Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 07/05/2022, 17:14

Tasks

Static task: static1
Behavioral task: behavioral1
  Sample: NGBDNGIICPYAAHTTNHEHNQ.ps1
  Resource: win7-20220414-en
  Result: 0 signatures, 0 seconds (nothing was recorded for the Windows 7 run)

The signatures and process tree below come from the Windows 10 task (behavioral2, win10v2004-20220414-en), which is the task the yara memory-dump paths reference.
General

Target: NGBDNGIICPYAAHTTNHEHNQ.ps1
Size: 3.1MB
MD5: a3aa56ea0d055b327db1ccca22fc6bfc
SHA1: c8e62b37c9b96b7cf32ba5843b6f9242fdef6075
SHA256: f1aea885141ff01f8db0c1eeea40190915f79a43d033c2e0f58784d87d540bad
SHA512: 2fc2e9870f30cae5dd2f63dda167a3c60f611220fa60ab281e7999870dadaba6d9854f4cdc8bf96bb4911a82b45f8ed99d23a76fd841f87f6cc67a1fbe71b724
Malware Config

Extracted
  Family: bitrat
  Version: 1.38
  C2: bitrat9300.duckdns.org:9300
  Attributes
    communication_password: e10adc3949ba59abbe56e057f20f883e
    tor_process: tor
Signatures

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

yara_rule: upx (5 memory dumps of PID 4788)
  resource                                                                        yara_rule
  behavioral2/memory/4788-132-0x0000000000400000-0x00000000007E4000-memory.dmp    upx
  behavioral2/memory/4788-134-0x0000000000400000-0x00000000007E4000-memory.dmp    upx
  behavioral2/memory/4788-135-0x0000000000400000-0x00000000007E4000-memory.dmp    upx
  behavioral2/memory/4788-136-0x0000000000400000-0x00000000007E4000-memory.dmp    upx
  behavioral2/memory/4788-137-0x0000000000400000-0x00000000007E4000-memory.dmp    upx

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  pid    Process
  4788   aspnet_regbrowsers.exe
  4788   aspnet_regbrowsers.exe
  4788   aspnet_regbrowsers.exe
  4788   aspnet_regbrowsers.exe
  4788   aspnet_regbrowsers.exe

Suspicious use of SetThreadContext (1 IoC)
  description                              pid    Process          procid_target
  PID 4400 set thread context of 4788      4400   powershell.exe   84

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid    Process
  4400   powershell.exe
  4400   powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                 pid    Process
  Token: SeDebugPrivilege     4400   powershell.exe
  Token: SeShutdownPrivilege  4788   aspnet_regbrowsers.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid    Process
  4788   aspnet_regbrowsers.exe
  4788   aspnet_regbrowsers.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                          pid    Process          procid_target
  PID 4400 wrote to memory of 4788     4400   powershell.exe   84
  PID 4400 wrote to memory of 4788     4400   powershell.exe   84
  PID 4400 wrote to memory of 4788     4400   powershell.exe   84
  PID 4400 wrote to memory of 4788     4400   powershell.exe   84
  PID 4400 wrote to memory of 4788     4400   powershell.exe   84
  PID 4400 wrote to memory of 4788     4400   powershell.exe   84
  PID 4400 wrote to memory of 4788     4400   powershell.exe   84
Processes

1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4400)
   Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\NGBDNGIICPYAAHTTNHEHNQ.ps1
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe (PID 4788, child of 4400)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
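The signature tables above record the classic process-hollowing sequence: powershell.exe (PID 4400) writes to the memory of the signed .NET helper aspnet_regbrowsers.exe (PID 4788) and then sets its thread context, after which the child hides its threads from debuggers and installs Windows hooks. The script below is an added example, not output of the sandbox or code from the report: it parses rows constructed from those tables (the one-line row format is an assumption of this example) and flags any source/target pair that shows both WriteProcessMemory and SetThreadContext. It also checks the extracted communication_password against a constructed list of common strings; the value e10adc3949ba59abbe56e057f20f883e is the MD5 of "123456", although the report does not state how BitRAT derives that field, so the match is reported only as a hash match.

```python
"""Detection heuristics over the signature rows in this report.

Added example: not code from the sandbox or from the report. The SAMPLE_ROWS
below are constructed from the signature tables above (PIDs 4400 and 4788);
the row format "<api> <pid> <image> -> <target pid|->" is an assumption of
this example, as is the candidate password list.
"""
import hashlib
import re
from collections import defaultdict

SAMPLE_ROWS = (
    ["SetThreadContext 4400 powershell.exe -> 4788"]
    + ["WriteProcessMemory 4400 powershell.exe -> 4788"] * 7
    + ["EnumeratesProcesses 4400 powershell.exe -> -"] * 2
    + ["AdjustPrivilegeToken:SeDebugPrivilege 4400 powershell.exe -> -"]
    + ["NtSetInformationThreadHideFromDebugger 4788 aspnet_regbrowsers.exe -> -"] * 5
    + ["AdjustPrivilegeToken:SeShutdownPrivilege 4788 aspnet_regbrowsers.exe -> -"]
    + ["SetWindowsHookEx 4788 aspnet_regbrowsers.exe -> -"] * 2
)

ROW_RE = re.compile(
    r"^(?P<api>\S+)\s+(?P<pid>\d+)\s+(?P<image>\S+)\s+->\s+(?P<target>\d+|-)$"
)

# Both APIs against the same remote process indicate its image was overwritten
# and its thread redirected (process hollowing); this pair is the heuristic.
HOLLOWING_APIS = {"WriteProcessMemory", "SetThreadContext"}


def parse_rows(rows):
    """Parse flattened rows into dicts. Malformed rows are dropped, not guessed."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m is None:
            continue
        e = m.groupdict()
        e["pid"] = int(e["pid"])
        e["target"] = None if e["target"] == "-" else int(e["target"])
        events.append(e)
    return events


def detect_hollowing(events):
    """Return one finding per (source, target) pair showing both hollowing APIs.

    Each finding also records whether the target itself called
    NtSetInformationThreadHideFromDebugger, i.e. the injected code is
    anti-debugging, which is what the report shows for PID 4788.
    """
    cross = defaultdict(set)   # (src_pid, dst_pid) -> APIs used across processes
    own = defaultdict(set)     # pid -> APIs the process used on itself
    images = {}                # pid -> image name, as seen in any row
    for e in events:
        images[e["pid"]] = e["image"]
        if e["target"] is None:
            own[e["pid"]].add(e["api"])
        else:
            cross[(e["pid"], e["target"])].add(e["api"])

    findings = []
    for (src, dst), apis in sorted(cross.items()):
        if HOLLOWING_APIS <= apis:
            findings.append({
                "source": (src, images.get(src)),
                "target": (dst, images.get(dst)),
                "apis": sorted(apis),
                "target_hides_from_debugger":
                    "NtSetInformationThreadHideFromDebugger" in own[dst],
            })
    return findings


def match_md5_candidate(md5_hex, candidates=("123456", "password", "admin", "bitrat")):
    """Return the candidate string whose MD5 equals md5_hex, or None.

    The candidate list is constructed for this example; the report's
    communication_password value is the MD5 of "123456".
    """
    target = md5_hex.strip().lower()
    for c in candidates:
        if hashlib.md5(c.encode()).hexdigest() == target:
            return c
    return None


if __name__ == "__main__":
    for f in detect_hollowing(parse_rows(SAMPLE_ROWS)):
        print(f)
    print(match_md5_candidate("e10adc3949ba59abbe56e057f20f883e"))
```

On a real endpoint the same pairing logic applies to Sysmon event ID 8 (CreateRemoteThread) or EDR API telemetry keyed on source and target PID; the point of requiring both APIs against one target is to avoid alerting on debuggers and legitimate tooling that only read or write remote memory.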