General
Target: 7425996153.zip
Size: 2KB
Sample: 220504-z5fg8ahdfn
MD5: 7423624b7905adfb9dfb0d6848c37025
SHA1: 1050577e5e0c4d44d494708fd4f396760f6d460a
SHA256: 2200669f7c1b495f4d7b777e73990d8b9eda12a54d21f8c631506189420893f0
SHA512: 24ae400ba5852e39258e539526098a1be649f8e72fad94a3cb374bd83676cb7ebf2077f3ac52ea124ed21a1dbbf03742f3df0f1cf17017fdc00bdeee7b74ad47
Static task: static1
Behavioral task: behavioral1
Sample: XNSRUYFKNNERWHVPOJCOXE_COPY.vbs
Resource: win7-20220414-en
Malware Config
Extracted: bitrat
Version: 1.38
C2: bitrat9300.duckdns.org:9300
communication_password: e10adc3949ba59abbe56e057f20f883e
tor_process: tor
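Added example (not part of the sandbox report): a small triage helper that parses the flattened "Extracted" block above, splits the C2 into host and port, flags the dynamic-DNS hosting, and checks the 32-hex-character communication_password (the length of an MD5 digest) against a tiny constructed wordlist. The field layout it assumes is exactly the one printed above (family, version, C2, then "-" separated key/value pairs); the dynamic-DNS suffix list and the wordlist are constructed for the example and are not exhaustive.

```python
"""Triage the extracted BitRAT config block (added example, not report output)."""
import hashlib
import re
from typing import Dict, Iterable, Optional, Tuple

# Constructed copy of the report's "Malware Config / Extracted" block.
CONFIG_BLOCK = """\
bitrat
1.38
bitrat9300.duckdns.org:9300
-
communication_password
e10adc3949ba59abbe56e057f20f883e
-
tor_process
tor
"""

# Constructed, deliberately tiny wordlist; a real run would use a proper list.
WEAK_PASSWORDS = ["password", "123456", "12345678", "admin", "bitrat"]

# Assumption: a short list of dynamic-DNS suffixes commonly abused for RAT C2.
DYNAMIC_DNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net", ".hopto.org")

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def parse_config(block: str) -> Dict[str, str]:
    """Parse the flattened extractor output into a dict.

    Assumes the report layout: the first three lines are positional
    (family, version, C2); the rest are "-" separated key/value pairs.
    """
    lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
    cfg = {"family": lines[0], "version": lines[1], "c2": lines[2]}
    rest = [ln for ln in lines[3:] if ln != "-"]
    for key, value in zip(rest[0::2], rest[1::2]):
        cfg[key] = value
    return cfg


def split_c2(c2: str) -> Tuple[str, int]:
    """Split 'host:port' on the last colon so IPv6-style hosts are not mangled."""
    host, _, port = c2.rpartition(":")
    return host, int(port)


def is_dynamic_dns(host: str) -> bool:
    return host.lower().endswith(DYNAMIC_DNS_SUFFIXES)


def crack_md5(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the wordlist entry whose MD5 equals digest, or None."""
    if not MD5_HEX.match(digest.lower()):
        return None
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest.lower():
            return word
    return None


def triage(block: str) -> Dict[str, object]:
    cfg = parse_config(block)
    host, port = split_c2(cfg["c2"])
    return {
        "family": cfg["family"],
        "version": cfg["version"],
        "c2_host": host,
        "c2_port": port,
        "dynamic_dns": is_dynamic_dns(host),
        "password_plaintext": crack_md5(cfg["communication_password"], WEAK_PASSWORDS),
        "tor_process": cfg.get("tor_process"),
    }


if __name__ == "__main__":
    for key, value in triage(CONFIG_BLOCK).items():
        print(f"{key}: {value}")
```

Run as-is it reports the C2 host and port separately (useful for a DNS block and a firewall rule), marks the duckdns.org host as dynamic DNS, and recovers the operator's password as "123456", which is exactly what the MD5 digest in the config resolves to.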
Targets
Target: XNSRUYFKNNERWHVPOJCOXE_COPY.VBS
Size: 3KB
MD5: 781f4029ef1ea2427f10e4487490b587
SHA1: 3d043aa3fb1fda09902a8123864ded866f68566a
SHA256: b6f3c3dd20c8bc610be775141a62cd8020a7068b497c68e1239a7e60ddd31e0d
SHA512: a26468a076effa9bcfd403d57c145df21cfffedd19d4a9e0ad99c92650a690dc9aff0edeb2fa42a28679de79c4d9aa666b65576b6075947e7f6e6f143e719336
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
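Added example (not the sandbox's own rule): the logic behind a "process spawned unexpected child process" signature, run over a few constructed process-creation events. A .vbs file is executed by the Windows Script Host, so wscript.exe is the expected parent; any child it spawns is treated as suspicious, and a child from a short LOLBIN list is rated higher. The host and LOLBIN lists, the process IDs, paths and command lines are all assumptions made for the example, not data taken from the report.

```python
"""Flag script/document hosts spawning child processes (added example)."""
import os
from dataclasses import dataclass
from typing import Dict, List

# Assumption: parents that normally do not launch other executables.
SCRIPT_AND_DOC_HOSTS = {
    "wscript.exe", "cscript.exe", "mshta.exe",
    "winword.exe", "excel.exe", "powerpnt.exe",
}
# Assumption: children that are especially interesting under those parents.
LOLBIN_CHILDREN = {
    "powershell.exe", "cmd.exe", "rundll32.exe",
    "regsvr32.exe", "certutil.exe", "mshta.exe",
}


@dataclass
class ProcEvent:
    pid: int
    parent_image: str  # full path of the parent process image
    image: str         # full path of the newly created process image
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def classify(ev: ProcEvent) -> str:
    """Return 'high', 'medium' or 'none' for one process-creation event."""
    parent = basename(ev.parent_image)
    child = basename(ev.image)
    if parent not in SCRIPT_AND_DOC_HOSTS:
        return "none"
    if child in LOLBIN_CHILDREN:
        return "high"
    return "medium"


def detect(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Return one hit per event whose parent is an unexpected spawner."""
    hits = []
    for ev in events:
        severity = classify(ev)
        if severity != "none":
            hits.append({
                "pid": ev.pid,
                "parent": basename(ev.parent_image),
                "child": basename(ev.image),
                "severity": severity,
            })
    return hits


# Constructed events mimicking Sysmon-style process creation; not from the report.
SAMPLE_EVENTS = [
    ProcEvent(1204, r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" C:\Users\user\Desktop\XNSRUYFKNNERWHVPOJCOXE_COPY.vbs'),
    ProcEvent(1388, r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden"),
    ProcEvent(1402, r"C:\Windows\System32\wscript.exe",
              r"C:\Users\user\AppData\Local\Temp\payload.exe",
              "payload.exe"),
    ProcEvent(1510, r"C:\Windows\explorer.exe",
              r"C:\Program Files\Internet Explorer\iexplore.exe",
              "iexplore.exe"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The user double-clicking the script (explorer.exe launching wscript.exe) is not flagged; wscript.exe launching powershell.exe is a high-severity hit and wscript.exe launching a dropped executable from %TEMP% a medium one. Keying on the parent's image name rather than its command line is what makes the rule survive renamed or obfuscated script files.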