Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    06-01-2022 20:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    32ca272da062d0997c8131b5488af9858420cb97ab7d67fb911afc37d45e4788.exe

  • Size

    2.2MB

  • MD5

    4136661e8a9689aca8802518294b02fe

  • SHA1

    3f43207a00cd456fd54e783e95b20a849c09961b

  • SHA256

    32ca272da062d0997c8131b5488af9858420cb97ab7d67fb911afc37d45e4788

  • SHA512

    6d9290a19be178c2e561bb9209ee5bf7309a8d89922ebc3cc200756d6e85058aedce1a3df6c45149f2c677f61c98b8fee943d31807aece251799710ae42ec82e

Score
10/10
bitratpersistencesuricatatrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

91.243.32.131:80

Attributes
  • communication_password

    202cb962ac59075b964b07152d234b70

  • install_dir

    Defenderzone

  • install_file

    syspro.exe

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    suricata
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\32ca272da062d0997c8131b5488af9858420cb97ab7d67fb911afc37d45e4788.exe
    "C:\Users\Admin\AppData\Local\Temp\32ca272da062d0997c8131b5488af9858420cb97ab7d67fb911afc37d45e4788.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/748-115-0x00000000025C0000-0x0000000002606000-memory.dmp
    Filesize

    280KB

    Download
  • memory/748-116-0x0000000000400000-0x0000000000831000-memory.dmp
    Filesize

    4.2MB

    Download
  • memory/748-117-0x0000000000400000-0x0000000000831000-memory.dmp
    Filesize

    4.2MB

    Download
  • memory/748-118-0x00000000001E0000-0x00000000001E2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/748-119-0x0000000000400000-0x0000000000831000-memory.dmp
    Filesize

    4.2MB

    Download
  • memory/748-120-0x0000000000401000-0x00000000006E0000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/748-121-0x00000000759A0000-0x0000000075B62000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/748-122-0x0000000000401000-0x00000000006E0000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/748-123-0x0000000000401000-0x00000000006E0000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/748-124-0x0000000074E00000-0x0000000074EF1000-memory.dmp
    Filesize

    964KB

    Download
  • memory/748-125-0x00000000750B0000-0x0000000075634000-memory.dmp
    Filesize

    5.5MB

    Download