Overview

overview

10

Static

static

R0DJFF6DH_...PT.exe

windows7_x64

10

R0DJFF6DH_...PT.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    13-06-2022 17:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    R0DJFF6DH_ETRANSFER_RECEIPT.exe

  • Size

    300.0MB

  • MD5

    226fb5752aa6f88a83ff3b5fd793ed3e

  • SHA1

    e47d89197c492285ed0e21ba88d8c6dc57b53b28

  • SHA256

    b7bc9c6c715db6abe6707205e70f685422aedf9c881beda92fff27a4fafdc4cb

  • SHA512

    7cf758e2846db04570cb00731a629d9fe282c5fd39c3b50e2238209e2341c4aa10944ed81d9971a8db475fd421d90aaec0b59722be522706dccf482eae138156

Score
10/10
bitrattrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes
  • communication_password

    e10adc3949ba59abbe56e057f20f883e

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Executes dropped EXE 2 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\R0DJFF6DH_ETRANSFER_RECEIPT.exe
    "C:\Users\Admin\AppData\Local\Temp\R0DJFF6DH_ETRANSFER_RECEIPT.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\retwvs.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\retwvs.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:1096
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\R0DJFF6DH_ETRANSFER_RECEIPT.exe" "C:\Users\Admin\AppData\Roaming\retwvs.exe"
      2⤵
        PID:1192
      • C:\Users\Admin\AppData\Local\Temp\R0DJFF6DH_ETRANSFER_RECEIPT.exe
        "C:\Users\Admin\AppData\Local\Temp\R0DJFF6DH_ETRANSFER_RECEIPT.exe"
        2⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2044
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {4FD6C770-A237-4261-B72B-BFB6F3F162D7} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:684
      • C:\Users\Admin\AppData\Roaming\retwvs.exe
        C:\Users\Admin\AppData\Roaming\retwvs.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1636
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\retwvs.exe'" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:320
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\retwvs.exe'" /f
            4⤵
            • Creates scheduled task(s)
            PID:1488
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\retwvs.exe" "C:\Users\Admin\AppData\Roaming\retwvs.exe"
          3⤵
            PID:564
          • C:\Users\Admin\AppData\Roaming\retwvs.exe
            "C:\Users\Admin\AppData\Roaming\retwvs.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of AdjustPrivilegeToken
            PID:1756

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\retwvs.exe
        Filesize

        239.9MB

        MD5

        dbde8b430fc98d8a5082ae24f24ada09

        SHA1

        da4391075fe2f43cef39bf4f2a316aa324c2e9b1

        SHA256

        7c4763918f9c25d0c0f178b3ceed26e09cf2133c5b8e230fbb5720695f2c9e1e

        SHA512

        c59d8bb55a699de76e085e0b3b44a09d010ff72e0aeacb2bdef163904f34ca977ff41eb3fcb1a61bae0154029107e00becc6ecf26fdd7cf96f5b18ab70981558

        Download Submit
      • C:\Users\Admin\AppData\Roaming\retwvs.exe
        Filesize

        247.6MB

        MD5

        e75b5b4c012524224fbe0b3c188c5f23

        SHA1

        6d30f088b525caf0ce1b6af0608d39cc5632075e

        SHA256

        bacefc35825b05932914e643a97ee9618718295dcaa417a853fe644e9b61e59b

        SHA512

        fb521470414f84ca1020d8fbd8f0f7eedcd167d32f2fd3e4c15f9b80d8c1ca2569342828d7a117113ba071805d5c3ac5dae70c0cae44c55623ade049384a4c5e

        Download Submit
      • C:\Users\Admin\AppData\Roaming\retwvs.exe
        Filesize

        27.9MB

        MD5

        4ceb4a5f41fe0417369db97462bc0219

        SHA1

        c8e6771cde1ce65ba9473f1c1556268c8b7a22f2

        SHA256

        b3da007cbac2ce51625143ad1bd068fac45220c152e6ece5f03cf24e501573fa

        SHA512

        5a566a831268e527a4f0cc24ba651399ee8400c69c8b947b292dda3bee45f8fa8d1ed5f9f14827850ee202c9c404fe6423bb8fd9c4b581fbc8215dc0e3f61d58

        Download Submit
      • memory/320-77-0x0000000000000000-mapping.dmp
        Download
      • memory/564-79-0x0000000000000000-mapping.dmp
        Download
      • memory/1092-55-0x0000000005120000-0x0000000005296000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/1092-56-0x00000000752A1000-0x00000000752A3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1092-54-0x00000000010C0000-0x0000000001254000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1096-58-0x0000000000000000-mapping.dmp
        Download
      • memory/1192-59-0x0000000000000000-mapping.dmp
        Download
      • memory/1488-78-0x0000000000000000-mapping.dmp
        Download
      • memory/1636-75-0x0000000000140000-0x00000000002D4000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1636-73-0x0000000000000000-mapping.dmp
        Download
      • memory/1708-57-0x0000000000000000-mapping.dmp
        Download
      • memory/1756-91-0x0000000000610000-0x00000000009F4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/1756-85-0x00000000007E2730-mapping.dmp
        Download
      • memory/1756-87-0x0000000000610000-0x00000000009F4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/1756-88-0x0000000000610000-0x00000000009F4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/1756-92-0x0000000000610000-0x00000000009F4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2044-61-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2044-71-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2044-69-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2044-67-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2044-66-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2044-65-0x00000000007E2730-mapping.dmp
        Download
      • memory/2044-64-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2044-63-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2044-60-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download