General

Target: HAC54X-JAN-PAYMENT-RECEIPT.vbs
Size: 2KB
Sample: 220104-s1xglshegm
MD5: 52cc63019d7ac5726b375e14771cfc9e
SHA1: 04158c38ec3c912b1b510e1479e927cf91ee3d68
SHA256: e9fc037cd4104162c1a600754a87d9aec3d3b983ad4146954c5ef9ca49752783
SHA512: 71fcd939ab72b4a54f6c23b7eab5c45244c4a3f8e7f65edc29af721b0f1aa3484853fc5359d4c1fe2113659fb4b77ade415684100c9f27c5aa19680a8151f959
Static task: static1
Behavioral task: behavioral1
Sample: HAC54X-JAN-PAYMENT-RECEIPT.vbs
Resource (sandbox image): win7-en-20211208
Malware Config

Extracted URL (next-stage download): https://transfer.sh/get/pBzucs/HHHHHHHHHHHHHHHH.txt

Extracted family: njrat
Version: 1.9
Campaign: HacKed
reg_key (Run value name used for persistence): Microsoft.Exe

Extracted family: bitrat
Version: 1.38
C2: 1120bitratjan.duckdns.org:1120
communication_password: e10adc3949ba59abbe56e057f20f883e
tor_process: tor

Note: the BitRAT communication_password is stored as an unsalted MD5; the value above is the MD5 of the string 123456, so it offers no protection against anyone who can reach the C2. The C2 is a duckdns.org dynamic-DNS host, so the resolved IP can change; block and hunt on the hostname, not just the address seen during detonation.
Targets

Target: HAC54X-JAN-PAYMENT-RECEIPT.vbs (2KB; MD5, SHA1, SHA256 and SHA512 as listed under General)

Signatures for this target:
-
Detect Neshta payload
Modifies system executable filetype association (the Neshta file infector hijacks the .exe file association so the infector runs before the requested program)
Neshta: malware from the Neshta family is a file infector; it writes its own code into other executable files to spread and cause damage.
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Blocklisted process makes network request
Modifies Windows Firewall
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger (anti-debugging: hides the calling thread from an attached debugger)
Suspicious use of SetThreadContext (consistent with process injection or hollowing: the thread context of another process is rewritten to redirect execution)
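Added example, not part of this sandbox report and not code from the sample: a Python script that turns the extracted config and the persistence signatures above into offline checks. It matches file hashes against the sample, flags the stager host, the BitRAT C2 and any other duckdns.org host in a connection log, audits a .reg export for the hijacked exefile association and the njRAT Run value, and recovers the BitRAT communication_password from a short wordlist because the value is an unsalted MD5. The connection log, the registry export, the file paths in it and the wordlist are constructed for illustration; the clean exefile command value "%1" %* is the Windows default.

```python
"""Offline triage helpers built from the IOCs in this report.

Added example, not part of the sandbox report or the malware authors'
code. All sample inputs (connection log, registry export, wordlist)
are constructed for illustration.
"""
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied from the report.
SAMPLE_MD5 = "52cc63019d7ac5726b375e14771cfc9e"
SAMPLE_SHA256 = "e9fc037cd4104162c1a600754a87d9aec3d3b983ad4146954c5ef9ca49752783"
STAGER_URL = "https://transfer.sh/get/pBzucs/HHHHHHHHHHHHHHHH.txt"
BITRAT_C2 = ("1120bitratjan.duckdns.org", 1120)
BITRAT_COMM_PASSWORD = "e10adc3949ba59abbe56e057f20f883e"
NJRAT_REG_KEY = "Microsoft.Exe"
CLEAN_EXEFILE_COMMAND = '"%1" %*'  # Windows default for HKCR\exefile\shell\open\command


def matches_sample(data: bytes) -> bool:
    """True if the bytes are the VBS dropper from this report."""
    return (hashlib.md5(data).hexdigest() == SAMPLE_MD5
            or hashlib.sha256(data).hexdigest() == SAMPLE_SHA256)


def recover_comm_password(candidates):
    """The communication_password is an unsalted MD5, so a wordlist recovers it."""
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == BITRAT_COMM_PASSWORD:
            return word
    return None


# Constructed connection log: "<timestamp> <src_ip> <dst_host> <dst_port> <proto>".
CONSTRUCTED_CONN_LOG = """\
2022-01-04T10:12:01Z 10.0.0.5 transfer.sh 443 tcp
2022-01-04T10:12:03Z 10.0.0.5 1120bitratjan.duckdns.org 1120 tcp
2022-01-04T10:12:09Z 10.0.0.5 update.microsoft.com 443 tcp
2022-01-04T10:12:15Z 10.0.0.5 other-box.duckdns.org 4444 tcp
"""


def suspicious_connections(log_text):
    """Flag the stager host, the exact BitRAT C2, and any other duckdns.org host."""
    stager_host = urlparse(STAGER_URL).hostname
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, host, port = parts[0], parts[2].lower(), int(parts[3])
        if (host, port) == BITRAT_C2:
            reason = "bitrat_c2"
        elif host == stager_host:
            reason = "stager_host"
        elif host.endswith(".duckdns.org"):
            reason = "dynamic_dns"  # same DDNS provider as the C2: a lead, not a verdict
        else:
            continue
        hits.append({"ts": ts, "host": host, "port": port, "reason": reason})
    return hits


# Constructed .reg export; the paths are placeholders, not artifacts from the report.
CONSTRUCTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Windows\\infector.exe\" \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft.Exe"="\"C:\\Users\\user\\AppData\\Roaming\\Microsoft.exe\""
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\""
'''


def _parse_reg(reg_text):
    """Minimal .reg parser: {key_path: {value_name: string}} for REG_SZ values."""
    keys, current = {}, None
    for line in reg_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if raw.startswith('"') and raw.endswith('"'):
                raw = re.sub(r'\\(["\\])', r"\1", raw[1:-1])  # undo \" and \\ escapes
            keys[current][name.lower()] = raw
    return keys


def audit_reg_export(reg_text):
    """Findings for the two persistence signatures in the report."""
    findings = []
    keys = _parse_reg(reg_text)
    exefile = keys.get(r"hkey_classes_root\exefile\shell\open\command", {})
    if exefile.get("@", CLEAN_EXEFILE_COMMAND) != CLEAN_EXEFILE_COMMAND:
        findings.append("exefile association hijacked: " + exefile["@"])
    for path, values in keys.items():
        if path.endswith(r"\currentversion\run") and NJRAT_REG_KEY.lower() in values:
            findings.append(f"Run key {NJRAT_REG_KEY} under {path}: "
                            + values[NJRAT_REG_KEY.lower()])
    return findings


if __name__ == "__main__":
    print(recover_comm_password(["password", "123456", "admin"]))
    for hit in suspicious_connections(CONSTRUCTED_CONN_LOG):
        print(hit)
    for finding in audit_reg_export(CONSTRUCTED_REG):
        print(finding)
```

The registry check deliberately compares the whole exefile command string against the Windows default rather than looking for a known infector path: Neshta-style hijacks vary the filename, but any deviation from "%1" %* on that key means something runs before every executable.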
-
MITRE ATT&CK Matrix (tactic columns only; no technique mappings in this extract): Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation