General

  • Target

    ef51f5588cebd20ca6a46a320b14c9de.vbs

  • Size

    213KB

  • Sample

    220809-zthhfahfe7

  • MD5

    ef51f5588cebd20ca6a46a320b14c9de

  • SHA1

    ad41361e71e54d698ef7dfc73ed301fb6585964a

  • SHA256

    9618eefb437302f8ef0baa9cc6ec6f6e9ba7fe94447d88202ab5ec9b033bf110

  • SHA512

    6e81da5cebfa44488d9dee5cf3962b3e17cae36123a48dbc2e5cf7c96d64ddc48505120d720c61eed393524f05200160b5715da9e3bc7143d5b2c16b69bc66e5

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper

    http://91.241.19.49/MCK/FRAK.txt

Extracted

  • Family

    njrat

  • Version

    0.7NC

  • Botnet

    NYAN CAT

  • C2

    gfxcvfgsewrwrqwergvcbx.duckdns.org:9998

  • Mutex

    52c3af89f78848a0b69

  • Attributes

    • reg_key

      52c3af89f78848a0b69

    • splitter

      @!#&^%$
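The extracted config is directly actionable: the C2 name and port, the dropper URL, the mutex/reg_key value and the splitter are all things a responder can hunt for. The script below is an added example, not part of the sandbox report. The IOC values are copied from the config above; the log lines and the beacon bytes are constructed for illustration. The njRAT wire framing it parses (a decimal length, a NUL byte, then the body, with fields joined by the configured splitter) and the field order of the registration message are assumptions taken from public analyses of njRAT 0.7 variants, not facts stated in the report.

```python
"""Config-driven triage for the njRAT sample described above.

Added example; not part of the sandbox report. IOC values come from the
extracted config on this page. The log lines and the beacon bytes are
constructed for illustration. The njRAT wire framing assumed here
("<decimal length>\\x00<body>", fields joined by the configured splitter)
and the field order in the registration message are assumptions drawn
from public analyses of njRAT 0.7 variants, not facts stated in the report.
"""
import re
from urllib.parse import urlparse

# Copied from the extracted config above.
CONFIG = {
    "c2_host": "gfxcvfgsewrwrqwergvcbx.duckdns.org",
    "c2_port": 9998,
    "dropper_url": "http://91.241.19.49/MCK/FRAK.txt",
    "mutex": "52c3af89f78848a0b69",   # also used as the reg_key value name
    "splitter": "@!#&^%$",
}


def build_frame(fields, splitter=CONFIG["splitter"]) -> bytes:
    """Encode one frame in the assumed njRAT framing: length, NUL, body."""
    body = splitter.join(fields).encode()
    return str(len(body)).encode() + b"\x00" + body


def parse_frames(stream: bytes) -> list:
    """Split a TCP stream into frame bodies.

    Stops at the first malformed or truncated frame instead of guessing,
    so a partial capture yields only the frames that are complete.
    """
    frames, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1 or not stream[pos:nul].isdigit():
            break
        length = int(stream[pos:nul])
        body = stream[nul + 1: nul + 1 + length]
        if len(body) < length:
            break
        frames.append(body)
        pos = nul + 1 + length
    return frames


def split_fields(body: bytes, splitter=CONFIG["splitter"]) -> list:
    """Split a frame body on the family's configured splitter."""
    return body.decode("utf-8", "replace").split(splitter)


def match_iocs(log_lines) -> list:
    """Return (line_no, ioc_name) for every log line that hits a config value."""
    dropper = urlparse(CONFIG["dropper_url"])
    checks = {
        "c2_host": lambda l: CONFIG["c2_host"] in l,
        # Port alone is weak evidence; treat it as a pivot, not a verdict.
        "c2_port": lambda l: re.search(rf":{CONFIG['c2_port']}\b", l) is not None,
        "dropper_ip": lambda l: dropper.hostname in l,
        "dropper_path": lambda l: dropper.path in l,
        "mutex_or_regkey": lambda l: CONFIG["mutex"] in l,
    }
    return [(n, name) for n, line in enumerate(log_lines, 1)
            for name, check in checks.items() if check(line)]


# Constructed telemetry, not output of the sandbox run.
SAMPLE_LOGS = [
    "dns query=gfxcvfgsewrwrqwergvcbx.duckdns.org type=A src=10.0.0.7",
    "proxy GET http://91.241.19.49/MCK/FRAK.txt src=10.0.0.7",
    "sysmon EventID=13 TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\52c3af89f78848a0b69",
    "conn src=10.0.0.7 dst=203.0.113.10:9998 proto=tcp",
    "proxy GET http://example.org/index.html src=10.0.0.8",
]

# Constructed beacon: a registration-style message followed by a second frame.
SAMPLE_BEACON = (
    build_frame(["ll", "victim-pc_1234", "NYAN CAT", "0.7NC"])
    + build_frame(["inf", "ok"])
)


if __name__ == "__main__":
    for frame in parse_frames(SAMPLE_BEACON):
        print("frame fields:", split_fields(frame))
    for line_no, ioc in match_iocs(SAMPLE_LOGS):
        print(f"line {line_no}: {ioc}")
```

Two practical notes. The C2 is a duckdns dynamic DNS name, so its resolved address will change; hunt on the domain (DNS logs, TLS SNI, proxy logs) rather than on whatever IP it pointed at during the sandbox run. The port check is deliberately kept separate from the host check because 9998 on its own will produce false positives; it is useful only to pivot from a known-bad host to other connections.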

Targets

    • Target

      ef51f5588cebd20ca6a46a320b14c9de.vbs

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

      A process on the sandbox's blocklist for outbound traffic (script hosts such as wscript.exe and powershell.exe are typical) contacted the network, consistent with the VBS loader fetching the ps1 dropper URL listed above.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

      Writes a file to a Startup location so the payload runs again at logon (persistence).

    • Suspicious use of SetThreadContext

      Setting another thread's context is commonly used for process hollowing or thread hijacking, i.e. running the payload inside a different process than the one that was launched.

MITRE ATT&CK Enterprise v6

Tasks