Document.exe
Size | 435KB |
Date | 12-01-2022 17:49 |
MD5 | 12103b3952c09d930bf11af9df5b3ac4 |
SHA1 | 914ec6513405dfe91192ed9ae2e82c9fe32c366a |
SHA256 | 4da51788f3414e7329cf4b720086550d686fa3d557c86b573a1eb0b218403c5f |
Extracted
Family | bitrat |
Version | 1.38 |
C2 | covid1987.ddns.net:9090 |
Attribute: communication_password | b4df9f494056d51f86c7f1a89850c467 |
Attribute: tor_process | tor |
-
BitRAT
Description
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
-
Downloads MZ/PE file
-
Suspicious use of NtSetInformationThreadHideFromDebugger (RegAsm.exe)
Reported IOCs
pid | process |
1148 | RegAsm.exe |
(this entry is reported 5 times)
-
Suspicious use of SetThreadContext (Document.exe)
Reported IOCs
description | pid | process | target process |
PID 792 set thread context of 1148 | 792 | Document.exe | RegAsm.exe |
-
Suspicious use of AdjustPrivilegeToken (Document.exe, RegAsm.exe)
Reported IOCs
description | pid | process |
Token: SeDebugPrivilege | 792 | Document.exe |
Token: SeDebugPrivilege | 1148 | RegAsm.exe |
Token: SeShutdownPrivilege | 1148 | RegAsm.exe |
-
Suspicious use of SetWindowsHookEx (RegAsm.exe)
Reported IOCs
pid | process |
1148 | RegAsm.exe |
(this entry is reported 2 times)
-
Suspicious use of WriteProcessMemory (Document.exe)
Reported IOCs
description | pid | process | target process |
PID 792 wrote to memory of 1148 | 792 | Document.exe | RegAsm.exe |
(this entry is reported 15 times)
-
Process | C:\Users\Admin\AppData\Local\Temp\Document.exe |
Command line | "C:\Users\Admin\AppData\Local\Temp\Document.exe" |
Signatures | Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory |
-
Process | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Command line | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
Signatures | Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx |
-
memory/792-55-0x0000000000D50000-0x0000000000DC4000-memory.dmp
-
memory/792-56-0x0000000000D50000-0x0000000000DC4000-memory.dmp
-
memory/792-57-0x0000000075321000-0x0000000075323000-memory.dmp
-
memory/792-58-0x0000000004D60000-0x0000000004D61000-memory.dmp
-
memory/792-59-0x0000000004D65000-0x0000000004D76000-memory.dmp
-
memory/792-60-0x00000000009F0000-0x0000000000A16000-memory.dmp
-
memory/1148-63-0x0000000000400000-0x00000000007CE000-memory.dmp
-
memory/1148-62-0x0000000000400000-0x00000000007CE000-memory.dmp
-
memory/1148-61-0x0000000000400000-0x00000000007CE000-memory.dmp
-
memory/1148-64-0x0000000000400000-0x00000000007CE000-memory.dmp
-
memory/1148-65-0x0000000000400000-0x00000000007CE000-memory.dmp
-
memory/1148-66-0x0000000000400000-0x00000000007CE000-memory.dmp
-
memory/1148-67-0x0000000000400000-0x00000000007CE000-memory.dmp
-
memory/1148-68-0x0000000000400000-0x00000000007CE000-memory.dmp
-
memory/1148-69-0x000000000068A488-mapping.dmp
-
memory/1148-71-0x0000000000400000-0x00000000007CE000-memory.dmp
-
memory/1148-72-0x0000000000400000-0x00000000007CE000-memory.dmp