njrat | fa0c16419a4f2e838f7f9f72f252b5f391da16d47910c1a7a84d8e3b01d1b550 | Triage

Sharing

General

Target

92baf7d1d57f1c7c6368c79646304ddb.vbs
Size

488KB
Sample

211227-yq6v7adba6
MD5

92baf7d1d57f1c7c6368c79646304ddb
SHA1

243ea00cea30c24c463b2263479502481458ec41
SHA256

fa0c16419a4f2e838f7f9f72f252b5f391da16d47910c1a7a84d8e3b01d1b550
SHA512

7ddb663e69b9cec619c9211052d3df31b942d7cc56c6c9da4d469ce09c072559eb24544f64974a42c36e9eeb324c30a22029a93e2f04dceeb036c66bc9020c60

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.241.19.49/ramdes/treboldll.txt

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

revg.duckdns.org:57831

Mutex

ebef4abe57d24e8

Attributes

reg_key
ebef4abe57d24e8
splitter
@!#&^%$

Targets

- Target
  
  92baf7d1d57f1c7c6368c79646304ddb.vbs
- Size
  
  488KB
- MD5
  
  92baf7d1d57f1c7c6368c79646304ddb
- SHA1
  
  243ea00cea30c24c463b2263479502481458ec41
- SHA256
  
  fa0c16419a4f2e838f7f9f72f252b5f391da16d47910c1a7a84d8e3b01d1b550
- SHA512
  
  7ddb663e69b9cec619c9211052d3df31b942d7cc56c6c9da4d469ce09c072559eb24544f64974a42c36e9eeb324c30a22029a93e2f04dceeb036c66bc9020c60
Score

10^/10

njrat nyan cat trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

njratnyan cattrojan