General

  • Target

    Booking Reclamo.rar

  • Size

    1KB

  • Sample

    220711-qba6zahcfj

  • MD5

    a8f1175d93997c603efee5e8cfb048b8

  • SHA1

    2b04d461f4af94125954752e13655e4512ac5d93

  • SHA256

    75e7d9d5674a9274db2a258cefd7c03cd076d9615c580df36adc08b22f61333a

  • SHA512

    5ccb0f4622442009a6ff1550b9a9388500a0be31716511f8e6ecfb6bf93ed4c552575e9b6ab673730ec4551731cc728800bdf1aad7ca7a3c3ca3cf68df04a56e

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: http://20.231.55.108/dll/06-07-2022.PDF

Extracted

  • Family

    njrat

  • Version

    0.7NC

  • Botnet

    NYAN CAT

  • C2

    venomsi.mypsx.net:81

  • Mutex

    4c6c9a1bbdc34e6ebe

  • Attributes

    • reg_key

      4c6c9a1bbdc34e6ebe

    • splitter

      @!#&^%$

Targets

    • Target

      Booking Reclamo/Comprobante EDO DE CUENTA.pdf.lnk

    • Size

      2KB

    • MD5

      989a37a957676b33b4f844b510ac8a73

    • SHA1

      fd521bf0365d7af925879d7b66dc54025051adb6

    • SHA256

      ff0fd20583b4a4095e261eeeaba1b8be7be1fa837af4c882c9fe093bfd7892ea

    • SHA512

      93ce019d8ff4b220199e5b2a4eda2d3717f368f7b890eed8eb04aac1dc56e9c2e5dc50b19eb4efde577b58168405eec55b787a80ca670e0e81119dc7943706dc

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • suricata: ET MALWARE Powershell commands sent B64 2

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6