Overview

overview

10

Static

static

Document.exe

windows7_x64

10

Document.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    12-01-2022 17:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Document.exe

  • Size

    435KB

  • MD5

    12103b3952c09d930bf11af9df5b3ac4

  • SHA1

    914ec6513405dfe91192ed9ae2e82c9fe32c366a

  • SHA256

    4da51788f3414e7329cf4b720086550d686fa3d557c86b573a1eb0b218403c5f

  • SHA512

    a7c09de2b7d617b780238df68abf5d6c80b791af8da4d32eb56f96efe1c03cbb46c5332ed287dd8a32bd42f76d17b19b442bb854f3dbd03f80b3ebb377680064

Score
10/10
bitratsuricatatrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

covid1987.ddns.net:9090

Attributes
  • communication_password

    b4df9f494056d51f86c7f1a89850c467

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    suricata
  • Downloads MZ/PE file
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Document.exe
    "C:\Users\Admin\AppData\Local\Temp\Document.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/792-55-0x0000000000D50000-0x0000000000DC4000-memory.dmp
    Filesize

    464KB

    Download
  • memory/792-56-0x0000000000D50000-0x0000000000DC4000-memory.dmp
    Filesize

    464KB

    Download
  • memory/792-57-0x0000000075321000-0x0000000075323000-memory.dmp
    Filesize

    8KB

    Download
  • memory/792-58-0x0000000004D60000-0x0000000004D61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/792-59-0x0000000004D65000-0x0000000004D76000-memory.dmp
    Filesize

    68KB

    Download
  • memory/792-60-0x00000000009F0000-0x0000000000A16000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1148-61-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1148-62-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1148-63-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1148-64-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1148-65-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1148-66-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1148-67-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1148-68-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1148-69-0x000000000068A488-mapping.dmp
    Download
  • memory/1148-71-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1148-72-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

    Download