Saturday, 11 April 2020

VBScript using Coronavirus theme to execute njRAT

Recently we have observed many samples in-the-wild using the coronavirus theme to spread different types of trojans and Remote Administration Tools (RATs).

I came across one such interesting sample today. It is a VBScript which drops and executes njRAT binary embedded in it.

SHA256 hash: 1e18414968c0317cc5fefc5f25de845eba5566fcb236b9e4bdd84f0a82902c30
Filename: Covid19.vbs

The encoded VBScript is as shown below.


This script has funny variable names which makes the code interesting to read as well :)

For example, the below code section:

        If (Covid = 0) Then
            Do Until ebula = Len(winter)
                ebula = ebula + 1
                coldflue = coldflue & ChrW(AscW(Mid(winter, ebula, 1)) - spring + Len(corrona))
            Loop
        End If
        If (Covid = 0) Then
            wscript.sleep(3000)
            Execute(coldflue)
        End If

The coldflue variable contains the decoded VBScript which is shown below.


The Base64 encoded blob in this VBScript decodes to an njRAT binary which is then dropped to the system to the path: C:\Users\sasithar79\AppData\Roaming\Microsoft\Invisible Server Process\1.0.0.0\covid19.exe and executed as shown below.


SHA256 hash of the decoded njRAT binary: 59ebc1d6ef4c1dcd1e69abf55e7ea166b29a3dd208f286699345583b992ff068

Indicators of Compromise

Network IOC

Connects to: covid19.gotdns.ch and port 15152

c0d3inj3cT

No comments:

Post a comment