General
Target: YBCZJVVOFILQ_PAYMENT_COPY.iso
Size: 64KB
Sample: 220506-tmxqwsabb7
MD5: f24c997bf751e2a1f045e39f96349a2b
SHA1: 2d5ac6763e60c247bbc8262855d46c73eb8a2100
SHA256: 372cca63cca8b7b600cfafc78a89f63057889b935e77ab66703fc951b2bd29e4
SHA512: dcbb177e8e1a52556612407c20808dedd5bb61cf84a6771f17cda7924e014641c7c5676bf8a2f7823957c7a6e0d0390693c92d4fc65e42924c11380f6305adb6
Static task: static1
Behavioral task: behavioral1
Sample: YBCZJVVOFILQ_PAYMENT_COPY.vbs
Resource: win7-20220414-en
Malware Config
Extracted: njrat
- v4.0
- May9400
- dan9400.duckdns.org:9400
- Windows
- reg_key: Windows
- splitter: |-F-|
Extracted: bitrat
- 1.38
- bitrat9300.duckdns.org:9300
- communication_password: e10adc3949ba59abbe56e057f20f883e
- tor_process: tor
Targets
Target: YBCZJVVOFILQ_PAYMENT_COPY.VBS
Size: 3KB
MD5: a1031bbb3ba801bdfe99429e0fcb1c18
SHA1: adfed282b2b153d57644240a6e4092be27dfdde8
SHA256: d1d697329508e29b711aa1c83aaa4bc900c00059ccb71cef935e0bf6dae3f5e3
SHA512: f522410685031714d0320f5f746e5710c348562402d28a1142d87ba0021e3fb0d2dfef09c3d45d91ef6f17fe25dd3f39c73f14ae6099ca66398d91df125f3961
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
- Blocklisted process makes network request
- Drops startup file
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext