General

  • Target

    CARPETADEFOLIOYACTAENTREG.vbs

  • Size

    217KB

  • Sample

    230709-tnvb6aed58

  • MD5

    507c852d53b771937d44ead89ce445db

  • SHA1

    2f17ed49c003a72b62999ce724ff28f4eafaed04

  • SHA256

    7bec8c3246503b9a6af722a1f3316a2237b1403042b1879bf2372c4dd3a54d83

  • SHA512

    94214e31e75cd14893282e6c06b66b66a2329d4bbe5902c143fcd1721004e5a8bc477ac38f8baa093855ddb4a2a9e1cfddbcba1380af9eeadd4c85fe146a4a38

  • SSDEEP

    768:NvusaTjVXQHIqBSp41bHmjlXNuANZ9hRFp3iN7VK632A/1WDs9lhoFecNocWae+u:NxafVXnqBSp41SqkFFp3iTKC2AsDlFNI

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7NC

  • Botnet

    NYAN CAT

  • C2

    nj0509.duckdns.org:0509

  • Mutex

    6ce9672712ba4490be

Attributes
  • reg_key

    6ce9672712ba4490be

  • splitter

    @!#&^%$

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
