Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 10/05/2022, 12:38

Static task: static1

Behavioral task: behavioral1
- Sample: f1e6bf4d43ee2975292f57112c8fcb5d.exe
- Resource: win7-20220414-en
- 0 signatures
- 0 seconds
General
- Target: f1e6bf4d43ee2975292f57112c8fcb5d.exe
- Size: 264KB
- MD5: f1e6bf4d43ee2975292f57112c8fcb5d
- SHA1: 6c52c3a0707c3f9fe78ef47993e5ba6a854ff0b1
- SHA256: d7c1130bfed2081ab246aa229e524dd38eb91b22af6db68ddb89f1c760379d9a
- SHA512: fdf0b02c3e2bef352b46880a88960d51e30f6132351064087c557ec6a96498905d7eb316e81d047d8988e1de9da715082617a999bdd239fc712c8c9b17d61656
Malware Config (Extracted)
- Family: bitrat
- Version: 1.38
- C2: lapoire3.hopto.org:1234
- Attributes:
  - communication_password: e10adc3949ba59abbe56e057f20f883e
  - tor_process: tor
Signatures
- suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC) (reported twice)
- Drops startup file (2 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f1e6bf4d43ee2975292f57112c8fcb5d.exe (process: f1e6bf4d43ee2975292f57112c8fcb5d.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f1e6bf4d43ee2975292f57112c8fcb5d.exe (process: f1e6bf4d43ee2975292f57112c8fcb5d.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  - pid 1928, process f1e6bf4d43ee2975292f57112c8fcb5d.exe (same event recorded 5 times)
- Suspicious use of SetThreadContext (1 IoC)
  - PID 2476 (f1e6bf4d43ee2975292f57112c8fcb5d.exe) set thread context of 1928; procid_target: 82
- Suspicious behavior: EnumeratesProcesses (45 IoCs)
  - pid 2476, process f1e6bf4d43ee2975292f57112c8fcb5d.exe (same event recorded 45 times)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege; pid 2476, process f1e6bf4d43ee2975292f57112c8fcb5d.exe
  - Token: SeShutdownPrivilege; pid 1928, process f1e6bf4d43ee2975292f57112c8fcb5d.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  - pid 1928, process f1e6bf4d43ee2975292f57112c8fcb5d.exe (same event recorded 2 times)
- Suspicious use of WriteProcessMemory (11 IoCs)
  - PID 2476 (f1e6bf4d43ee2975292f57112c8fcb5d.exe) wrote to memory of 1928; procid_target: 82 (same event recorded 11 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\f1e6bf4d43ee2975292f57112c8fcb5d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1e6bf4d43ee2975292f57112c8fcb5d.exe"
  PID: 2476
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\f1e6bf4d43ee2975292f57112c8fcb5d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f1e6bf4d43ee2975292f57112c8fcb5d.exe"
    PID: 1928
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
  PID: 3712