Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    05-01-2022 12:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2b82105ff0273e98abbfa2708e7b25dcb5eebab0344a3de1fd9bcfd841281912.exe

  • Size

    4.2MB

  • MD5

    99e35efb08a65b2cd59aa0cc8e27a64d

  • SHA1

    c24cd0527cbef8c76fbe386ce81cc844cc5acb36

  • SHA256

    2b82105ff0273e98abbfa2708e7b25dcb5eebab0344a3de1fd9bcfd841281912

  • SHA512

    029ef3b887f3683142ba18c5c72cfcd17931f63bc4397f5942370427b4a4c7fc1ee22789254da525c57dfc4a6d1818f12cc65cc3a4bec79fd2efffb17bc106f2

Score
10/10
bitratpersistencesuricatatrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

91.243.32.131:80

Attributes
  • communication_password

    202cb962ac59075b964b07152d234b70

  • install_dir

    Defenderzone

  • install_file

    syspro.exe

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    suricata
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b82105ff0273e98abbfa2708e7b25dcb5eebab0344a3de1fd9bcfd841281912.exe
    "C:\Users\Admin\AppData\Local\Temp\2b82105ff0273e98abbfa2708e7b25dcb5eebab0344a3de1fd9bcfd841281912.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4108-115-0x0000000000400000-0x0000000000807000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/4108-116-0x0000000000400000-0x0000000000807000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/4108-117-0x00000000001E0000-0x00000000001E2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4108-118-0x0000000000400000-0x0000000000807000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/4108-119-0x0000000000400000-0x0000000000807000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/4108-120-0x0000000000401000-0x00000000006E0000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/4108-121-0x00000000761D0000-0x0000000076392000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4108-122-0x0000000000401000-0x00000000006E0000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/4108-123-0x0000000002430000-0x0000000002476000-memory.dmp
    Filesize

    280KB

    Download
  • memory/4108-124-0x0000000000401000-0x00000000006E0000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/4108-125-0x0000000076570000-0x0000000076661000-memory.dmp
    Filesize

    964KB

    Download