Overview

overview

10

Static

static

hta.hta

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    125s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    20-01-2022 05:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    hta.hta

  • Size

    3.6MB

  • MD5

    3aeb3119d5782739c238aa5c216f706e

  • SHA1

    68e8ce8c8a39660555661d7436d9081ec2454dfa

  • SHA256

    12138c2aca3eaebf6c6b3f1b7b24c68ea5b9d29d4e88ed8412b46b5ce8feb2bb

  • SHA512

    fe47a283d8ddd9782a7ac9e9f77c427dd528fd3e8536c3a9e32c147313df326e256f8660c6633621b7282928bd02fa2cc7019cef2030ce4c09dd551e503ea4df

Score
10/10
bitrattrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

learnatallcost2.ddns.net:9050

Attributes
  • communication_password

    4a3e00961a08879c34f91ca0070ea2f5

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\hta.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
      PID:2724
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious behavior: RenamesItself
        • Suspicious use of WriteProcessMemory
        PID:2208
        • C:\Windows\system32\mshta.exe
          mshta hta.hta
          3⤵
            PID:2936
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -nop -ep unrestricted
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3760
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              4⤵
                PID:1020
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                4⤵
                  PID:3768
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                  4⤵
                    PID:3112
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                    4⤵
                      PID:3692
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                      4⤵
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • NTFS ADS
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of SetWindowsHookEx
                      PID:2736

              Network

              MITRE ATT&CK Matrix

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                MD5

                ea6243fdb2bfcca2211884b0a21a0afc

                SHA1

                2eee5232ca6acc33c3e7de03900e890f4adf0f2f

                SHA256

                5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

                SHA512

                189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                MD5

                f93bd7d721758b9a4f242b4643201bb8

                SHA1

                f418c2a282f3f5428cdb7c9d35cca502b21aac4a

                SHA256

                48fed95ae39b31ffcdb9323cf9eb4cf2a7cbbf51773a46625365942b908866dd

                SHA512

                8b0e2bfd98a11b7944ea2a47f9d85166e85fc04970460191f761d7e0e5c079806ebcfd7ecc774ef1cb293f504a916fdbac9722b728f79b88c6ea1ce9ea9a75a6

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
                MD5

                67d41d568f596bcfe6911791c277d91c

                SHA1

                7ee59fe79785fe80ca3ff7bb763c9877e88a4480

                SHA256

                8877f6d59b190961cfc6af69df0c8a8278efd2bd7c1d89a094781475140adb98

                SHA512

                8b4b0f2f2511b1ec8f0255746e3662a778bd050a19803732bdd2ed71d5709b2c153a6c65884f86e6973422d9b207dd141868fe35f51871baf26c7661a40fb1c6

                Download Submit
              • memory/1648-185-0x0000022A48C68000-0x0000022A48C69000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1648-152-0x0000022A49B40000-0x0000022A49BB6000-memory.dmp
                Filesize

                472KB

                Download
              • memory/1648-184-0x0000022A48C66000-0x0000022A48C68000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1648-141-0x0000022A495F0000-0x0000022A4962C000-memory.dmp
                Filesize

                240KB

                Download
              • memory/1648-120-0x0000022A48C60000-0x0000022A48C62000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1648-121-0x0000022A48C63000-0x0000022A48C65000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1648-119-0x0000022A48B30000-0x0000022A48B52000-memory.dmp
                Filesize

                136KB

                Download
              • memory/2736-249-0x0000000000400000-0x00000000007E4000-memory.dmp
                Filesize

                3.9MB

                Download
              • memory/2736-251-0x0000000000400000-0x00000000007E4000-memory.dmp
                Filesize

                3.9MB

                Download
              • memory/2736-250-0x0000000000400000-0x00000000007E4000-memory.dmp
                Filesize

                3.9MB

                Download
              • memory/3760-197-0x0000028B3E330000-0x0000028B3E332000-memory.dmp
                Filesize

                8KB

                Download
              • memory/3760-240-0x0000028B3E320000-0x0000028B3E32E000-memory.dmp
                Filesize

                56KB

                Download
              • memory/3760-239-0x0000028B3E336000-0x0000028B3E338000-memory.dmp
                Filesize

                8KB

                Download
              • memory/3760-199-0x0000028B3E333000-0x0000028B3E335000-memory.dmp
                Filesize

                8KB

                Download