Analysis
- max time kernel: 331s
- max time network: 366s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 07/05/2022, 21:49

Static task: static1
Behavioral task: behavioral1
- Sample: f1aea885141ff01f8db0c1eeea40190915f79a43d033c2e0f58784d87d540bad.ps1
- Resource: win7-20220414-en
- 0 signatures, 0 seconds
General
- Target: f1aea885141ff01f8db0c1eeea40190915f79a43d033c2e0f58784d87d540bad.ps1
- Size: 3.1MB
- MD5: a3aa56ea0d055b327db1ccca22fc6bfc
- SHA1: c8e62b37c9b96b7cf32ba5843b6f9242fdef6075
- SHA256: f1aea885141ff01f8db0c1eeea40190915f79a43d033c2e0f58784d87d540bad
- SHA512: 2fc2e9870f30cae5dd2f63dda167a3c60f611220fa60ab281e7999870dadaba6d9854f4cdc8bf96bb4911a82b45f8ed99d23a76fd841f87f6cc67a1fbe71b724
Malware Config (extracted)
- Family: bitrat
- Version: 1.38
- C2: bitrat9300.duckdns.org:9300
- Attributes:
  - communication_password: e10adc3949ba59abbe56e057f20f883e
  - tor_process: tor
Signatures
- suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
- yara_rule matches (resource | yara_rule)
  behavioral2/memory/4172-132-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
  behavioral2/memory/4172-134-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
  behavioral2/memory/4172-135-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
  behavioral2/memory/4172-136-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
  behavioral2/memory/4172-137-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs; pid | Process)
  4172 | aspnet_regbrowsers.exe
  4172 | aspnet_regbrowsers.exe
  4172 | aspnet_regbrowsers.exe
  4172 | aspnet_regbrowsers.exe
  4172 | aspnet_regbrowsers.exe
- Suspicious use of SetThreadContext (1 IoC; description | pid | Process | procid_target)
  PID 5064 set thread context of 4172 | 5064 | powershell.exe | 82
- Suspicious behavior: EnumeratesProcesses (2 IoCs; pid | Process)
  5064 | powershell.exe
  5064 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs; description | pid | Process)
  Token: SeDebugPrivilege | 5064 | powershell.exe
  Token: SeShutdownPrivilege | 4172 | aspnet_regbrowsers.exe
- Suspicious use of SetWindowsHookEx (2 IoCs; pid | Process)
  4172 | aspnet_regbrowsers.exe
  4172 | aspnet_regbrowsers.exe
- Suspicious use of WriteProcessMemory (7 IoCs; description | pid | Process | procid_target)
  PID 5064 wrote to memory of 4172 | 5064 | powershell.exe | 82
  PID 5064 wrote to memory of 4172 | 5064 | powershell.exe | 82
  PID 5064 wrote to memory of 4172 | 5064 | powershell.exe | 82
  PID 5064 wrote to memory of 4172 | 5064 | powershell.exe | 82
  PID 5064 wrote to memory of 4172 | 5064 | powershell.exe | 82
  PID 5064 wrote to memory of 4172 | 5064 | powershell.exe | 82
  PID 5064 wrote to memory of 4172 | 5064 | powershell.exe | 82
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 5064)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\f1aea885141ff01f8db0c1eeea40190915f79a43d033c2e0f58784d87d540bad.ps1
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe (PID: 4172)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx