General

  • Target

    Incumplimiento en pago.vbs.zip

  • Size

    2KB

  • Sample

    220610-p6el7sffd2

  • MD5

    f155cd317af255b32b109b28f46b24f1

  • SHA1

    a986d74be046656fb8e0faadfd0ace8b7e60f0fd

  • SHA256

    f2b20f472de65e328684a0fcdabfce00a8893b38c0480a9394af0af25a87ed16

  • SHA512

    111bac2ea0ea3c4750f0c807f491e84a0ce24bcbd9d60bd88eb0ac93cbef2ab5742064a800e54a2c00a9f7387a40b2d58c10799747e711527a4a5406749fc237

Score
10/10

Malware Config

Extracted

  • Language

    ps1 (deobfuscated)

  • URLs

    ps1.dropper: https://wpsshop.online/Dll/RodaRarodll.txt

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

nj2020.duckdns.org:2020

Mutex

fcc1d4df850

Attributes
  • reg_key

    fcc1d4df850

  • splitter

    @!#&^%$

Targets

    • Target

      Incumplimiento en pago.vbs

    • Size

      210KB

    • MD5

      349bd170f4cd652b9117c9b159f9bdcc

    • SHA1

      d70dd4ea4f22180eca39d9ca09b777d2193d91ff

    • SHA256

      6808952224709928c7f2d9f7bb9f8bfd404e16b686e6aa8947f6ea9bc66be3ce

    • SHA512

      d85952fb863ae733002dc6b8fc8718578357584106cfc11d6b2d8d5326973bfa85c1da9b830fda6e515e2a53c90f8481fff130192853c5877d06f456c59bbece

    Score
    10/10
    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Checks computer location settings

      Reads the country/region code configured in the registry; this is typical of a geofence check that decides whether the payload runs based on the victim's locale.

    • Drops startup file

    • Suspicious use of SetThreadContext

      Commonly used to redirect execution in another process (process hollowing / injection).
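The extracted configuration and signature hits above translate directly into hunting indicators: the dropper host and URL, the C2 host and port, the per-user Run-key persistence name, and the sample hashes. The following Python script is an added example, not part of the sandbox output, that collects those indicators from the report and matches them against a constructed, simplified key=value event stream (the log lines, field names and process names are made up for illustration; real EDR/Sysmon fields differ). The assumption that njRAT's reg_key is the value name under the per-user Run key is marked in the code.

```python
"""Hunting helper built from the indicators in this report (added example)."""
import re
from typing import Dict, List, Tuple

# Indicators taken verbatim from the report.
SHA256 = {
    "f2b20f472de65e328684a0fcdabfce00a8893b38c0480a9394af0af25a87ed16",  # .vbs.zip
    "6808952224709928c7f2d9f7bb9f8bfd404e16b686e6aa8947f6ea9bc66be3ce",  # .vbs
}
DROPPER_HOST = "wpsshop.online"
DROPPER_URL = "https://wpsshop.online/Dll/RodaRarodll.txt"
C2_HOST = "nj2020.duckdns.org"
C2_PORT = 2020
PERSIST_NAME = "fcc1d4df850"  # reg_key (and mutex) from the njRAT config

# Assumption: the reg_key is written as a value name under the per-user Run key.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
    + re.escape(PERSIST_NAME) + r"$",
    re.IGNORECASE,
)

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample events (not from the report): "EventType key=value ...".
SAMPLE_LOGS = [
    "DnsQuery host=WS01 image=wscript.exe query=wpsshop.online",
    "HttpRequest host=WS01 image=powershell.exe url=https://wpsshop.online/Dll/RodaRarodll.txt",
    "RegistrySet host=WS01 path=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\fcc1d4df850",
    "NetworkConnect host=WS01 image=payload.exe dst=nj2020.duckdns.org dport=2020",
    "NetworkConnect host=WS02 image=firefox.exe dst=nj2020.duckdns.org dport=443",
    "FileCreate host=WS03 path=C:\\Users\\b\\Downloads\\x.vbs "
    "sha256=6808952224709928c7f2d9f7bb9f8bfd404e16b686e6aa8947f6ea9bc66be3ce",
    "DnsQuery host=WS02 image=chrome.exe query=example.org",
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'EventType k=v k=v ...' into a dict; the type is stored under 'event'."""
    head, _, rest = line.strip().partition(" ")
    rec = {"event": head}
    rec.update(KV_RE.findall(rest))
    return rec


def match_event(rec: Dict[str, str]) -> List[str]:
    """Return the indicator names this event matches (empty list if none)."""
    hits: List[str] = []
    ev = rec.get("event")
    if ev == "DnsQuery":
        q = rec.get("query", "").lower().rstrip(".")
        if q == DROPPER_HOST:
            hits.append("dropper_host")
        if q == C2_HOST:
            hits.append("c2_host")
    elif ev == "NetworkConnect":
        dst = rec.get("dst", "").lower()
        dport = rec.get("dport", "")
        port = int(dport) if dport.isdigit() else -1
        if dst == C2_HOST:
            # A DuckDNS name can be re-pointed to any port; a mismatch still
            # deserves a look, so record it as a weaker, separate indicator.
            hits.append("c2_host_port" if port == C2_PORT else "c2_host_other_port")
    elif ev == "HttpRequest":
        if rec.get("url", "") == DROPPER_URL:
            hits.append("dropper_url")
    elif ev == "RegistrySet":
        if RUN_KEY_RE.search(rec.get("path", "")):
            hits.append("run_key_persistence")
    elif ev == "FileCreate":
        if rec.get("sha256", "").lower() in SHA256:
            hits.append("known_sample_hash")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line index, matched indicators) for every line that matches."""
    results = []
    for i, line in enumerate(lines):
        hits = match_event(parse_event(line))
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS):
        print(f"{idx}: {', '.join(hits)} <- {SAMPLE_LOGS[idx]}")
```

Hash, URL and exact host:port matches are high confidence; the host-only match on the DuckDNS name is kept separate because dynamic-DNS names are cheap to re-point, and the Run-key check will only fire where the persistence name assumed above is correct, so verify it against the actual registry write in the sandbox's process and registry traces.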

MITRE ATT&CK Enterprise v6

Tasks