Overview

overview

10

Static

static

8

af05a9b5f7...91.exe

windows7_x64

10

af05a9b5f7...91.exe

windows10_x64

10

Analysis

  • max time kernel
    141s
  • max time network
    134s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    05-03-2021 10:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe

  • Size

    3.2MB

  • MD5

    d1a586b0b894c54dd7b075e5a9bbae85

  • SHA1

    c77b27b7cc3bc69b867fb2527d8226030665074f

  • SHA256

    af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991

  • SHA512

    0adc5cf09b3d4dc0228d6dfdd46bef1b54cde2f5d533d86ba07c5970ef69e5296bf44b24daff34682a75f47e56d79da13e6927b0c220de64ef6ba4c2d71440c1

Score
10/10
bitrattrojan

Malware Config

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • BitRAT Payload 1 IoCs
  • Drops startup file 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
    "C:\Users\Admin\AppData\Local\Temp\af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Users\Admin\AppData\Local\Temp\af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe
      "C:\Users\Admin\AppData\Local\Temp\af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1364
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
    1⤵
    • Drops startup file
    PID:2180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1108-2-0x0000000000C40000-0x0000000000CBB000-memory.dmp
    Filesize

    492KB

    Download
  • memory/1108-5-0x00000000024B0000-0x000000000263E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1364-3-0x0000000000000000-mapping.dmp
    Download
  • memory/1364-8-0x00000000001C0000-0x00000000001C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1364-7-0x0000000000400000-0x00000000007CD000-memory.dmp
    Filesize

    3.8MB

    Download