Overview

overview

10

Static

static

Aepfxfnvtb...ao.exe

windows7_x64

10

Aepfxfnvtb...ao.exe

windows10-2004_x64

10

Resubmissions

08-06-2022 18:02

220608-wmrwraafhk 10

08-06-2022 17:56

220608-wjbelaeeb4 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c41718ada97cee3ec7317272591eda61-sample.zip

  • Size

    624KB

  • Sample

    220608-wmrwraafhk

  • MD5

    a19a59d7bd616a575898970b68b87b82

  • SHA1

    9c01da8e5bdddf0bea2df8c7f99344aeb55dce73

  • SHA256

    de2ccca7996acb55c58238b8f0a465398a0ff5cec1081ed1da9d51573ca87959

  • SHA512

    23c6627902ba3f4887a17b9b2a2bb215e6013bf4099a8eabc0a6a43d29739d86b1810252c160c05e9fabed24655e4aa7fe374fb775a76ecf2888b60064182cb3

Score
10/10
bitratmodiloaderxenarmorcollectionpasswordpersistencerecoveryspywarestealersuricatatrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

oka.nerdpol.ovh:2223

Attributes
  • communication_password

    b6c6e855edf908ec7c12ce8c8e628a5c

  • tor_process

    tor

Targets

    • Target

      Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe

    • Size

      1.0MB

    • MD5

      3daa66d053bf5aa603c9db0af979d2b7

    • SHA1

      5beb955aef82e5e487b50c3a7ba38ec76d93e760

    • SHA256

      bda842fc1f63fc6ab60f1964cbb4f25e655b92ffa0009d4b9a91f293e9b4f228

    • SHA512

      fd54c4568d7e508ce0b47ed6d71f519608b3e850bac54bba8f3f2dcdfa49fe9cc71caf366ebf089d090c399c25c8c2842fe9c6a1b7b494f1d03cf0b6bb8a91cb

    Score
    10/10
    bitratmodiloaderpersistencesuricatatrojanupxxenarmorcollectionpasswordrecoveryspywarestealer

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

      trojanbitrat

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • XenArmor Suite

      XenArmor is as suite of password recovery tools for various application.

      recoverypasswordxenarmor

    • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

      suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

      suricata

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

4
T1081

Discovery

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks