Overview

overview

10

Static

static

Document.exe

windows7_x64

10

Document.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    12-01-2022 17:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Document.exe

  • Size

    435KB

  • MD5

    12103b3952c09d930bf11af9df5b3ac4

  • SHA1

    914ec6513405dfe91192ed9ae2e82c9fe32c366a

  • SHA256

    4da51788f3414e7329cf4b720086550d686fa3d557c86b573a1eb0b218403c5f

  • SHA512

    a7c09de2b7d617b780238df68abf5d6c80b791af8da4d32eb56f96efe1c03cbb46c5332ed287dd8a32bd42f76d17b19b442bb854f3dbd03f80b3ebb377680064

Score
10/10
bitratsuricatatrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

covid1987.ddns.net:9090

Attributes
  • communication_password

    b4df9f494056d51f86c7f1a89850c467

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    suricata
  • Downloads MZ/PE file
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Document.exe
    "C:\Users\Admin\AppData\Local\Temp\Document.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2160

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1572-115-0x0000000000D80000-0x0000000000DF4000-memory.dmp
    Filesize

    464KB

    Download
  • memory/1572-116-0x0000000000D80000-0x0000000000DF4000-memory.dmp
    Filesize

    464KB

    Download
  • memory/1572-117-0x0000000005D10000-0x000000000620E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1572-118-0x00000000056B0000-0x0000000005742000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1572-119-0x0000000005620000-0x000000000562A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1572-120-0x0000000005810000-0x0000000005D0E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1572-121-0x0000000005810000-0x0000000005D0E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1572-122-0x0000000007F90000-0x0000000007FB6000-memory.dmp
    Filesize

    152KB

    Download
  • memory/2160-124-0x000000000068A488-mapping.dmp
    Download
  • memory/2160-123-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/2160-125-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/2160-126-0x0000000000400000-0x00000000007CE000-memory.dmp
    Filesize

    3.8MB

    Download