General

  • Target

    CamScanner#0612202415110000000000000000.uu

  • Size

    3KB

  • Sample

    241210-tlt9davldr

  • MD5

    dd659fb5279839abe2bab48610175c54

  • SHA1

    79294ffe6bf042f4f0254626b3c8b70dbf260ffb

  • SHA256

    928c6c39a20bc722a42bfe3292ad99447b3e8b78714fd52d08a160029afc70ec

  • SHA512

    d7ce003fd54b08469094206a7c97e4c07985d2a7073e708fcd5d098303b1aeb68deac4f77e894d230699dda7ab94736ef839fa8eec2b68ad1d69ef047fbb7f57

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://pastebin.com/raw/pHPmwBp6

    exe.dropper: https://pastebin.com/raw/pHPmwBp6

Extracted

  • Family

    njrat

  • Version

    0.7NC

  • Botnet

    NYAN CAT

  • C2

    carlitosmoreno1794.duckdns.org:2019

  • Mutex

    bde06c84e1de4b23b

  • Attributes

    • reg_key

      bde06c84e1de4b23b

    • splitter

      @!#&^%$

Targets

    • Target

      CamScanner#0612202415110000000000000000.uu (size and hashes as listed under General)

    Score
    3/10
    • Target

      CamScanner#0612202415110000000000000000.vbs

    • Size

      4.4MB

    • MD5

      6c76b8c6d878af510014be1ca2f8b9d1

    • SHA1

      9ed0189834cc5cc28d13f60232734877a36af5c4

    • SHA256

      5214fe5938d6670d53b13d226af4b57c7aa6ec5e4a62c86e19eb8cffc2c23087

    • SHA512

      d0e2476fd7256ec719236e33cf82bd079458272ad335c30bc092a7bda6527da24d4b04a82cbd477d53d28962d97c3097891a47aedb84b4dee4712954b256e7a5

    • SSDEEP

      384:ByWyOyWyOyWyOyWyOyWyOyWyOyWyOyWyOyWyOyWyOyWyOyWyOyWyOyWyOyWyOyWp:DbCOFR

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
