Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    10/05/2022, 10:38

General

  • Target

    481af38f33f4dc59c30d304ce466c4f0.exe

  • Size

    6.1MB

  • MD5

    481af38f33f4dc59c30d304ce466c4f0

  • SHA1

    ff0760bff63c33a71c93c84542402e8501d00627

  • SHA256

    39b2d2d422f4f87347f8b91009544a91115af8203fdb0afa7bf7f57cdec531e7

  • SHA512

    8225330df7a6f466ac9946e83cf1c50dde54cf4e330e8a1136a4837112766b3dc459ff6a6202e419e56f876986ae7549b889e8a85cbccefe6ec57dc1e7cd688e

Score
10/10

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

https.myvnc.com:9111

Attributes
  • communication_password

    c4ca4238a0b923820dcc509a6f75849b

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

  • Executes dropped EXE 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe
    "C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe"
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4260
    • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
      "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2420
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
    PID:4680

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

            Filesize

            42KB

            MD5

            9827ff3cdf4b83f9c86354606736ca9c

            SHA1

            e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

            SHA256

            c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

            SHA512

            8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

          • memory/2420-139-0x0000000000400000-0x00000000007CE000-memory.dmp

            Filesize

            3.8MB

          • memory/2420-137-0x0000000000400000-0x00000000007CE000-memory.dmp

            Filesize

            3.8MB

          • memory/2420-140-0x0000000000400000-0x00000000007CE000-memory.dmp

            Filesize

            3.8MB

          • memory/2420-141-0x0000000000400000-0x00000000007CE000-memory.dmp

            Filesize

            3.8MB

          • memory/4260-133-0x0000000006CB0000-0x0000000006D42000-memory.dmp

            Filesize

            584KB

          • memory/4260-134-0x0000000006CA0000-0x0000000006CAA000-memory.dmp

            Filesize

            40KB

          • memory/4260-135-0x000000000A000000-0x000000000A022000-memory.dmp

            Filesize

            136KB

          • memory/4260-132-0x0000000006540000-0x0000000006AE4000-memory.dmp

            Filesize

            5.6MB

          • memory/4260-130-0x0000000000ED0000-0x00000000014F4000-memory.dmp

            Filesize

            6.1MB

          • memory/4260-131-0x0000000005EF0000-0x0000000005F8C000-memory.dmp

            Filesize

            624KB