General
Target: Serverr.ps1
Size: 3.5MB
Sample: 220506-pbfwsacedk
MD5: 4b0434d0d23bc7b3488fce647bf28a68
SHA1: 45db2a32dd53fb4c08b781e137f62a6ef1d23412
SHA256: bdbc7e20f13cee3e9ff2e82c41bd6f8740fec1ade4a0686b50c6eafce574341c
SHA512: 71ec454b8493e4d21ef3d891c9dfbfb587998d1e41cf0c8bd1eed323086b42c9f7ab4998c3d03e88f465571685ee69fecc3502695aba83f42dded95056456bb0
Static task: static1
Behavioral task: behavioral1
Sample: Serverr.ps1
Resource: win7-20220414-en
Malware Config
Extracted: njrat
v4.0
May9400
dan9400.duckdns.org:9400
Windows
reg_key: Windows
splitter: |-F-|
Extracted: bitrat
1.38
bitrat9300.duckdns.org:9300
communication_password: e10adc3949ba59abbe56e057f20f883e
tor_process: tor
Targets
Target: Serverr.ps1 (size and hashes as listed under General)
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
- Drops startup file
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext