General

  • Target

    pum.vbs

  • Size

    584KB

  • Sample

    230606-k56l3sdd9t

  • MD5

    850c00a9a4f884920bf998e784deb5ff

  • SHA1

    dbc0cbdee0323392f7e1e40bdc2af681cdb7730b

  • SHA256

    f4eb6874def6fb59224dac5a6b164d297540d40f1b52f6d33ebf654320865ab3

  • SHA512

    ee8b0996e991ecbe344e74a41232306866506f1d4e7f5bf4d9d712a285bebc782c33dd1226c4d5c3d1c9e7cc12ef511953d694633fdba7d4aa17ea8b2e1566af

  • SSDEEP

    3072:TpG1wfkYFEhNe4VTdRnTT8w4TWQNDJ4alTvPfkTk5G7ZqsmgYcp++og0S7wQzS1y:IwfkYF18ZqK

Score
10/10

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

njnjnjs.duckdns.org:35888

Mutex

6515f0beea

Attributes
  • reg_key

    6515f0beea

  • splitter

    @!#&^%$

Targets

    • Target

      pum.vbs

    • Size

      584KB

    • MD5

      850c00a9a4f884920bf998e784deb5ff

    • SHA1

      dbc0cbdee0323392f7e1e40bdc2af681cdb7730b

    • SHA256

      f4eb6874def6fb59224dac5a6b164d297540d40f1b52f6d33ebf654320865ab3

    • SHA512

      ee8b0996e991ecbe344e74a41232306866506f1d4e7f5bf4d9d712a285bebc782c33dd1226c4d5c3d1c9e7cc12ef511953d694633fdba7d4aa17ea8b2e1566af

    • SSDEEP

      3072:TpG1wfkYFEhNe4VTdRnTT8w4TWQNDJ4alTvPfkTk5G7ZqsmgYcp++og0S7wQzS1y:IwfkYF18ZqK

    Score
    10/10
    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks