General

  • Target

    Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe

  • Size

    683KB

  • Sample

    220521-xppd3sccd3

  • MD5

    c96702f31575539b3439478d14983329

  • SHA1

    e1a6e2a14be3d49c89e3768e64c751ba9b959f85

  • SHA256

    7069126ab12c5a8b542c10a6e0e60c78d9b3c4150b5caf947b0420c50520cbea

  • SHA512

    99b8ae29eef8528ff91e7f13a3a298f2d96902fa857c18f94f27fb97aca5fc15280e5f6d1805bf3ef955189b04b8edd1496062bc124ffee35017059745521fda

Malware Config

Extracted

  • Family

    bitrat

  • Version

    1.38

  • C2

    oka.nerdpol.ovh:2223

  • Attributes

    communication_password: b6c6e855edf908ec7c12ce8c8e628a5c

    tor_process: tor

Targets

    • Target

      Punlolvwclwfqtzbjkukzofgyrkizbvbvb.exe

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • XenArmor Suite

      XenArmor is a suite of password recovery tools for various applications.

    • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    • ACProtect 1.3x - 1.4x DLL software

      Detects files protected with ACProtect software.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    T1060 Registry Run Keys / Startup Folder: 1

  • Defense Evasion

    T1112 Modify Registry: 2

    T1130 Install Root Certificate: 1

  • Credential Access

    T1081 Credentials in Files: 4

  • Collection

    T1005 Data from Local System: 4

    T1114 Email Collection: 1

Tasks