General

  • Target

    segura.vbs

  • Size

    483KB

  • Sample

    241003-3m9j5awgmf

  • MD5

    52917612f2ba8deed79d211c0bd5746f

  • SHA1

    dea790f7518809133c06fee3931e742600613a9b

  • SHA256

    76909f885c6b7247c7176b2cc08830c78b8b831bf7d3f0d9eec38da53e8ae93b

  • SHA512

    d7260e28e3749fb5e5933ce1b451c4284da72a155feefacffd679ec7c68fc5906655443bbf40cacb2af7c682107e3c846300a90a05f1bb3e45c3b72026d0c9dd

  • SSDEEP

    12288:3FIsz/Eb1lVfwxg6kUTGuimfRkZGOm76nrONHcIZgBVU4UupEFgAA0bOpZc+wGc8:3Dmjp7BFr

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

exe.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

02oct.duckdns.org:9001

Mutex

68583eab59

Attributes
  • reg_key

    68583eab59

  • splitter

    @!#&^%$

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with a hidden display window.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15