Recently we have observed many samples in-the-wild using the coronavirus theme to spread different types of trojans and Remote Administration Tools (RATs).
I came across one such interesting sample today. It is a VBScript that drops and executes an njRAT binary embedded in it.
SHA256 hash: 1e18414968c0317cc5fefc5f25de845eba5566fcb236b9e4bdd84f0a82902c30
Filename: Covid19.vbs
The encoded VBScript is as shown below.
This script has funny variable names, which make the code interesting to read as well :)
For example, the below code section:
' winter holds the obfuscated inner script; spring and corrona are the key material.
' Each UTF-16 code unit of winter is shifted by the constant (Len(corrona) - spring).
If (Covid = 0) Then
    Do Until ebula = Len(winter)
        ebula = ebula + 1
        coldflue = coldflue & ChrW(AscW(Mid(winter, ebula, 1)) - spring + Len(corrona))
    Loop
End If
If (Covid = 0) Then
    wscript.sleep(3000)   ' three second delay before the decoded layer runs
    Execute(coldflue)     ' the decoded VBScript is executed in-process
End If
The coldflue variable contains the decoded VBScript which is shown below.
The Base64-encoded blob in this VBScript decodes to an njRAT binary, which is dropped to the path C:\Users\sasithar79\AppData\Roaming\Microsoft\Invisible Server Process\1.0.0.0\covid19.exe (i.e. under %APPDATA%) and executed, as shown below.
SHA256 hash of the decoded njRAT binary: 59ebc1d6ef4c1dcd1e69abf55e7ea166b29a3dd208f286699345583b992ff068
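To make the decoding loop and the payload extraction reproducible, here is an added Python re-implementation of both steps. It is not code from the sample or from the original post. The real `spring` value and the length of the `corrona` string are inside the sample and are not reproduced on this page, so `SPRING` and `CORRONA` below are constructed stand-ins, as are the embedded inner script and the MZ/PE stub; with the real values read out of the sample, `vbs_shift_decode` recovers `coldflue` and `extract_pe_from_script` pulls out the dropped executable.

```python
import base64
import binascii
import hashlib
import re
from typing import Optional

# Hypothetical key material (constructed; the real values live in the sample).
SPRING = 13
CORRONA = "corrona"  # Len(corrona) = 7, so the net shift is 7 - 13 = -6


def vbs_shift_decode(winter: str, spring: int, corrona_len: int) -> str:
    """Python equivalent of the Do Until ... Loop in Covid19.vbs.

    VBScript builds coldflue one character at a time as
        ChrW(AscW(Mid(winter, i, 1)) - spring + Len(corrona))
    so every UTF-16 code unit of `winter` is shifted by the constant
    (corrona_len - spring). Mid() is 1-based; iterating the string directly
    yields the same character sequence.
    """
    shift = corrona_len - spring
    return "".join(chr(ord(c) + shift) for c in winter)


def vbs_shift_encode(plain: str, spring: int, corrona_len: int) -> str:
    """Inverse of vbs_shift_decode; used here only to build a constructed sample."""
    shift = corrona_len - spring
    return "".join(chr(ord(c) - shift) for c in plain)


# Base64 runs long enough to plausibly carry a PE; short string literals are skipped.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def extract_pe_from_script(decoded_script: str) -> Optional[bytes]:
    """Return the longest base64 blob in the decoded layer that starts with an MZ header.

    Real samples sometimes split the blob across concatenated literals; if no
    single run matches, join the pieces before calling this.
    """
    for blob in sorted(_B64_RUN.findall(decoded_script), key=len, reverse=True):
        try:
            data = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue
        if data.startswith(b"MZ"):
            return data
    return None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def analyze(winter: str, spring: int, corrona_len: int):
    """Decode the outer layer, extract the embedded PE and hash it."""
    script = vbs_shift_decode(winter, spring, corrona_len)
    pe = extract_pe_from_script(script)
    return script, pe, (sha256_hex(pe) if pe else None)


# ---- constructed sample (not the real Covid19.vbs) --------------------------
# Minimal MZ/PE-looking stub: DOS header with e_lfanew = 0x40, then "PE\0\0".
FAKE_PE = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 128
INNER_SCRIPT = (
    'Dim payload, path\n'
    'payload = "' + base64.b64encode(FAKE_PE).decode() + '"\n'
    'path = "%APPDATA%\\Microsoft\\Invisible Server Process\\1.0.0.0\\covid19.exe"\n'
)
WINTER = vbs_shift_encode(INNER_SCRIPT, SPRING, len(CORRONA))

if __name__ == "__main__":
    script, pe, digest = analyze(WINTER, SPRING, len(CORRONA))
    print(script)
    print("embedded PE size:", len(pe), "sha256:", digest)
```

A quicker dynamic alternative, when the key values are awkward to read out statically, is to replace `Execute(coldflue)` with `WScript.Echo coldflue` in a copy of the script and run it with cscript inside an isolated VM; the decoded layer is printed instead of executed, and the functions above can then be pointed at that output.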
Indicators of Compromise
Network IOC
Connects to: covid19.gotdns.ch on port 15152
Host IOC
Dropper: Covid19.vbs (SHA256: 1e18414968c0317cc5fefc5f25de845eba5566fcb236b9e4bdd84f0a82902c30)
Dropped file: %APPDATA%\Microsoft\Invisible Server Process\1.0.0.0\covid19.exe (SHA256: 59ebc1d6ef4c1dcd1e69abf55e7ea166b29a3dd208f286699345583b992ff068)
c0d3inj3cT