Overview

overview

10

Static

static

HAC54X-JAN...PT.vbs

windows7_x64

10

HAC54X-JAN...PT.vbs

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    HAC54X-JAN-PAYMENT-RECEIPT.vbs

  • Size

    2KB

  • Sample

    220104-s1xglshegm

  • MD5

    52cc63019d7ac5726b375e14771cfc9e

  • SHA1

    04158c38ec3c912b1b510e1479e927cf91ee3d68

  • SHA256

    e9fc037cd4104162c1a600754a87d9aec3d3b983ad4146954c5ef9ca49752783

  • SHA512

    71fcd939ab72b4a54f6c23b7eab5c45244c4a3f8e7f65edc29af721b0f1aa3484853fc5359d4c1fe2113659fb4b77ade415684100c9f27c5aa19680a8151f959

Score
10/10
bitratneshtanjrathackedevasionpersistencespywaresuricatatrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://transfer.sh/get/pBzucs/HHHHHHHHHHHHHHHH.txt

Extracted

Family

njrat

Version

1.9

Botnet

HacKed

Attributes
  • reg_key

    Microsoft.Exe

Extracted

Family

bitrat

Version

1.38

C2

1120bitratjan.duckdns.org:1120

Attributes
  • communication_password

    e10adc3949ba59abbe56e057f20f883e

  • tor_process

    tor

Targets

    • Target

      HAC54X-JAN-PAYMENT-RECEIPT.vbs

    • Size

      2KB

    • MD5

      52cc63019d7ac5726b375e14771cfc9e

    • SHA1

      04158c38ec3c912b1b510e1479e927cf91ee3d68

    • SHA256

      e9fc037cd4104162c1a600754a87d9aec3d3b983ad4146954c5ef9ca49752783

    • SHA512

      71fcd939ab72b4a54f6c23b7eab5c45244c4a3f8e7f65edc29af721b0f1aa3484853fc5359d4c1fe2113659fb4b77ade415684100c9f27c5aa19680a8151f959

    Score
    10/10
    bitratneshtanjrathackedevasionpersistencespywaresuricatatrojanupx

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

      trojanbitrat

    • Detect Neshta Payload

    • Modifies system executable filetype association

      persistence

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

      suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

      suricata

    • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

      suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

      suricata

    • Blocklisted process makes network request

    • Modifies Windows Firewall

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Discovery

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Persistence

                  Privilege Escalation

                    Tasks