General

  • Target: li.VBS
  • Size: 3KB
  • Sample: 220506-rdccgshhh2
  • MD5: cf676af95c4a4001dda9ed858112ecf2
  • SHA1: d65aa6d9aebf5e4a90b8d7d57232d08277dba5b4
  • SHA256: bfe930cc45a201eb53a6e7901e3413aa2c28b57a876f17defae7cad492fb0967
  • SHA512: 7e183cebe610f866b030fc599c28a6eaa637fc6ddc6f82988a9bc046cd6d3fedb9eee4e8c271712ebb950e4cb2254f07ce4c03273138d0f8c4303f09613a6b98

Malware Config

Extracted

  • Family: njrat
  • Version: v4.0
  • Botnet: May9400
  • C2: dan9400.duckdns.org:9400
  • Mutex: Windows
  • Attributes
      • reg_key: Windows
      • splitter: |-F-|

Extracted

  • Family: bitrat
  • Version: 1.38
  • C2: bitrat9300.duckdns.org:9300
  • Attributes
      • communication_password: e10adc3949ba59abbe56e057f20f883e
      • tor_process: tor

Targets

    • BitRAT
      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.

    • njRAT/Bladabindi
      Widely used RAT written in .NET.

    • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    • Blocklisted process makes network request

    • UPX packed file
      Detects executables packed with UPX/modified UPX open source packer.

    • Drops startup file

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks