General

  • Target

    817fba874f30c7aa12e95ac1c7d4956679ed1eedec1976103036c87d6725cbfb.vbs

  • Size

    1KB

  • Sample

    240301-fwysnade2s

  • MD5

    16045e27c2555159200589060b0ee82a

  • SHA1

    e60fbff5f9387c47fa3cdf9adfb80709f16537c5

  • SHA256

    817fba874f30c7aa12e95ac1c7d4956679ed1eedec1976103036c87d6725cbfb

  • SHA512

    a2bad1a4d651671e62d6d713aba5ad31c838d9388dc9f2abd39c24bcd5e999b2ca8f52d6b28b1523c87912df0d4cb12d1c0b12b6410ce9f617df56bee1f3a43c

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7NC

  • Botnet

    NYAN CAT

  • C2

    njnjnjs.duckdns.org:35888

  • Mutex

    6515f0beea

  • Attributes

      • reg_key

        6515f0beea

      • splitter

        @!#&^%$

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
