Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    06-02-2022 15:31

General

  • Target

    RequestORDERQuote.exe

  • Size

    2.3MB

  • MD5

    3f02190df38e5dadd7e1b694f547c539

  • SHA1

    32769a00df7264940c155f9a2222812e0fbf86be

  • SHA256

    91b24eab863880a23663f812e043b6b83dab1e658b234b1b98521e28071527b9

  • SHA512

    5068205c43a7fc49fb1b0e1b48526181355e0af091b2086ab35e37a60dbb8d3136f5325b7b614402a9f52515a08e67d5255b195b71a5c5e5332a24098a9b24da

Score
10/10

Malware Config

Extracted

Family

bitrat

Version

1.35

C2

vst.fastestmaking.com:5433

Attributes
  • communication_password

    331316d4efb44682092a006307b9ae3a

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RequestORDERQuote.exe
    "C:\Users\Admin\AppData\Local\Temp\RequestORDERQuote.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3824
    • C:\Users\Admin\AppData\Local\Temp\RequestORDERQuote.exe
      C:\Users\Admin\AppData\Local\Temp\RequestORDERQuote.exe
      2⤵
        PID:1148
      • C:\Users\Admin\AppData\Local\Temp\RequestORDERQuote.exe
        C:\Users\Admin\AppData\Local\Temp\RequestORDERQuote.exe
        2⤵
          PID:2892
        • C:\Users\Admin\AppData\Local\Temp\RequestORDERQuote.exe
          C:\Users\Admin\AppData\Local\Temp\RequestORDERQuote.exe
          2⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3336
      • C:\Windows\system32\MusNotifyIcon.exe
        %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
        1⤵
        • Checks processor information in registry
        PID:3992
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k NetworkService -p
        1⤵
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        PID:4056

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3336-135-0x0000000000400000-0x00000000007CE000-memory.dmp
        Filesize

        3.8MB

      • memory/3336-136-0x0000000000400000-0x00000000007CE000-memory.dmp
        Filesize

        3.8MB

      • memory/3824-130-0x0000000000DD0000-0x0000000001022000-memory.dmp
        Filesize

        2.3MB

      • memory/3824-131-0x00000000060B0000-0x0000000006654000-memory.dmp
        Filesize

        5.6MB

      • memory/3824-132-0x0000000005A40000-0x0000000005AD2000-memory.dmp
        Filesize

        584KB

      • memory/3824-133-0x00000000032C0000-0x00000000032D1000-memory.dmp
        Filesize

        68KB

      • memory/3824-134-0x00000000059D0000-0x00000000059DA000-memory.dmp
        Filesize

        40KB