General

  • Target

    9141e24b1d0d86eb68a9cc1cde0e845e7d7130b4e53fce9cff229eb214512683.rar

  • Size

    17KB

  • Sample

    240130-neacqsegg6

  • MD5

    7540661c1ec20c127e384c0ec87059b5

  • SHA1

    42c0c16e35e047566d33d327973149b1253ead69

  • SHA256

    9141e24b1d0d86eb68a9cc1cde0e845e7d7130b4e53fce9cff229eb214512683

  • SHA512

    25e5cf3c4fefec796165c671d00f75137e347dc24e6618b000b569cb0d952c8d4359b8280bcdc541ac86acc6973ae1980ae6b459a916c38d46c26819a70efdc9

  • SSDEEP

    384:OwokiBZvjU+bmXSR6QhlmIv1rXpl7SWzIWCTqi/2i4B158Z5W+q1n32:Zo9U+bYSR64QIvFX0WCTqi547+inm

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    ps1.dropper: https://wallpapercave.com/uwp/uwp4241942.png

    exe.dropper: https://wallpapercave.com/uwp/uwp4241942.png

Extracted

  • Family

    njrat

  • Version

    0.7NC

  • Botnet

    NYAN CAT

  • C2

    adminash.duckdns.org:5552

  • Mutex

    7e96608a8e474692

Attributes
  • reg_key

    7e96608a8e474692

  • splitter

    @!#&^%$

Targets

    • Target

      9141e24b1d0d86eb68a9cc1cde0e845e7d7130b4e53fce9cff229eb214512683.rar

    Score: 7/10

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Target

      Archivo_pdf_01452.vbs

    • Size

      160KB

    • MD5

      556f33bc86b31d10d6402419d4747da6

    • SHA1

      7a2d9e7371a450ef24b7b3d2c411a642120e00bb

    • SHA256

      6943f56deaff3c7592b3fb12b1bf899244db6c22e4883fc8e16481d8fff1ace9

    • SHA512

      9008001899ab614a3ef1402cc029a87fc9e31e630a78156dcbf439a34819252522e447407c6a9d1487a3b63d9db3e3346461a0e5ca75cca2bc3583e5dd78d151

    • SSDEEP

      3072:1EYIx9r31rZWX13II19LYc0DF1E0NPP98M7cshETkPGlQf+XXjzo:G1x9r31rZWX13II19LYc0DF1E0NPP98w

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15