Overview

overview

10

Static

static

pob.exe

windows7_x64

pob.exe

windows10_x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    pob.exe

  • Size

    66KB

  • Sample

    210227-hnmlqb2h1a

  • MD5

    083e61fc5f310a663f5253286735d36e

  • SHA1

    a4f6ae6c3eaa32d21831af0d4001d44c0c2f7083

  • SHA256

    2a2ce0aca043486b9b1995b262cd4611b1376fc4b18440d7d4b3ee8cfff2c76a

  • SHA512

    32ea2de1f5e195efb1aad00b9812eda6ee962bd0e3146d813b630e614a6c8d4b363ee1eaba3b610d63852a1b4e6cf7036bc7ac99be959cf215d61389f8caf82f

Score
10/10
bitratbootkitransomwaretrojan

Malware Config

Targets

    • Target

      pob.exe

    • Size

      66KB

    • MD5

      083e61fc5f310a663f5253286735d36e

    • SHA1

      a4f6ae6c3eaa32d21831af0d4001d44c0c2f7083

    • SHA256

      2a2ce0aca043486b9b1995b262cd4611b1376fc4b18440d7d4b3ee8cfff2c76a

    • SHA512

      32ea2de1f5e195efb1aad00b9812eda6ee962bd0e3146d813b630e614a6c8d4b363ee1eaba3b610d63852a1b4e6cf7036bc7ac99be959cf215d61389f8caf82f

    Score
    10/10
    bitrattrojanbootkitransomware

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

      trojanbitrat

    • BitRAT Payload

    • Beds Protector Packer

      Detects Beds Protector packer used to load .NET malware.

    • Modifies WinLogon to allow AutoLogon

      Enables rebooting of the machine without requiring login credentials.

      ransomwarebootkit

    • Drops startup file

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks