General

  • Target

    a0710cc802f4339ff34a3c352398cd8b.vbs

  • Size

    828KB

  • Sample

    220526-vh525shbfp

  • MD5

    a0710cc802f4339ff34a3c352398cd8b

  • SHA1

    f4416cf898162df5e59ccc9f2fe646d54316d569

  • SHA256

    469e814ea9419f0a247d1eff3ed9aee9083d92a3975786bacb682bfa6af542a4

  • SHA512

    339aee395da23e72bb1f7fe30c5da4c191a819ed526e5226a94761b6274f8468697ca7d980a38838baf424bca2e1ecd18a4b04dbf3716411b4791f2d0f5510e6

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: http://20.106.232.4/dll/26-05-2022-StartUp.pdf

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

2605mayo5434.duckdns.org:5434

Mutex

2edbba685e604255b6

Attributes
  • reg_key

    2edbba685e604255b6

  • splitter

    @!#&^%$

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    • suricata: ET MALWARE Powershell commands sent B64 2

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Drops startup file

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks