HAC54X-JAN-PAYMENT-RECEIPT.vbs

Target

Size

2KB

Sample

220104-s1xglshegm

Score

10 ^/10

MD5

52cc63019d7ac5726b375e14771cfc9e

SHA1

04158c38ec3c912b1b510e1479e927cf91ee3d68

SHA256

e9fc037cd4104162c1a600754a87d9aec3d3b983ad4146954c5ef9ca49752783

SHA512

71fcd939ab72b4a54f6c23b7eab5c45244c4a3f8e7f65edc29af721b0f1aa3484853fc5359d4c1fe2113659fb4b77ade415684100c9f27c5aa19680a8151f959

Extracted

Language	ps1
Deobfuscated
URLs	https://transfer.sh/get/pBzucs/HHHHHHHHHHHHHHHH.txt ps1.dropper https://transfer.sh/get/pBzucs/HHHHHHHHHHHHHHHH.txt

Extracted

Family	njrat
Version	1.9
Botnet	HacKed
Attributes	reg_key Microsoft.Exe

Extracted

Family	bitrat
Version	1.38
C2	1120bitratjan.duckdns.org:1120 1120bitratjan.duckdns.org:1120
Attributes	communication_password e10adc3949ba59abbe56e057f20f883e tor_process tor

Target

HAC54X-JAN-PAYMENT-RECEIPT.vbs

MD5

52cc63019d7ac5726b375e14771cfc9e

Filesize

2KB

Score

10^/10

SHA1

04158c38ec3c912b1b510e1479e927cf91ee3d68

SHA256

e9fc037cd4104162c1a600754a87d9aec3d3b983ad4146954c5ef9ca49752783

SHA512

71fcd939ab72b4a54f6c23b7eab5c45244c4a3f8e7f65edc29af721b0f1aa3484853fc5359d4c1fe2113659fb4b77ade415684100c9f27c5aa19680a8151f959

Signatures

BitRAT
Description

BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
Tags

trojan bitrat
Detect Neshta Payload
Modifies system executable filetype association
Tags

persistence

TTPs

Modify RegistryChange Default File Association
Neshta
Description

Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
Tags

persistence spyware neshta
njRAT/Bladabindi
Description

Widely used RAT written in .NET.
Tags

trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Description

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Tags

suricata
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Description

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Tags

suricata
Blocklisted process makes network request
Modifies Windows Firewall
Tags

evasion

TTPs

Modify Existing Service
UPX packed file
Description

Detects executables packed with UPX/modified UPX open source packer.
Tags

upx
Adds Run key to start application
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

Related Tasks

behavioral1 behavioral2

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

static1

behavioral1

10^/10

behavioral2

bitrat neshta njrat hacked evasion persistence spyware suricata trojan upx

10^/10

Extracted

Extracted

Extracted

Tags

Signatures

BitRAT

Description

Tags

Detect Neshta Payload

Modifies system executable filetype association

Tags

TTPs

Neshta

Description

Tags

njRAT/Bladabindi

Description

Tags

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

Description

Tags

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

Description

Tags

Blocklisted process makes network request

Modifies Windows Firewall

Tags

TTPs

UPX packed file

Description

Tags

Adds Run key to start application

Tags

TTPs

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Related Tasks

static1

behavioral1

behavioral2