njrat | 46910a6dfb9487947703a1f69d55e76b0d6bdc560a5ed85e7fd65c48924ea6b6 | Triage

Sharing

General

Target

2471384713084738.vbs
Size

484KB
Sample

220112-k5439acaa8
MD5

c411c39688a4e3be08e80fcef384b448
SHA1

2970efe8b3902cd3edb2d41258b1888e494eef37
SHA256

46910a6dfb9487947703a1f69d55e76b0d6bdc560a5ed85e7fd65c48924ea6b6
SHA512

8bc088ce4b622e3a0cf7111eaae437cfa2211c6bfca248f6e42a166a6eede54c65fee73cf64652e8c3dd5d2f3764c556677e1bfd195873d491f5d7e7cf3ae0ee

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://149.56.200.165/dll/3.txt

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

david123456.duckdns.org:9000

Mutex

b14f9f9db82b4

Attributes

reg_key
b14f9f9db82b4
splitter
@!#&^%$

Targets

- Target
  
  2471384713084738.vbs
- Size
  
  484KB
- MD5
  
  c411c39688a4e3be08e80fcef384b448
- SHA1
  
  2970efe8b3902cd3edb2d41258b1888e494eef37
- SHA256
  
  46910a6dfb9487947703a1f69d55e76b0d6bdc560a5ed85e7fd65c48924ea6b6
- SHA512
  
  8bc088ce4b622e3a0cf7111eaae437cfa2211c6bfca248f6e42a166a6eede54c65fee73cf64652e8c3dd5d2f3764c556677e1bfd195873d491f5d7e7cf3ae0ee
Score

10^/10

njrat nyan cat trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratnyan cattrojan