General
Target: li.VBS
Size: 3KB
Sample: 220506-rdccgshhh2
MD5: cf676af95c4a4001dda9ed858112ecf2
SHA1: d65aa6d9aebf5e4a90b8d7d57232d08277dba5b4
SHA256: bfe930cc45a201eb53a6e7901e3413aa2c28b57a876f17defae7cad492fb0967
SHA512: 7e183cebe610f866b030fc599c28a6eaa637fc6ddc6f82988a9bc046cd6d3fedb9eee4e8c271712ebb950e4cb2254f07ce4c03273138d0f8c4303f09613a6b98
Static task: static1
Behavioral task: behavioral1
Sample: li.vbs
Resource: win7-20220414-en
Malware Config
Extracted: njrat
v4.0
May9400
dan9400.duckdns.org:9400
Windows
reg_key: Windows
splitter: |-F-|
Extracted: bitrat
1.38
bitrat9300.duckdns.org:9300
communication_password: e10adc3949ba59abbe56e057f20f883e
tor_process: tor
Targets
Target: li.VBS
Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Blocklisted process makes network request
Drops startup file
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext