Overview

overview

10

Static

static

PaymentSwift copy.exe

windows7_x64

10

PaymentSwift copy.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PaymentSwift copy.exe

  • Size

    3.4MB

  • Sample

    210419-dffy2qf11n

  • MD5

    83dd88ad8154ed07ee4bd902eb84eb2c

  • SHA1

    d6c01ef92834da8a376b555eb9f6da469d3515fc

  • SHA256

    b16c4aa0a8ec4b2fc3c6f5323a3bb35f9c4d26c97aeaff4aa874507ffb3339e3

  • SHA512

    4064cce0cdc088b0e9611182e9a4e7d02fc01531498743458024ed40de78af6e9b827a14284627b9c33111e8bf5347e6378426b27a1c989fd8c90f294bdb1af9

Score
10/10
bitratpersistencetrojan

Malware Config

Targets

    • Target

      PaymentSwift copy.exe

    • Size

      3.4MB

    • MD5

      83dd88ad8154ed07ee4bd902eb84eb2c

    • SHA1

      d6c01ef92834da8a376b555eb9f6da469d3515fc

    • SHA256

      b16c4aa0a8ec4b2fc3c6f5323a3bb35f9c4d26c97aeaff4aa874507ffb3339e3

    • SHA512

      4064cce0cdc088b0e9611182e9a4e7d02fc01531498743458024ed40de78af6e9b827a14284627b9c33111e8bf5347e6378426b27a1c989fd8c90f294bdb1af9

    Score
    10/10
    bitratpersistencetrojan

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

      trojanbitrat

    • BitRAT Payload

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks