General
-
Target
Cerere de oferta Startgroup S.R.L.22-12-2021.xlsm
-
Size
47KB
-
Sample
211223-kjqnqshdb4
-
MD5
5376f38c61fd06af4227f763fb9a9b91
-
SHA1
23c4a46e61879a1c4bf2fc2aff5d82f6c4db4e2b
-
SHA256
c85ab0293b67d28032dcd903ce9f7eba5ded834c6f831b04ab829f636a936b7b
-
SHA512
4cbca9dc972b8519d993c56de8b4f9dec4f4591eb7cb1c33f0716d7c17e93aeb1d3e849bdc7a9cd56e33a9a68afcc422b4be1981b78165e0a5daf86cd9d80c96
Malware Config
Extracted
http://ddl8.data.hu/get/283078/13125554/jogb.exe
Targets
-
-
Target
Cerere de oferta Startgroup S.R.L.22-12-2021.xlsm
-
Size
47KB
-
MD5
5376f38c61fd06af4227f763fb9a9b91
-
SHA1
23c4a46e61879a1c4bf2fc2aff5d82f6c4db4e2b
-
SHA256
c85ab0293b67d28032dcd903ce9f7eba5ded834c6f831b04ab829f636a936b7b
-
SHA512
4cbca9dc972b8519d993c56de8b4f9dec4f4591eb7cb1c33f0716d7c17e93aeb1d3e849bdc7a9cd56e33a9a68afcc422b4be1981b78165e0a5daf86cd9d80c96
Score10/10-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
BitRAT Payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Deletes itself
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-