General

  • Target

    31032025_1507_attach.pdf-EncriptadoOOKK50.vbs.zip

  • Size

    55KB

  • Sample

    250331-shfq5svmv2

  • MD5

    f06cbff96bbca65a05bd85be7e570ca8

  • SHA1

    f2da54a10d89c648b8ea0f8810e98387b85c9b2d

  • SHA256

    aacbab5ac2400711c5fe4ce86ffe1e89627029325257ba8d81332d3dc2f81691

  • SHA512

    24f0dc797cb8183376b04c5661b9c76ab9241c90bd9c4b6296cf073bcf818c2ec18d87ce9ed654829e1e43ad6e536f2a4dfdcba39ffb16cda517747b40d53d10

  • SSDEEP

    96:BxMTmVVBSesl3G9GiGGQGGmGGclGGnG1G9GiGGQGGmGGclGGiGvGlG9GiGGQGGm9:HkmVaesl9D0khzetgZ5iJ

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://textbin.net/raw/ezjmofz3s6

exe.dropper

https://textbin.net/raw/ezjmofz3s6

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

127.0.0.1:6900

Mutex

fd048b4fe5

Attributes
  • reg_key

    fd048b4fe5

  • splitter

    @!#&^%$

Targets

    • Target

      attach.pdf/EncriptadoOOKK50.vbs

    • Size

      8.5MB

    • MD5

      fe73937416b78fff5aabab8506b32f60

    • SHA1

      c87bb9695995735f37b46d10db49c0e75deaa26d

    • SHA256

      a937e59c4e8f66f9c60c5725fa85bbd71e3a8fc32ade529ec7620ed81dd1126e

    • SHA512

      231cdeed56ff52c687aba8ae417232402d09535256f68c964e4f503d0b9fb806fbc909dc6afb82f492c29887d74df9676f03913600024d5a8856737d5304e9c2

    • SSDEEP

      768:lm+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m++:Q7kwA6P

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Executes commands through powershell.exe.

    • Checks computer location settings

      Reads the country code configured in the registry, most likely as a geofence check.

    • Drops startup file

    • Adds Run key to start application

    • Hide Artifacts: Hidden Window

      Windows that an application would normally display while carrying out an operation are hidden from the user.

    • Suspicious use of SetThreadContext

      Setting the context of a thread in another process is a common step in process hollowing and similar injection techniques.
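
The extracted config and the signature list above give a hunter a small set of pivots: the dropper URL on textbin.net, the Run-key name fd048b4fe5 (which is also the mutex), the loopback C2 127.0.0.1:6900, and the script-host-to-PowerShell launch with a hidden window. The following is an added example, not code from the sandbox report or from njRAT, that runs those checks over Sysmon-style events. The event records, user name, hostnames and file paths are constructed; only the dropper host, Run-key name and C2 socket come from the report. The registry locations for the Run key, the Startup folder and the Geo\Nation country code are assumed from the behaviour names (the report does not print them), and the registry_query event kind assumes a source that records registry reads, which stock Sysmon does not. The C2 rule is kept for completeness only: a loopback address is reachable from the infected host alone, so in practice the URL, the Run-key name and the mutex are the usable indicators from this config.

```python
"""Hunt for the dropper chain and njRAT persistence described in this report.

Added example, not part of the sandbox report or of njRAT itself. The event
records, hostnames, user name and file paths below are constructed for
illustration; only the dropper host, the Run-key/mutex name and the C2 socket
are taken from the report's extracted config.
"""
import re
from typing import Dict, List

# Indicators from the extracted config and dropper URLs in the report.
DROPPER_HOST = "textbin.net"                 # host of https://textbin.net/raw/ezjmofz3s6
NJRAT_REG_KEY = "fd048b4fe5"                 # reg_key, identical to the mutex
NJRAT_C2 = ("127.0.0.1", 6900)               # loopback in this build, see lead-in

# Assumed locations: the report names the behaviours, not the exact keys/paths.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
HIDDEN_WINDOW_RE = re.compile(r"-(w|win|windowstyle)\s+hidden", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[str]:
    """Return the sorted signature names (as used in the report) that the events match."""
    hits = set()
    for e in events:
        kind = e["kind"]
        if kind == "process_create":
            img = image_name(e["image"])
            parent = image_name(e.get("parent_image", ""))
            if img == "powershell.exe" and parent in SCRIPT_HOSTS:
                hits.add("Command and Scripting Interpreter: PowerShell")
            if HIDDEN_WINDOW_RE.search(e.get("command_line", "")):
                hits.add("Hide Artifacts: Hidden Window")
        elif kind == "network_connect":
            if image_name(e["image"]) == "powershell.exe" and \
                    e.get("dest_host", "").lower() == DROPPER_HOST:
                hits.add("Blocklisted process makes network request")
            if (e.get("dest_ip"), e.get("dest_port")) == NJRAT_C2:
                hits.add("njRAT C2 from extracted config")
        elif kind == "registry_set":
            target = e["target"]
            if RUN_KEY_RE.search(target) and target.lower().endswith("\\" + NJRAT_REG_KEY):
                hits.add("Adds Run key to start application")
        elif kind == "registry_query" and GEO_KEY_RE.search(e["target"]):
            hits.add("Checks computer location settings")
        elif kind == "file_create" and STARTUP_DIR_RE.search(e["target"]):
            hits.add("Drops startup file")
    return sorted(hits)


def verdict(hits: List[str]) -> str:
    """Crude triage: two or more chain-level hits is enough to call it malicious."""
    chain = {"Command and Scripting Interpreter: PowerShell",
             "Blocklisted process makes network request",
             "Adds Run key to start application"}
    if len(chain & set(hits)) >= 2:
        return "malicious"
    return "suspicious" if hits else "clean"


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PAYLOAD = r"C:\Users\user\AppData\Roaming\payload.exe"      # constructed path
SAMPLE_EVENTS = [  # constructed telemetry shaped like the chain in the report
    {"kind": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'wscript.exe "C:\Users\user\Downloads\attach.pdf\EncriptadoOOKK50.vbs"'},
    {"kind": "process_create", "image": PS,
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": "powershell.exe -w hidden -nop -c \"<stage-2 fetch of https://textbin.net/raw/ezjmofz3s6>\""},
    {"kind": "network_connect", "image": PS, "dest_host": "textbin.net",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"kind": "registry_query", "image": PAYLOAD,
     "target": r"HKCU\Control Panel\International\Geo\Nation"},
    {"kind": "registry_set", "image": PAYLOAD,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\fd048b4fe5"},
    {"kind": "file_create", "image": PAYLOAD,
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fd048b4fe5.exe"},
    {"kind": "network_connect", "image": PAYLOAD,
     "dest_ip": "127.0.0.1", "dest_port": 6900},
]

if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print("match:", h)
    print("verdict:", verdict(detect(SAMPLE_EVENTS)))
```

The rules are deliberately narrow: the PowerShell rule fires only when the parent is a script host, and the Run-key rule requires the exact value name from the config, so a hit is a strong pivot rather than a generic alert. To broaden the hunt, drop the value-name check on the Run key and match any powershell.exe connection to a paste or raw-text hosting domain; the mutex is not visible in Sysmon telemetry and is better checked on a live host or in a memory image.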

MITRE ATT&CK Enterprise v15

Tasks