njrat | aacbab5ac2400711c5fe4ce86ffe1e89627029325257ba8d81332d3dc2f81691 | Triage

Sharing

General

Target

31032025_1507_attach.pdf-EncriptadoOOKK50.vbs.zip
Size

55KB
Sample

250331-sqffcaswht
MD5

f06cbff96bbca65a05bd85be7e570ca8
SHA1

f2da54a10d89c648b8ea0f8810e98387b85c9b2d
SHA256

aacbab5ac2400711c5fe4ce86ffe1e89627029325257ba8d81332d3dc2f81691
SHA512

24f0dc797cb8183376b04c5661b9c76ab9241c90bd9c4b6296cf073bcf818c2ec18d87ce9ed654829e1e43ad6e536f2a4dfdcba39ffb16cda517747b40d53d10
SSDEEP

96:BxMTmVVBSesl3G9GiGGQGGmGGclGGnG1G9GiGGQGGmGGclGGiGvGlG9GiGGQGGm9:HkmVaesl9D0khzetgZ5iJ

Score

10^/10

njrat nyan cat defense_evasion discovery execution persistence trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://textbin.net/raw/ezjmofz3s6

exe.dropper

https://textbin.net/raw/ezjmofz3s6

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://textbin.net/raw/ezjmofz3s6

exe.dropper

https://textbin.net/raw/ezjmofz3s6

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

127.0.0.1:6900

Mutex

fd048b4fe5

Attributes

reg_key
fd048b4fe5
splitter
@!#&^%$

Targets

- Target
  
  attach.pdf/EncriptadoOOKK50.vbs
- Size
  
  8.5MB
- MD5
  
  fe73937416b78fff5aabab8506b32f60
- SHA1
  
  c87bb9695995735f37b46d10db49c0e75deaa26d
- SHA256
  
  a937e59c4e8f66f9c60c5725fa85bbd71e3a8fc32ade529ec7620ed81dd1126e
- SHA512
  
  231cdeed56ff52c687aba8ae417232402d09535256f68c964e4f503d0b9fb806fbc909dc6afb82f492c29887d74df9676f03913600024d5a8856737d5304e9c2
- SSDEEP
  
  768:lm+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m+m++:Q7kwA6P
Score

10^/10

njrat nyan cat defense_evasion discovery execution persistence trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Window

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratnyan catdefense_evasiondiscoveryexecutionpersistencetrojan