HCrypt Injecting BitRAT using PowerShell, HTAs, and .NET
Tags
Common Information
Type | Value |
---|---|
UUID | c828f9ac-f3c4-4cdb-be44-1cc4154d4b03 |
Fingerprint | c50023129be42f6 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Jan. 23, 2022, midnight |
Added to db | Sept. 26, 2022, 9:34 a.m. |
Last updated | Nov. 17, 2024, 7:44 p.m. |
Headline | HCrypt Injecting BitRAT using PowerShell, HTAs, and .NET |
Title | HCrypt Injecting BitRAT using PowerShell, HTAs, and .NET |
Detected Hints/Tags/Attributes | 58/2/26 |
Source URLs
Redirection | Url |
---|---|
Source | https://forensicitguy.github.io/hcrypt-injecting-bitrat-analysis/ |
URL Provider
Attributes
Type | #Events | CTI | Value |
---|---|---|---|
Domain | 93 | | bazaar.abuse.ch |
Domain | 1 | | hbbb.run |
Domain | 7 | | system.io.directory |
Domain | 285 | | microsoft.net |
Domain | 247 | | www.virusbulletin.com |
Domain | 4127 | | github.com |
Domain | 1 | | malware.win |
File | 40 | | aspnet_compiler.exe |
File | 1 | | ps1_b.txt |
File | 1 | | s_b.txt |
File | 1 | | unmanagedtype.vb |
File | 44 | | payload.bin |
Github username | 1 | | ditekshen |
md5 | 1 | | e47b1f77a31d1d91625997da66bb1a94 |
md5 | 1 | | 71955ccbbcbb24efa9f89785e7cce225 |
sha1 | 1 | | e29f96b7032e2e8447cd5ae6f8aaf0ac85db8cb9 |
sha256 | 1 | | f30cba9be2a7cf581939e7e7b958d5e0554265a685b3473947bf2c26679995d3 |
sha256 | 1 | | 183809b333c8afcea627e845f08f56131ca63fe592498685d93d305207e6c07c |
IPv4 | 1 | | 135.148.74.241 |
IPv4 | 109 | | 1.0.0.0 |
Url | 1 | | https://bazaar.abuse.ch/sample/f30cba9be2a7cf581939e7e7b958d5e0554265a685b3473947bf2c26679995d3 |
Url | 1 | | http://135.148.74.241/ps1_b.txt |
Url | 1 | | http://135.148.74.241/s_b.txt |
Url | 2 | | https://www.virusbulletin.com/virusbulletin/2015/06/using-net-guids-help-hunt-malware |
Url | 1 | | https://github.com/ditekshen/detection/blob/master/yara/malware.yar |
Yara rule | 1 | | MALWARE_Win_BitRAT (rule text below) |

Yara rule attribute (the rule as recorded on this page, reflowed for readability):

```yara
rule MALWARE_Win_BitRAT {
    meta:
        author = "ditekSHen"
        description = "Detects BitRAT RAT"
        clamav_sig = "MALWARE.Win.Trojan.BitRAT"
    strings:
        $s1 = "\\plg\\" ascii fullword
        $s2 = "klgoff_del" ascii fullword
        $s3 = "files_delete"
        $s4 = "files_zip_start" ascii fullword
        $s5 = "files_exec" ascii fullword
        $s6 = "drives_get" ascii fullword
        $s7 = "srv_list" ascii fullword
        $s8 = "con_list" ascii fullword
        $s9 = "ddos_stop" ascii fullword
        $s10 = "socks5_srv_start" ascii fullword
        $s11 = "/getUpdates?offset=" ascii fullword
        $s12 = "Action: /dlex" ascii fullword
        $s13 = "Action: /clsbrw" ascii fullword
        $s14 = "Action: /usb" ascii fullword
        $s15 = "/klg" ascii fullword
        $s16 = "klg|" ascii fullword
        $s17 = "Slowloris" ascii fullword
        $s18 = "Bot ID:"
        $t1 = "<sz>N/A</sz>" ascii fullword
        $t2 = "<silent>N/A</silent>" ascii fullword
    condition:
        uint16(0) == 0x5a4d and (7 of ($s*) or (4 of ($s*) and 1 of ($t*)))
}
```