General

  • Target

    Ad8556545S2125565444l5564.vbs

  • Size

    319KB

  • Sample

    230710-qndsmabf7v

  • MD5

    f8b41b499604e82eb0e6510383a90e34

  • SHA1

    b5699fd8dba7bc35ea5946af35e8ea51a58ea4b6

  • SHA256

    7bb19c68aaf145e837e104b39f5c2b967d52191eb8e71846ac8e697d3c027873

  • SHA512

    efc632012ba97d3d091799fba09058f6bee3fd6780d859931c5dfeeace49003f0ac620950dc247af669701661f94aa27dc65b292c803971324bc1076f2742c78

  • SSDEEP

    192:iTvQpQjcZZZMC/C2zOzYEAPK+aQyleZ4nUlypKr:izQpQjwnj/C2zOzYEAy+Hy4ZeUlypKr

Score
10/10

Malware Config

Extracted

  • Language

    ps1

    Deobfuscated

  • URLs

    ps1.dropper

    http://cryptersandtools.minhacasa.tv/e/e

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

todosnj4343.duckdns.org:4343

Mutex

91870a25e1f

Attributes
  • reg_key

    91870a25e1f

  • splitter

    @!#&^%$

Targets

    • Target

      Ad8556545S2125565444l5564.vbs

    Score
    10/10
    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext
