njrat | 56aa1c3927f73a53c0b0def3734891334f311ae882c00754b0a42c9517e91c35

General

Target

estado de cuenta camscanner.vbs
Size

561KB
Sample

221103-yzdwrsefb9
MD5

b31238fa012fd17fe9a54be6a51c3fea
SHA1

c45838fed29fc9366f91add4273fc9d7be1d4331
SHA256

56aa1c3927f73a53c0b0def3734891334f311ae882c00754b0a42c9517e91c35
SHA512

7cdef98f0d6e485c294334dd39990179a277eb90f00297c71e9d4a744865150b8bafab48ab167ca236b9f657ff0a6c14dbb8c43a77d91d5cf947219b60663c31
SSDEEP

96:7HHHHHteV92eYer9Y34N69Db0FgW+0l5o1N3yHyTB11qL0192xNosJU1kNEHnXXG:4nh5wiFzx5o1QS/j14ta1k0X1Pbk

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://firebasestorage.googleapis.com/v0/b/fir-3b506.appspot.com/o/dll%2Fnego.txt?alt=media&token=f068e42c-0fbc-4dcc-9984-985de5d7ed9c

Extracted

Family

njrat

Version

0.7.3

Botnet

Lime

C2

marianavilla3008n.duckdns.org:2610

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
1234

Targets

- Target
  
  estado de cuenta camscanner.vbs
- Size
  
  561KB
- MD5
  
  b31238fa012fd17fe9a54be6a51c3fea
- SHA1
  
  c45838fed29fc9366f91add4273fc9d7be1d4331
- SHA256
  
  56aa1c3927f73a53c0b0def3734891334f311ae882c00754b0a42c9517e91c35
- SHA512
  
  7cdef98f0d6e485c294334dd39990179a277eb90f00297c71e9d4a744865150b8bafab48ab167ca236b9f657ff0a6c14dbb8c43a77d91d5cf947219b60663c31
- SSDEEP
  
  96:7HHHHHteV92eYer9Y34N69Db0FgW+0l5o1N3yHyTB11qL0192xNosJU1kNEHnXXG:4nh5wiFzx5o1QS/j14ta1k0X1Pbk
Score

10^/10

njrat lime trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

njRAT/Bladabindi

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2