njrat | bb1605a50c8ecfeaf69f4ec3f40a7b54ed722dbb2f9286adce5e2b78d5fc85c7 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

DCF20D074648CA42F102EE093E61B8A4.vbs
Size

495KB
Sample

230628-zzkjzsbb72
MD5

dcf20d074648ca42f102ee093e61b8a4
SHA1

541f17b51a863023edd6ad7d6e271bd3f1d36687
SHA256

bb1605a50c8ecfeaf69f4ec3f40a7b54ed722dbb2f9286adce5e2b78d5fc85c7
SHA512

415c55479cdecaeac220dd5128d44d53d7530450f32bbfaa3f9d86e8257a62078a545a0d6cc8fed38342b77d7c86775577dce7a4f79e1e2b0c68af2c1d9b9163
SSDEEP

3072:KRr+dxPr+9gr+Ejr+gMSlctO+Jxq3udcXGCunzhXvek5n5p5XNsn1+7HLDVZcMxz:blACuzhXvePn+AMxzak5

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

njnjnjs.duckdns.org:35888

Mutex

6515f0beea

Attributes

reg_key
6515f0beea
splitter
@!#&^%$

Targets

- Target
  
  DCF20D074648CA42F102EE093E61B8A4.vbs
- Size
  
  495KB
- MD5
  
  dcf20d074648ca42f102ee093e61b8a4
- SHA1
  
  541f17b51a863023edd6ad7d6e271bd3f1d36687
- SHA256
  
  bb1605a50c8ecfeaf69f4ec3f40a7b54ed722dbb2f9286adce5e2b78d5fc85c7
- SHA512
  
  415c55479cdecaeac220dd5128d44d53d7530450f32bbfaa3f9d86e8257a62078a545a0d6cc8fed38342b77d7c86775577dce7a4f79e1e2b0c68af2c1d9b9163
- SSDEEP
  
  3072:KRr+dxPr+9gr+Ejr+gMSlctO+Jxq3udcXGCunzhXvek5n5p5XNsn1+7HLDVZcMxz:blACuzhXvePn+AMxzak5
Score

10^/10

njrat nyan cat trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

njratnyan cattrojan