Overview

overview

10

Static

static

0b032e83c3...42.exe

windows7_x64

10

0b032e83c3...42.exe

windows10_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    30-12-2021 08:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b032e83c3a78f61fa3bf9cebd5a0242.exe

  • Size

    4.5MB

  • MD5

    0b032e83c3a78f61fa3bf9cebd5a0242

  • SHA1

    f39705cde333b8c104f0a0381aa85de5a9d40e23

  • SHA256

    4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec

  • SHA512

    776674d9a1e9ec68dd4f2a3d4deaf7eec921b3a306874f15956a70491bf6bb166d7994039dc724afcc1e1ed9150a91116965a79e8a320e37dced402d258e5a77

Score
10/10
bitratsuricatatrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

queentaline.ddns.net:1117

Attributes
  • communication_password

    202cb962ac59075b964b07152d234b70

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    suricata
  • Deletes itself 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b032e83c3a78f61fa3bf9cebd5a0242.exe
    "C:\Users\Admin\AppData\Local\Temp\0b032e83c3a78f61fa3bf9cebd5a0242.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1072
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tXqdqvrsfx.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1424
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXqdqvrsfx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7455.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1832
    • C:\Users\Admin\AppData\Local\Temp\0b032e83c3a78f61fa3bf9cebd5a0242.exe
      "C:\Users\Admin\AppData\Local\Temp\0b032e83c3a78f61fa3bf9cebd5a0242.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LlCcXejT.bat" "
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1060
        • C:\Windows\system32\timeout.exe
          timeout /t 5 /nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\LlCcXejT.bat
    MD5

    0f47fb63e9b37f28c2d4e6cd639b1c60

    SHA1

    39aa3f99db8682699c3b975b184680d2158dc139

    SHA256

    997d8b30047c56a015c160c4e5a13c0665e61d37f0e3a2afd11e170dde496766

    SHA512

    8baefd7eae030494aa5af0030536b8ca73c928e0607b4c1ddd916e4fd3ec035cd7d1e9b30f99cd8c0631437f04747b7c2f407500ba19d5c525a4f940a27b71aa

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp7455.tmp
    MD5

    7bfa369ed377dd654741a63e155b2d46

    SHA1

    0756fa9b5cb93fbbe8dd64192733daac003ee5d1

    SHA256

    1536acf67823246265139db03f74714777cb498b211d4c177ff00a916deea65b

    SHA512

    16df41510f091628c06973ee8925fc702ec65c4c6072b5320c2019ffeee9cb1a29d0f573a743b40c5405de6d2ab2138d42ae8aaf3cbf0f470ca2215de33b34fd

    Download Submit
  • memory/884-80-0x0000000000000000-mapping.dmp
    Download
  • memory/1060-78-0x0000000000000000-mapping.dmp
    Download
  • memory/1072-54-0x0000000000A90000-0x0000000000F1E000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/1072-55-0x0000000000A90000-0x0000000000F1E000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/1072-56-0x0000000075D61000-0x0000000075D63000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1072-57-0x0000000004F30000-0x0000000004F31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1072-58-0x0000000000550000-0x0000000000560000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1072-59-0x0000000009660000-0x0000000009B8C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/1112-73-0x000000000068A488-mapping.dmp
    Download
  • memory/1112-72-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1112-67-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1112-68-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1112-69-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1112-70-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1112-71-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1112-66-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1112-64-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1112-76-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1424-75-0x0000000002400000-0x000000000304A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/1424-77-0x0000000002400000-0x000000000304A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/1424-65-0x0000000002400000-0x000000000304A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/1424-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1832-61-0x0000000000000000-mapping.dmp
    Download