Overview

overview

10

Static

static

a.vbs

windows7-x64

10

a.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a.vbs

  • Size

    226KB

  • Sample

    221205-v7njdsed2w

  • MD5

    9792c84f24e1492cc4d179523fdfcb9d

  • SHA1

    f53e9afdd5ba3302186b6be1ac446c9f081c362f

  • SHA256

    03b0e67b65740307c5f7109587ff3218aa803c0998a23f83f8790fd9a1e0fb47

  • SHA512

    83c42a63b51dfa007012ef6f0b8e2c5e8df31610d2af391f62e7921ce5bc5bdc7eff31f255d8ab96a58563ecb20f0051f61e9482b97ce97ee60e0cfbd0d1518e

  • SSDEEP

    3072:eXFJliLfuE8ozlADw8auustFmbicHkwOt4MYI2x75nehsqgB3F23st+Zn3F/MvVF:sliLfudcHV

Score
10/10
njrat1 dicevasiontrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://4.204.233.44/Dll/Dll.ppam

Extracted

Family

njrat

Version

im523

Botnet

1 DIC

C2

prueba30novok.duckdns.org:8002

Mutex

5a6bb4a00c1be0a58dddea6ebb918e6f

Attributes
  • reg_key

    5a6bb4a00c1be0a58dddea6ebb918e6f

  • splitter

    |'|'|

Targets

    • Target

      a.vbs

    • Size

      226KB

    • MD5

      9792c84f24e1492cc4d179523fdfcb9d

    • SHA1

      f53e9afdd5ba3302186b6be1ac446c9f081c362f

    • SHA256

      03b0e67b65740307c5f7109587ff3218aa803c0998a23f83f8790fd9a1e0fb47

    • SHA512

      83c42a63b51dfa007012ef6f0b8e2c5e8df31610d2af391f62e7921ce5bc5bdc7eff31f255d8ab96a58563ecb20f0051f61e9482b97ce97ee60e0cfbd0d1518e

    • SSDEEP

      3072:eXFJliLfuE8ozlADw8auustFmbicHkwOt4MYI2x75nehsqgB3F23st+Zn3F/MvVF:sliLfudcHV

    Score
    10/10
    njrat1 dicevasiontrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Blocklisted process makes network request

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks