njrat | 838e276f65a1dcdf9fd0292c3c7cd8b6c3f6c2ed940adcc663d68dd84a40e2c4 | Triage

Sharing

General

Target

838e276f65a1dcdf9fd0292c3c7cd8b6c3f6c2ed940adcc663d68dd84a40e2c4.vbs
Size

562KB
Sample

240925-chgens1fpb
MD5

5d0e059a9d852fbaa853170862b948f7
SHA1

89c0faf4ba6531b3e9c5550f53280e02492c770d
SHA256

838e276f65a1dcdf9fd0292c3c7cd8b6c3f6c2ed940adcc663d68dd84a40e2c4
SHA512

9ed84239c4277d19e8ea127282cd06d941293278f90bc25a98ddda2281dce8ce17295617e55216af925db77c78457c4ea10a8f9d24e9ecdfc94aa710f40df7a4
SSDEEP

1536:kmmmmmmmmmmmmmmmmmmyFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFB:4HY

Score

10^/10

njrat nyan cat defense_evasion discovery execution persistence trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

notificadoresrma.duckdns.org:2054

Mutex

a388ab2ca3be4

Attributes

reg_key
a388ab2ca3be4
splitter
@!#&^%$

Targets

- Target
  
  838e276f65a1dcdf9fd0292c3c7cd8b6c3f6c2ed940adcc663d68dd84a40e2c4.vbs
- Size
  
  562KB
- MD5
  
  5d0e059a9d852fbaa853170862b948f7
- SHA1
  
  89c0faf4ba6531b3e9c5550f53280e02492c770d
- SHA256
  
  838e276f65a1dcdf9fd0292c3c7cd8b6c3f6c2ed940adcc663d68dd84a40e2c4
- SHA512
  
  9ed84239c4277d19e8ea127282cd06d941293278f90bc25a98ddda2281dce8ce17295617e55216af925db77c78457c4ea10a8f9d24e9ecdfc94aa710f40df7a4
- SSDEEP
  
  1536:kmmmmmmmmmmmmmmmmmmyFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFB:4HY
Score

10^/10

execution njrat nyan cat defense_evasion discovery persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

njratnyan catdefense_evasiondiscoveryexecutionpersistencetrojan