General

  • Target

    ComprovanteXdeXpagamento.ppam

  • Size

    16KB

  • Sample

    220107-khlndscdgr

  • MD5

    24837cf811c93b906c06d3db85b85be7

  • SHA1

    472997f54ba0814a76e93657b16bb87d97aba2cf

  • SHA256

    edba3ca498110106418658167533034aeb929276fe81de80c6de1a6bb95120e0

  • SHA512

    60eae17e267d406e9b01f8858482a9bfb47d0cf89aa56f2f533e659cbcdb9f55c1b9db2f87dab3c201b838764b5c17d9bc535ae9ed42dbd0464e59a3951cd9d7

Score
10/10

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7NC

  • Botnet

    NYAN CAT

  • C2

    fidapeste2.duckdns.org:5552

  • Mutex

    a918117a6dc84b8a

Attributes
  • reg_key

    a918117a6dc84b8a

  • splitter

    @!#&^%$

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Drops startup file

    • Suspicious use of SetThreadContext
