Analysis

max time kernel: 121s
max time network: 124s
platform: windows10_x64
resource: win10-en-20211208
submitted: 23-01-2022 10:37

Tasks

Static task: static1
Behavioral task: behavioral1
  Sample: 906704d57b43ab4f0cbb625b619c0524.exe
  Resource: win7-en-20211208 (windows7_x64)
  0 signatures, 0 seconds
General

Target: 906704d57b43ab4f0cbb625b619c0524.exe
Size: 4.1MB
MD5: 906704d57b43ab4f0cbb625b619c0524
SHA1: 5ffa166c080fc4207d5bf69a570256b090643dfb
SHA256: e4cd8a1b9e5c53eae6da80b1d3bddaa3036f9fc7229d8a0d8307e3f4927d9349
SHA512: 11aecb4c157d0b3ad2ee733105efd3aad6f7852977a5d4a8ff62b60a8727ccc9c8ac3257babdebd4936131034e9bd9e01e93df7adc186be23b7f07f1b1e02d35
Malware Config

Extracted
Family: bitrat
Version: 1.38
C2: kimonda700.duckdns.org:5858
Attributes:
  communication_password: 5604f45e9eedfa10a01bbe1ebda16726
  tor_process: tor
Signatures

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes (pid, process):
  748  906704d57b43ab4f0cbb625b619c0524.exe  (5 events)

Suspicious use of SetThreadContext (1 IoC)
Processes (description, pid, process, target process):
  PID 2808 set thread context of 748  2808  906704d57b43ab4f0cbb625b619c0524.exe  ->  906704d57b43ab4f0cbb625b619c0524.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
  Token: SeShutdownPrivilege  748  906704d57b43ab4f0cbb625b619c0524.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes (pid, process):
  2808  906704d57b43ab4f0cbb625b619c0524.exe
  748   906704d57b43ab4f0cbb625b619c0524.exe  (2 events)

Suspicious use of WriteProcessMemory (11 IoCs)
Processes (description, pid, process, target process):
  PID 2808 wrote to memory of 748  2808  906704d57b43ab4f0cbb625b619c0524.exe  ->  906704d57b43ab4f0cbb625b619c0524.exe  (11 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\906704d57b43ab4f0cbb625b619c0524.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\906704d57b43ab4f0cbb625b619c0524.exe"
   (PID 2808 per the signature rows above)
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\906704d57b43ab4f0cbb625b619c0524.exe  (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\906704d57b43ab4f0cbb625b619c0524.exe"
      (PID 748 per the signature rows above)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
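The signature rows above describe one chain: the first instance (PID 2808) spawns a second copy of the same image (PID 748), writes into it eleven times, re-points its thread context once, and the child then hides its threads from any debugger and requests SeShutdownPrivilege. The script below is an added triage example, not part of the sandbox report and not any tool's own code; it rebuilds that chain from constructed copies of the report's own rows and collects the indicators a responder would hunt for. The `IMAGES` map, the regular expressions and the `Finding` type are assumptions made for this illustration, and the C2/hash values are copied from the blocks above.

```python
"""Added triage helper: rebuild the injection chain from the flattened signature
rows above and collect the report's indicators. Not part of the sandbox report."""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE = "906704d57b43ab4f0cbb625b619c0524.exe"

# Constructed copies of the report's signature rows (same content as the page).
SET_THREAD_CONTEXT = f"PID 2808 set thread context of 748 2808 {SAMPLE} {SAMPLE}"
WRITE_PROCESS_MEMORY = " ".join(
    [f"PID 2808 wrote to memory of 748 2808 {SAMPLE} {SAMPLE}"] * 11
)
HIDE_FROM_DEBUGGER = " ".join([f"748 {SAMPLE}"] * 5)

# PID -> image name, taken from the "pid process" columns of the rows above
# (assumed complete for this report; a real tree would come from the sandbox JSON).
IMAGES = {2808: SAMPLE, 748: SAMPLE}

# Values copied from the Malware Config and General blocks above.
CONFIG = {
    "family": "bitrat",
    "version": "1.38",
    "c2": "kimonda700.duckdns.org:5858",
    "communication_password": "5604f45e9eedfa10a01bbe1ebda16726",
}
HASHES = {
    "md5": "906704d57b43ab4f0cbb625b619c0524",
    "sha1": "5ffa166c080fc4207d5bf69a570256b090643dfb",
    "sha256": "e4cd8a1b9e5c53eae6da80b1d3bddaa3036f9fc7229d8a0d8307e3f4927d9349",
}

EDGE_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")
PID_RE = re.compile(r"\b(\d+) (\S+\.exe)")


@dataclass(frozen=True)
class Finding:
    """One parent -> child injection relationship reconstructed from the rows."""
    source_pid: int
    target_pid: int
    image: str
    memory_writes: int
    context_sets: int
    target_hides_from_debugger: bool


def parse_edges(text):
    """Return (source_pid, action, target_pid) for every 'PID X ... of Y' row."""
    return [(int(s), a, int(t)) for s, a, t in EDGE_RE.findall(text)]


def hide_from_debugger_pids(text):
    """PIDs that called NtSetInformationThread(ThreadHideFromDebugger)."""
    return {int(p) for p, _ in PID_RE.findall(text)}


def find_self_injection(ctx_text, wpm_text, hide_text, images):
    """Flag a parent that both writes into a child and re-points the child's thread
    context while both run the same image: the hollowing-style pattern the
    SetThreadContext and WriteProcessMemory rows above show."""
    writes = Counter((s, t) for s, _, t in parse_edges(wpm_text))
    ctx = Counter((s, t) for s, _, t in parse_edges(ctx_text))
    hidden = hide_from_debugger_pids(hide_text)
    findings = []
    for (s, t), n_ctx in ctx.items():
        if writes[(s, t)] and s in images and images[s] == images.get(t):
            findings.append(
                Finding(s, t, images[s], writes[(s, t)], n_ctx, t in hidden)
            )
    return findings


def iocs(config=CONFIG, hashes=HASHES):
    """Hunting indicators: C2 host/port, whether it is dynamic DNS, file hashes."""
    host, port = config["c2"].rsplit(":", 1)
    return {
        "family": f"{config['family']} {config['version']}",
        "c2_host": host,
        "c2_port": int(port),
        "dynamic_dns": host.endswith(".duckdns.org"),
        "hashes": dict(hashes),
    }


if __name__ == "__main__":
    for f in find_self_injection(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY,
                                 HIDE_FROM_DEBUGGER, IMAGES):
        print(f"{f.source_pid} -> {f.target_pid} ({f.image}): "
              f"{f.memory_writes} writes, {f.context_sets} SetThreadContext, "
              f"target hides from debugger={f.target_hides_from_debugger}")
    print(iocs())
```

Two practical notes follow from the output. The C2 is a DuckDNS dynamic-DNS name, so the IP it resolves to can change at any time; hunt and block on the hostname and the Suricata "BitRAT CnC" certificate rule rather than on a resolved address. The injection target is the sample's own image, so a parent/child check that only looks for a different executable name would miss this chain; keying on WriteProcessMemory plus SetThreadContext into a child of the same image, as above, does not.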