Overview

overview

10

Static

static

comparendo...co.exe

windows7_x64

8

comparendo...co.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    comparendopicoycedula365215999runtcomco.exe

  • Size

    2.3MB

  • Sample

    210420-nc34wpgble

  • MD5

    44bc0732e9c6deb1f912ddbd055efac3

  • SHA1

    99f1c521d68f068c735c842504f01f5678ddb157

  • SHA256

    368e9e3d450bae08f20e5ab0937dcd47a03835daabe900ddf87c746fb99a50fb

  • SHA512

    a4a7077d06b2c1059c48abb2ea9ce1c669214e4621e3bf9cfc35b67a4411a22d60d4019588c47e0b9a2b3d2d5e06a427417598cd5183a9a8be0bb33a227d7d2a

Score
10/10
bitratpersistencetrojanupx

Malware Config

Targets

    • Target

      comparendopicoycedula365215999runtcomco.exe

    • Size

      2.3MB

    • MD5

      44bc0732e9c6deb1f912ddbd055efac3

    • SHA1

      99f1c521d68f068c735c842504f01f5678ddb157

    • SHA256

      368e9e3d450bae08f20e5ab0937dcd47a03835daabe900ddf87c746fb99a50fb

    • SHA512

      a4a7077d06b2c1059c48abb2ea9ce1c669214e4621e3bf9cfc35b67a4411a22d60d4019588c47e0b9a2b3d2d5e06a427417598cd5183a9a8be0bb33a227d7d2a

    Score
    10/10
    persistenceupxbitrattrojan

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

      trojanbitrat

    • BitRAT Payload

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks