HAC54X-JAN-PAYMENT-RECEIPT.vbs

General

Target: HAC54X-JAN-PAYMENT-RECEIPT.vbs
Size: 2KB
Sample: 220104-s1xglshegm
Score: 10/10
MD5: 52cc63019d7ac5726b375e14771cfc9e
SHA1: 04158c38ec3c912b1b510e1479e927cf91ee3d68
SHA256: e9fc037cd4104162c1a600754a87d9aec3d3b983ad4146954c5ef9ca49752783
SHA512: 71fcd939ab72b4a54f6c23b7eab5c45244c4a3f8e7f65edc29af721b0f1aa3484853fc5359d4c1fe2113659fb4b77ade415684100c9f27c5aa19680a8151f959

Malware Config

Extracted
Language: ps1
Deobfuscated
URLs (ps1.dropper):
https://transfer.sh/get/pBzucs/HHHHHHHHHHHHHHHH.txt

Extracted
Family: njrat
Version: 1.9
Botnet: HacKed
Attributes
reg_key: Microsoft.Exe

Extracted
Family: bitrat
Version: 1.38
C2: 1120bitratjan.duckdns.org:1120
Attributes
communication_password: e10adc3949ba59abbe56e057f20f883e
tor_process: tor
Signatures

  • BitRAT
    Description: BitRAT is a remote access tool written in C++ that uses leaked source code from other families.
  • Detect Neshta Payload
  • Modifies system executable filetype association
    TTPs: Modify Registry; Change Default File Association
  • Neshta
    Description: Malware from the Neshta family is designed to inject itself into other files in order to spread and cause damage.
  • njRAT/Bladabindi
    Description: Widely used RAT written in .NET.
  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
  • Blocklisted process makes network request
  • Modifies Windows Firewall
    TTPs: Modify Existing Service
  • UPX packed file
    Description: Detects executables packed with UPX or a modified UPX open-source packer.
  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry
  • Suspicious use of NtSetInformationThreadHideFromDebugger
  • Suspicious use of SetThreadContext
Tasks

static1
behavioral1
Score: 10/10