General

  • Target

    BOLETA DE CITACION FISCALIA GENERAL DE LA NACION RADICADO PROCESO #202496-6623600265-9595982-9662256-PDF.vbs.bin

  • Size

    68KB

  • Sample

    240306-vrge5sdc59

  • MD5

    22fb4ae301cb2b4618847ee53a6d3693

  • SHA1

    a3f3655b77350aa3a5bb91bb25dbc80003a71c4a

  • SHA256

    294a3fdbf3eb9afe824f13ff046eb42b6b683fbcc5e764c4cec481b0cab12b2f

  • SHA512

    cc3f7d300722300c3a009fad42e05c8bf3e045f3a7ab9973bd69a1a7d79a230201a9a6ed75a647900c3b8770bea6abf44c41208c6d3b98befb890ca955372a98

  • SSDEEP

    1536:zcflVRFy4/y4HaUcNb0xq/K4HVWx525y4Twop0Irb5JmKU6VQ303:QBFy4/y4HR+p0IJJmi3

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7NC

  • Botnet

    NYAN CAT

  • C2

    junio2023.duckdns.org:3333

  • Mutex

    7952b2688d

Attributes
  • reg_key

    7952b2688d

  • splitter

    @!#&^%$

Targets

    • Target

      BOLETA DE CITACION FISCALIA GENERAL DE LA NACION RADICADO PROCESO #202496-6623600265-9595982-9662256-PDF.vbs.bin

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
