General
-
Target
Cerere de oferta Startgroup S.R.L.22.12.2021.xlsm
-
Size
47KB
-
Sample
211223-kjqnqsabal
-
MD5
7fd22cdd775e68e4a9c5936f88e66005
-
SHA1
43f5299aba24a6237b6fa23719f5df18364bb102
-
SHA256
4e6e3f83a3a2be86a9e2ce6ee9397ef59d30fdc6d2661ffbc50e0053cc670a4b
-
SHA512
0fda180f318156fcf383cc3f560d2daff17a491ce98c4f1a77795537f38564d4e126748b059c020109f79050358dd9c69650644b01c18c341cc2326ffbe86f3e
Malware Config
Extracted
http://ddl8.data.hu/get/283078/13125554/jogb.exe
Targets
-
-
Target
Cerere de oferta Startgroup S.R.L.22.12.2021.xlsm
-
Size
47KB
-
MD5
7fd22cdd775e68e4a9c5936f88e66005
-
SHA1
43f5299aba24a6237b6fa23719f5df18364bb102
-
SHA256
4e6e3f83a3a2be86a9e2ce6ee9397ef59d30fdc6d2661ffbc50e0053cc670a4b
-
SHA512
0fda180f318156fcf383cc3f560d2daff17a491ce98c4f1a77795537f38564d4e126748b059c020109f79050358dd9c69650644b01c18c341cc2326ffbe86f3e
Score10/10-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
BitRAT Payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Deletes itself
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-