Overview

overview

10

Static

static

Document.exe

windows7_x64

10

Document.exe

windows10-2004_x64

1

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    19-01-2022 14:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Document.exe

  • Size

    839KB

  • MD5

    2a5a12f5a3bc62ecd263e1ebde57cba7

  • SHA1

    f1d3ba0fc6343e145663c944e6aeebe5e96eaa6b

  • SHA256

    b93811479bf82f08e97be19c596166482cdb2b31b8762c8c310307dfd6dab61e

  • SHA512

    81657258531d71b064b749f62f6d6570c4c0478c14d67655d1565965f4b772aea82a22561d0e5dc562bfdbca85a7dda03fd95ec7b8ebc43e632b9d817435de66

Score
10/10
bitratpersistencesuricatatrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

covid66758.ddns.net:9090

Attributes
  • communication_password

    b4df9f494056d51f86c7f1a89850c467

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    suricata
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Document.exe
    "C:\Users\Admin\AppData\Local\Temp\Document.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Windows\SysWOW64\logagent.exe
      C:\Windows\System32\logagent.exe
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1296-66-0x0000000000080000-0x0000000000081000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1296-85-0x0000000072480000-0x0000000072864000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1296-88-0x0000000072480000-0x0000000072864000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1296-90-0x0000000000080000-0x0000000000081000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1296-91-0x00000000000C0000-0x00000000000C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1296-92-0x00000000002A0000-0x00000000002A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1296-93-0x0000000072480000-0x0000000072864000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1412-54-0x0000000076851000-0x0000000076853000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1412-55-0x0000000000330000-0x0000000000331000-memory.dmp
    Filesize

    4KB

    Download