njrat | 48bb80b78ab20e88487589c0d691bd65a8d40f785d2d18d54c06bbedd09ca559 | Triage

Sharing

General

Target

48bb80b78ab20e88487589c0d691bd65a8d40f785d2d18d54c06bbedd09ca559.vbs
Size

15.4MB
Sample

241004-bs432s1bkb
MD5

3ac2f2a9e0ea75fabc9cd17a6cfad0c5
SHA1

918caec409f9a49bc055bbfb02d458c131724c83
SHA256

48bb80b78ab20e88487589c0d691bd65a8d40f785d2d18d54c06bbedd09ca559
SHA512

be4ce3a8489eb2ac441a9ea7c61f93f1b64a4e8435f8bcfbad0c0d83fcc1b7d6e6b5c3b0309616b7ed2bcbd173ce5427e257e14dc84e491766ffbc51af3a1327
SSDEEP

192:9HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHM:qXmHsr0+uF8

Score

10^/10

njrat nyan cat discovery execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://pastebin.com/raw/V9y5Q5vv

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

michael2009nj.duckdns.org:2828

Mutex

bf4e531b630e4de6ab2

Attributes

reg_key
bf4e531b630e4de6ab2
splitter
@!#&^%$

Targets

- Target
  
  48bb80b78ab20e88487589c0d691bd65a8d40f785d2d18d54c06bbedd09ca559.vbs
- Size
  
  15.4MB
- MD5
  
  3ac2f2a9e0ea75fabc9cd17a6cfad0c5
- SHA1
  
  918caec409f9a49bc055bbfb02d458c131724c83
- SHA256
  
  48bb80b78ab20e88487589c0d691bd65a8d40f785d2d18d54c06bbedd09ca559
- SHA512
  
  be4ce3a8489eb2ac441a9ea7c61f93f1b64a4e8435f8bcfbad0c0d83fcc1b7d6e6b5c3b0309616b7ed2bcbd173ce5427e257e14dc84e491766ffbc51af3a1327
- SSDEEP
  
  192:9HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHM:qXmHsr0+uF8
Score

10^/10

execution njrat nyan cat discovery trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

njratnyan catdiscoveryexecutiontrojan