srv.ps1

General
Target: srv.ps1
Filesize: 3MB
Completed: 19-01-2022 11:29
Score: 10/10
MD5: bdfc70e3237617d7a4509e9a857234eb
SHA1: 7b1e093f630ded929fefe02c554d09a1a9d13c54
SHA256: d96de808e92e4d42e93180be95ec52fbe490c506cd839365e71cb7168df6bfbd

Malware Config

Extracted
Family: bitrat
Version: 1.38
C2: learnatallcost2.ddns.net:9050
Attributes
communication_password: 4a3e00961a08879c34f91ca0070ea2f5
tor_process: tor
Signatures 8
  • BitRAT

    Description

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/2072-140-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
    behavioral2/memory/2072-142-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
    behavioral2/memory/2072-143-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    aspnet_compiler.exe

    Reported IOCs

    pid | process
    2072 | aspnet_compiler.exe
    2072 | aspnet_compiler.exe
    2072 | aspnet_compiler.exe
    2072 | aspnet_compiler.exe
    2072 | aspnet_compiler.exe
  • Suspicious use of SetThreadContext
    powershell.exe

    Reported IOCs

    description | pid | process | target process
    PID 1216 set thread context of 2072 | 1216 | powershell.exe | aspnet_compiler.exe
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe

    Reported IOCs

    pid | process
    1216 | powershell.exe
    1216 | powershell.exe
    1216 | powershell.exe
    1216 | powershell.exe
    1216 | powershell.exe
    1216 | powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe, aspnet_compiler.exe, svchost.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1216 | powershell.exe
    Token: SeShutdownPrivilege | 2072 | aspnet_compiler.exe
    Token: SeSystemtimePrivilege | 3544 | svchost.exe
    Token: SeSystemtimePrivilege | 3544 | svchost.exe
    Token: SeIncBasePriorityPrivilege | 3544 | svchost.exe
  • Suspicious use of SetWindowsHookEx
    aspnet_compiler.exe

    Reported IOCs

    pid | process
    2072 | aspnet_compiler.exe
    2072 | aspnet_compiler.exe
  • Suspicious use of WriteProcessMemory
    powershell.exe

    Reported IOCs

    description | pid | process | target process
    PID 1216 wrote to memory of 224 | 1216 | powershell.exe | aspnet_compiler.exe
    PID 1216 wrote to memory of 224 | 1216 | powershell.exe | aspnet_compiler.exe
    PID 1216 wrote to memory of 224 | 1216 | powershell.exe | aspnet_compiler.exe
    PID 1216 wrote to memory of 1740 | 1216 | powershell.exe | aspnet_compiler.exe
    PID 1216 wrote to memory of 1740 | 1216 | powershell.exe | aspnet_compiler.exe
    PID 1216 wrote to memory of 1740 | 1216 | powershell.exe | aspnet_compiler.exe
    PID 1216 wrote to memory of 2072 | 1216 | powershell.exe | aspnet_compiler.exe
    PID 1216 wrote to memory of 2072 | 1216 | powershell.exe | aspnet_compiler.exe
    PID 1216 wrote to memory of 2072 | 1216 | powershell.exe | aspnet_compiler.exe
    PID 1216 wrote to memory of 2072 | 1216 | powershell.exe | aspnet_compiler.exe
    PID 1216 wrote to memory of 2072 | 1216 | powershell.exe | aspnet_compiler.exe
    PID 1216 wrote to memory of 2072 | 1216 | powershell.exe | aspnet_compiler.exe
    PID 1216 wrote to memory of 2072 | 1216 | powershell.exe | aspnet_compiler.exe
Processes 5
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\srv.ps1
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      PID:224
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      PID:1740
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2072
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    Suspicious use of AdjustPrivilegeToken
    PID:3544
Network

MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/1216-134-0x000002021D170000-0x000002021D192000-memory.dmp
  • memory/1216-135-0x00000202357C0000-0x00000202357C2000-memory.dmp
  • memory/1216-136-0x00000202357C3000-0x00000202357C5000-memory.dmp
  • memory/1216-139-0x00000202357C6000-0x00000202357C8000-memory.dmp
  • memory/2072-140-0x0000000000400000-0x00000000007E4000-memory.dmp
  • memory/2072-142-0x0000000000400000-0x00000000007E4000-memory.dmp
  • memory/2072-143-0x0000000000400000-0x00000000007E4000-memory.dmp