Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    14-01-2021 06:56

General

  • Target

    NEED DRAFT discounting bank name & price LC USD48942631xls.exe

  • Size

    8.8MB

  • MD5

    27193c475f1439de214dbfe9c7b2c928

  • SHA1

    4015a10b7970ddaf78ef79d3f4562ad6c65f9ff6

  • SHA256

    77993430a884344d7de54e69aa1d4b4e0fc81327f3cf7c8d39b5aba710518fa3

  • SHA512

    afac86ff53797cdaa759b548da33ecdcd026567e4e3006df8b52ab6657514d32133b3c6f06106cba4b7fa1751ad4ae38346567b208cedba2ee56ed533c53f029

Score
10/10

Malware Config

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • BitRAT Payload (3 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (5 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEED DRAFT discounting bank name & price LC USD48942631xls.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEED DRAFT discounting bank name & price LC USD48942631xls.exe"
    Depth: 1
    PID: 848
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\dllhost.exe
      Command line: "C:\Windows\SysWOW64\dllhost.exe"
      Depth: 2 (child of PID 848)
      PID: 1216
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1216-3-0x000000000068116D-mapping.dmp
  • memory/1216-2-0x0000000000400000-0x00000000007C1000-memory.dmp (Filesize: 3.8MB)
  • memory/1216-4-0x0000000000400000-0x00000000007C1000-memory.dmp (Filesize: 3.8MB)
  • memory/1216-5-0x00000000000A0000-0x00000000000A1000-memory.dmp (Filesize: 4KB)
  • memory/1216-6-0x00000000000A0000-0x00000000000A1000-memory.dmp (Filesize: 4KB)
  • memory/1216-7-0x00000000000A0000-0x00000000000A1000-memory.dmp (Filesize: 4KB)
  • memory/1216-8-0x00000000000A0000-0x00000000000A1000-memory.dmp (Filesize: 4KB)