General

  • Target

    Archivo_pdf_01452.vbs

  • Size

    160KB

  • Sample

    240129-y3le1sbdhj

  • MD5

    556f33bc86b31d10d6402419d4747da6

  • SHA1

    7a2d9e7371a450ef24b7b3d2c411a642120e00bb

  • SHA256

    6943f56deaff3c7592b3fb12b1bf899244db6c22e4883fc8e16481d8fff1ace9

  • SHA512

    9008001899ab614a3ef1402cc029a87fc9e31e630a78156dcbf439a34819252522e447407c6a9d1487a3b63d9db3e3346461a0e5ca75cca2bc3583e5dd78d151

  • SSDEEP

    3072:1EYIx9r31rZWX13II19LYc0DF1E0NPP98M7cshETkPGlQf+XXjzo:G1x9r31rZWX13II19LYc0DF1E0NPP98w

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper

    https://wallpapercave.com/uwp/uwp4241942.png

    exe.dropper

    https://wallpapercave.com/uwp/uwp4241942.png

Extracted

  • Family

    njrat

  • Version

    0.7NC

  • Botnet

    NYAN CAT

  • C2

    adminash.duckdns.org:5552

  • Mutex

    7e96608a8e474692

Attributes

  • reg_key

    7e96608a8e474692

  • splitter

    @!#&^%$

Targets

    • Target

      Archivo_pdf_01452.vbs

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks