Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    10/05/2022, 10:38

General

  • Target

    481af38f33f4dc59c30d304ce466c4f0.exe

  • Size

    6.1MB

  • MD5

    481af38f33f4dc59c30d304ce466c4f0

  • SHA1

    ff0760bff63c33a71c93c84542402e8501d00627

  • SHA256

    39b2d2d422f4f87347f8b91009544a91115af8203fdb0afa7bf7f57cdec531e7

  • SHA512

    8225330df7a6f466ac9946e83cf1c50dde54cf4e330e8a1136a4837112766b3dc459ff6a6202e419e56f876986ae7549b889e8a85cbccefe6ec57dc1e7cd688e

Score
10/10

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

https.myvnc.com:9111

Attributes
  • communication_password

    c4ca4238a0b923820dcc509a6f75849b

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe
    "C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe"
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:848
    • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
      "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:940

Network


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

          Filesize

          41KB

          MD5

          6a673bfc3b67ae9782cb31af2f234c68

          SHA1

          7544e89566d91e84e3cd437b9a073e5f6b56566e

          SHA256

          978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

          SHA512

          72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

        • \Users\Admin\AppData\Local\Temp\AddInProcess32.exe

          Filesize

          41KB

          MD5

          6a673bfc3b67ae9782cb31af2f234c68

          SHA1

          7544e89566d91e84e3cd437b9a073e5f6b56566e

          SHA256

          978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

          SHA512

          72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

        • memory/848-54-0x0000000000890000-0x0000000000EB4000-memory.dmp

          Filesize

          6.1MB

        • memory/848-55-0x00000000005A0000-0x00000000005D0000-memory.dmp

          Filesize

          192KB

        • memory/848-56-0x0000000075951000-0x0000000075953000-memory.dmp

          Filesize

          8KB

        • memory/848-57-0x00000000004B0000-0x00000000004CA000-memory.dmp

          Filesize

          104KB

        • memory/848-58-0x00000000004D0000-0x00000000004D6000-memory.dmp

          Filesize

          24KB

        • memory/940-70-0x00000000007B9000-0x00000000007DE000-memory.dmp

          Filesize

          148KB

        • memory/940-78-0x00000000007B9000-0x00000000007DE000-memory.dmp

          Filesize

          148KB