General
-
Target
J2M39FDF6S4Payment-Receipt.vbs
-
Size
678B
-
Sample
211210-qeyfnsged9
-
MD5
b67877753da5f71beaf34d615e62eb64
-
SHA1
ed2f04df466fb864485812ce9ab852eab9b98ed6
-
SHA256
06bfee44b0f11ee2da20d9c957821c0fd50a9c6da4bf074a543f99a3de372a5d
-
SHA512
be96eab5962d4da3b254a826c6b805a04ea93ecd555add745aed6f6134a945ff76742a8a22a9e5c5de14ed6c2ea89e86c7e55a0cdd4f0156ab41db25a56b1c28
Static task
static1
Behavioral task
behavioral1
Sample
J2M39FDF6S4Payment-Receipt.vbs
Resource
win7-en-20211208
Malware Config
Extracted
https://transfer.sh/get/w31OTk/bypas.txt
Extracted
njrat
1.9
HacKed
Microsoft.Exe
-
reg_key
Microsoft.Exe
Extracted
nanocore
1.2.2.0
nov6400.duckdns.org:6400
513706f3-29db-4e99-a51e-059607a7bc45
-
activate_away_mode
true
-
backup_connection_host
nov6400.duckdns.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2021-09-17T19:15:29.081949136Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
6400
-
default_group
nov 6400
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
513706f3-29db-4e99-a51e-059607a7bc45
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
nov6400.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
J2M39FDF6S4Payment-Receipt.vbs
-
Size
678B
-
MD5
b67877753da5f71beaf34d615e62eb64
-
SHA1
ed2f04df466fb864485812ce9ab852eab9b98ed6
-
SHA256
06bfee44b0f11ee2da20d9c957821c0fd50a9c6da4bf074a543f99a3de372a5d
-
SHA512
be96eab5962d4da3b254a826c6b805a04ea93ecd555add745aed6f6134a945ff76742a8a22a9e5c5de14ed6c2ea89e86c7e55a0cdd4f0156ab41db25a56b1c28
-
BitRAT Payload
-
Blocklisted process makes network request
-
Modifies Windows Firewall
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-