General
-
Target
K2M17C5X4Payment-Receipt.vbs
-
Size
679B
-
Sample
211208-xs8bcsaccj
-
MD5
00b87aa69cc2affee76e1dcfefe2a5f0
-
SHA1
c05f10020b72265500b6a60aa44bc25b6dc2164c
-
SHA256
20c16f86d064ace9aba5b2a46939234aa154d6f1bd86d823d7baa31eb291c758
-
SHA512
4ccf08698b421c6cf19536bc6e82d420af1a9ce1cf95f1b14e92f7537ae9f921e633eebb0d4a236837091de815b1203f2e8e3309a17c2e3c06876744f5df3c43
Static task
static1
Behavioral task
behavioral1
Sample
K2M17C5X4Payment-Receipt.vbs
Resource
win7-en-20211208
Malware Config
Extracted
https://transfer.sh/get/8HmK8m/bypass.txt
Extracted
njrat
1.9
HacKed
Microsoft.Exe
-
reg_key
Microsoft.Exe
Extracted
nanocore
1.2.2.0
nov6400.duckdns.org:6400
513706f3-29db-4e99-a51e-059607a7bc45
-
activate_away_mode
true
-
backup_connection_host
nov6400.duckdns.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2021-09-17T19:15:29.081949136Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
6400
-
default_group
nov 6400
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
513706f3-29db-4e99-a51e-059607a7bc45
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
nov6400.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
K2M17C5X4Payment-Receipt.vbs
-
Size
679B
-
MD5
00b87aa69cc2affee76e1dcfefe2a5f0
-
SHA1
c05f10020b72265500b6a60aa44bc25b6dc2164c
-
SHA256
20c16f86d064ace9aba5b2a46939234aa154d6f1bd86d823d7baa31eb291c758
-
SHA512
4ccf08698b421c6cf19536bc6e82d420af1a9ce1cf95f1b14e92f7537ae9f921e633eebb0d4a236837091de815b1203f2e8e3309a17c2e3c06876744f5df3c43
-
BitRAT Payload
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
-
Blocklisted process makes network request
-
Modifies Windows Firewall
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-