Overview

overview

10

Static

static

2566ee6169...9d.exe

windows7_x64

10

2566ee6169...9d.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    02-03-2021 20:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2566ee6169d8c8be07d673be7819aa9d.exe

  • Size

    4.9MB

  • MD5

    2566ee6169d8c8be07d673be7819aa9d

  • SHA1

    fc46a50a38738208f67294e3a283782864d0ed04

  • SHA256

    0a3572f48d77e2fc47735dedb2bdc2592ed3b0f60bcc88f30afe184aa545f080

  • SHA512

    a4c674f0bbe58b0229f22ad8fb0133410a2ddbcc04d705da27d014283b677c1ff934ce004dfb6e4ef4ff61e24b75459a55d766d33c5b3e7480ed945360d98888

Score
10/10
bitratxenarmorpasswordpersistencerecoveryspywaretrojanupx

Malware Config

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • BitRAT Payload 3 IoCs
  • XenArmor Suite

    XenArmor is as suite of password recovery tools for various application.

    recoverypasswordxenarmor
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2566ee6169d8c8be07d673be7819aa9d.exe
    "C:\Users\Admin\AppData\Local\Temp\2566ee6169d8c8be07d673be7819aa9d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3152
    • C:\Users\Admin\AppData\Local\Temp\2566ee6169d8c8be07d673be7819aa9d.EXE
      "C:\Users\Admin\AppData\Local\Temp\2566ee6169d8c8be07d673be7819aa9d.EXE"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Users\Admin\AppData\Local\Temp\2566ee6169d8c8be07d673be7819aa9d.exe
        -a "C:\Users\Admin\AppData\Local\ca4ef769\plg\COvdloDb.json"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Users\Admin\AppData\Local\Temp\2566ee6169d8c8be07d673be7819aa9d.exe
          -a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
          4⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\License.XenArmor
    MD5

    4f3bde9212e17ef18226866d6ac739b6

    SHA1

    732733bec8314beb81437e60876ffa75e72ae6cd

    SHA256

    212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174

    SHA512

    10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\License.XenArmor
    MD5

    bf5da170f7c9a8eae88d1cb1a191ff80

    SHA1

    dd1b991a1b03587a5d1edc94e919a2070e325610

    SHA256

    e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd

    SHA512

    9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Unknown.dll
    MD5

    86114faba7e1ec4a667d2bcb2e23f024

    SHA1

    670df6e1ba1dc6bece046e8b2e573dd36748245e

    SHA256

    568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

    SHA512

    d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\unk.xml
    MD5

    77e6621fd939338d3f19f3dd948ecf43

    SHA1

    53df8b3a76c5d6c35a99aa7759ff3bd7ec46588c

    SHA256

    9cb90c1d5c31396519b1f6c73899c062b6ccbd9a8cfc7c0bb054fe88c7825867

    SHA512

    6e812be4c3b958f0497f91e0eb2e8b77d4a13e2b7af750a30ec9bff3dde09a233b5510ee6333a9ab3182c11ab6c3d38789921d517449c6a03164e216cee43c4f

    Download Submit
  • C:\Users\Admin\AppData\Local\ca4ef769\plg\COvdloDb.json
    MD5

    77e6621fd939338d3f19f3dd948ecf43

    SHA1

    53df8b3a76c5d6c35a99aa7759ff3bd7ec46588c

    SHA256

    9cb90c1d5c31396519b1f6c73899c062b6ccbd9a8cfc7c0bb054fe88c7825867

    SHA512

    6e812be4c3b958f0497f91e0eb2e8b77d4a13e2b7af750a30ec9bff3dde09a233b5510ee6333a9ab3182c11ab6c3d38789921d517449c6a03164e216cee43c4f

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Unknown.dll
    MD5

    86114faba7e1ec4a667d2bcb2e23f024

    SHA1

    670df6e1ba1dc6bece046e8b2e573dd36748245e

    SHA256

    568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

    SHA512

    d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

    Download Submit
  • memory/2192-5-0x0000000000689A84-mapping.dmp
    Download
  • memory/2192-6-0x0000000000400000-0x00000000007CD000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/2192-4-0x0000000000400000-0x00000000007CD000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/2772-7-0x0000000000400000-0x00000000008DC000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/2772-9-0x0000000000400000-0x00000000008DC000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/2772-8-0x00000000008D9FE0-mapping.dmp
    Download
  • memory/3836-11-0x00000000006FC1D0-mapping.dmp
    Download
  • memory/3836-15-0x0000000000400000-0x00000000006FE000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/3836-10-0x0000000000400000-0x00000000006FE000-memory.dmp
    Filesize

    3.0MB

    Download