General
-
Target
AOVAWGERJ_PAYMENT_COPY.VBS
-
Size
3KB
-
Sample
220506-tjgv9sabb2
-
MD5
3c171f20c060299a53257a677ec75f25
-
SHA1
d0c3bfca8839cdd3808ecdbfa76bb64c61d9255d
-
SHA256
0a53a2620f3e4c2b0e096df9734ef0064480ac20941509c2a90a44029a057ee2
-
SHA512
70c67184449afde7e8452f3fa9e023d3561375ef30e05f63eb5a3c2d90fe22470ae3eda50793e80c84db935468bce7c0779f1308ef767b0df140c74120729422
Static task
static1
Behavioral task
behavioral1
Sample
AOVAWGERJ_PAYMENT_COPY.vbs
Resource
win7-20220414-en
Malware Config
Extracted
njrat
v4.0
May9400
dan9400.duckdns.org:9400
Windows
-
reg_key
Windows
-
splitter
|-F-|
Extracted
bitrat
1.38
bitrat9300.duckdns.org:9300
-
communication_password
e10adc3949ba59abbe56e057f20f883e
-
tor_process
tor
Targets
-
-
Target
AOVAWGERJ_PAYMENT_COPY.VBS
-
Size
3KB
-
MD5
3c171f20c060299a53257a677ec75f25
-
SHA1
d0c3bfca8839cdd3808ecdbfa76bb64c61d9255d
-
SHA256
0a53a2620f3e4c2b0e096df9734ef0064480ac20941509c2a90a44029a057ee2
-
SHA512
70c67184449afde7e8452f3fa9e023d3561375ef30e05f63eb5a3c2d90fe22470ae3eda50793e80c84db935468bce7c0779f1308ef767b0df140c74120729422
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
-
Blocklisted process makes network request
-
Drops startup file
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-