General

  • Target

    08ce84e90aeb685e22efe8dad5d12ad1.vbs

  • Size

    184KB

  • Sample

    220531-vk4bbsfecr

  • MD5

    08ce84e90aeb685e22efe8dad5d12ad1

  • SHA1

    fe33c25483bf411fae668acca7e159af1fa1ca4c

  • SHA256

    392e1b6d5a343eefbc9e05323aadab4074a56c9edb7554b8085f45d319d837b7

  • SHA512

    42bff67e635ccb5d4c7ae1198dd4882ebfae95b9a02ff14bc9d8ea69b6bff504daf19a67374f5bbf9b94390466e51efe4ec3363c3aef2b3a5ba5b3a61dbb7990

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    ps1.dropper: http://91.241.19.49/CRYPT/Flechas10DLL.txt

Extracted

  • Family

    njrat

  • Version

    0.7NC

  • Botnet

    NYAN CAT

  • C2

    wibnj.duckdns.org:57831

  • Mutex

    549d524552

Attributes
  • reg_key

    549d524552

  • splitter

    @!#&^%$

Targets

    • Target

      08ce84e90aeb685e22efe8dad5d12ad1.vbs

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Suspicious use of SetThreadContext
