Overview

overview

10

Static

static

43e0eed9a4...b1.exe

windows7_x64

10

43e0eed9a4...b1.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    20-12-2021 20:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    43e0eed9a47f0eb655af50a9aacd02b1.exe

  • Size

    2.0MB

  • MD5

    43e0eed9a47f0eb655af50a9aacd02b1

  • SHA1

    6dbc00b84c23fc44857bd81cc69fe62430bf9c82

  • SHA256

    b67e1dc98007c0bf5afa9ca1f840de158cb01eedbce373d791b80059de98b011

  • SHA512

    12c160f00b6a50ed84d4e3d90971cad17d67048e291210bef2e8bff8bb8acbfc18f0de26284e1f5289f9612c3efcd1659068f886404cd0e21487a9a109207f75

Score
10/10
bitratsuricatatrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

107.172.44.141:2030

Attributes
  • communication_password

    5f4dcc3b5aa765d61d8327deb882cf99

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    suricata
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43e0eed9a47f0eb655af50a9aacd02b1.exe
    "C:\Users\Admin\AppData\Local\Temp\43e0eed9a47f0eb655af50a9aacd02b1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aDqFLFeDN.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3540
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aDqFLFeDN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3EDA.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4044
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
        PID:1912
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        2⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1244

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp3EDA.tmp
      MD5

      59c56295916f7c9741872d4c23ffd746

      SHA1

      9e20db52e5aa6406ca43446ffc75a17be6466885

      SHA256

      bf4c1dbdcee250afc94b6ad07519f8b73a2854ade6ecacaef45c42d1d6209bd3

      SHA512

      a3252e1b712a0dc91309194a7e0f1560da11940128227e8cdf21d49daa211cb4e21234241e59ecb1c30ebbba7218c3382fc48d35020e17573a0349d069363266

      Download Submit
    • memory/1244-144-0x0000000000400000-0x00000000007E4000-memory.dmp
      Filesize

      3.9MB

      Download
    • memory/1244-133-0x00000000007E2730-mapping.dmp
      Download
    • memory/1244-132-0x0000000000400000-0x00000000007E4000-memory.dmp
      Filesize

      3.9MB

      Download
    • memory/1244-134-0x0000000000400000-0x00000000007E4000-memory.dmp
      Filesize

      3.9MB

      Download
    • memory/2736-119-0x0000000004E30000-0x0000000004E31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2736-122-0x00000000083B0000-0x00000000083B8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2736-123-0x00000000083C0000-0x00000000083C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2736-124-0x00000000084E0000-0x00000000086EE000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/2736-121-0x0000000008440000-0x0000000008441000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2736-120-0x0000000004E00000-0x00000000052FE000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/2736-115-0x00000000003F0000-0x00000000003F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2736-118-0x0000000004EA0000-0x0000000004EA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2736-117-0x0000000005300000-0x0000000005301000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3540-135-0x0000000007840000-0x0000000007841000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3540-141-0x0000000008100000-0x0000000008101000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3540-130-0x0000000004DC0000-0x0000000004DC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3540-128-0x0000000004C70000-0x0000000004C71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3540-127-0x0000000004C70000-0x0000000004C71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3540-237-0x0000000004F23000-0x0000000004F24000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3540-136-0x0000000008130000-0x0000000008131000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3540-137-0x00000000078E0000-0x00000000078E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3540-138-0x00000000081D0000-0x00000000081D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3540-139-0x0000000004F20000-0x0000000004F21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3540-140-0x0000000004F22000-0x0000000004F23000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3540-131-0x0000000007990000-0x0000000007991000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3540-142-0x0000000008AF0000-0x0000000008AF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3540-143-0x0000000008860000-0x0000000008861000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3540-125-0x0000000000000000-mapping.dmp
      Download
    • memory/3540-145-0x0000000004C70000-0x0000000004C71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3540-154-0x00000000099B0000-0x00000000099E3000-memory.dmp
      Filesize

      204KB

      Download
    • memory/3540-161-0x0000000009990000-0x0000000009991000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3540-166-0x0000000009AF0000-0x0000000009AF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3540-167-0x0000000009CC0000-0x0000000009CC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3540-236-0x000000007E490000-0x000000007E491000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4044-126-0x0000000000000000-mapping.dmp
      Download