General

  • Target

    004.vbs

  • Size

    217KB

  • Sample

    221012-w697fafeal

  • MD5

    9c28dc451989b0976c1ef4bd80841148

  • SHA1

    a49b80391827b4edc9095ff8667d31967c7d5bf4

  • SHA256

    5e616efa5ea49eaf66bf377e5a6e5ad24d7c0918e0a568f0888e2053a2964de1

  • SHA512

    9141b1c5ee45b322263fc6cb6821760aed5253e4fff29846554428683ecbb494289dcde721bcfea72bb2756a000c8804bcc3ffdbd955e0e140265582512a0a1d

  • SSDEEP

    96:tYsY6WYW0gAJDLbD71b0F4WOktEpD2AUB/0zHNE2UvIkZ1+AN1qHE:CzCNNJDHHiFbBQD2RB/0zHDkZJ1qk

Score
10/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper: https://tinyurl.com/2erph6cs

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

wins10ok.duckdns.org:8000

Mutex

3b71ea03e4

Attributes
  • reg_key

    3b71ea03e4

  • splitter

    @!#&^%$

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks