General

  • Target

    YBCZJVVOFILQ_PAYMENT_COPY.iso

  • Size

    64KB

  • Sample

    220506-tmxqwsabb7

  • MD5

    f24c997bf751e2a1f045e39f96349a2b

  • SHA1

    2d5ac6763e60c247bbc8262855d46c73eb8a2100

  • SHA256

    372cca63cca8b7b600cfafc78a89f63057889b935e77ab66703fc951b2bd29e4

  • SHA512

    dcbb177e8e1a52556612407c20808dedd5bb61cf84a6771f17cda7924e014641c7c5676bf8a2f7823957c7a6e0d0390693c92d4fc65e42924c11380f6305adb6

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

May9400

C2

dan9400.duckdns.org:9400

Mutex

Windows

Attributes

  • reg_key

    Windows

  • splitter

    |-F-|

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes

  • communication_password

    e10adc3949ba59abbe56e057f20f883e

  • tor_process

    tor

Targets

    • Target

      YBCZJVVOFILQ_PAYMENT_COPY.VBS

    • Size

      3KB

    • MD5

      a1031bbb3ba801bdfe99429e0fcb1c18

    • SHA1

      adfed282b2b153d57644240a6e4092be27dfdde8

    • SHA256

      d1d697329508e29b711aa1c83aaa4bc900c00059ccb71cef935e0bf6dae3f5e3

    • SHA512

      f522410685031714d0320f5f746e5710c348562402d28a1142d87ba0021e3fb0d2dfef09c3d45d91ef6f17fe25dd3f39c73f14ae6099ca66398d91df125f3961

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    • Blocklisted process makes network request

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops startup file

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext