Analysis
- max time kernel: 157s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 15-06-2022 14:32

Static task: static1
Behavioral task: behavioral1
Sample: RKS7D5D6F_ETRANSFER_RECEIPT.exe
Resource: win7-20220414-en

General
- Target: RKS7D5D6F_ETRANSFER_RECEIPT.exe
- Size: 300.0MB
- MD5: 7298a9ef42c45144a0caab46893fc9e3
- SHA1: 809492d6628db6cb0af75ceb861ca209079029af
- SHA256: cd4000e6ed2eeeb0af7509cc6c74ea8d2ef08d5d6f6551aeebad6a96de57d7cd
- SHA512: ac95e369ed001e74b5c32cb94ac109f3b7c76b9c9dd82fd92c0569682589ccd94521599a7b03921a633c4668905a73ba87c9c7d5e31935d047f61c1284dd4459
Malware Config
Extracted
- Family: bitrat
- Version: 1.38
- C2: bitrat9300.duckdns.org:9300
- communication_password: e10adc3949ba59abbe56e057f20f883e
- tor_process: tor
Signatures
- suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
- Executes dropped EXE 2 IoCs
  Processes:
  pid | process
  2840 | nhbyg.exe
  936 | nhbyg.exe
- Processes:
  resource | yara_rule
  behavioral2/memory/4316-138-0x0000000000610000-0x00000000009F4000-memory.dmp | upx
  behavioral2/memory/4316-137-0x0000000000610000-0x00000000009F4000-memory.dmp | upx
  behavioral2/memory/4060-145-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
  behavioral2/memory/4060-146-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
  behavioral2/memory/4060-147-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
  behavioral2/memory/4060-148-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
  behavioral2/memory/4060-149-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
  behavioral2/memory/4060-152-0x0000000000400000-0x00000000007E4000-memory.dmp | upx
- Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  Processes:
  pid | process
  4060 | RegAsm.exe
  4060 | RegAsm.exe
  4060 | RegAsm.exe
  4060 | RegAsm.exe
  4060 | RegAsm.exe
- Suspicious use of SetThreadContext 2 IoCs
  Processes:
  description | pid | process | target process
  PID 880 set thread context of 4316 | 880 | RKS7D5D6F_ETRANSFER_RECEIPT.exe | RegAsm.exe
  PID 2840 set thread context of 4060 | 2840 | nhbyg.exe | RegAsm.exe
- Program crash 2 IoCs
  Processes:
  pid | pid_target | process | target process
  1360 | 4316 | WerFault.exe | RegAsm.exe
  4680 | 4316 | WerFault.exe | RegAsm.exe
- Creates scheduled task(s) 1 TTPs 2 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 4060 | RegAsm.exe
- Suspicious use of SetWindowsHookEx 2 IoCs
  Processes:
  pid | process
  4060 | RegAsm.exe
  4060 | RegAsm.exe
- Suspicious use of WriteProcessMemory 32 IoCs
  Processes:
  description | pid | process | target process
  PID 880 wrote to memory of 1912 | 880 | RKS7D5D6F_ETRANSFER_RECEIPT.exe | cmd.exe
  PID 880 wrote to memory of 1912 | 880 | RKS7D5D6F_ETRANSFER_RECEIPT.exe | cmd.exe
  PID 880 wrote to memory of 1912 | 880 | RKS7D5D6F_ETRANSFER_RECEIPT.exe | cmd.exe
  PID 1912 wrote to memory of 3568 | 1912 | cmd.exe | schtasks.exe
  PID 1912 wrote to memory of 3568 | 1912 | cmd.exe | schtasks.exe
  PID 1912 wrote to memory of 3568 | 1912 | cmd.exe | schtasks.exe
  PID 880 wrote to memory of 3388 | 880 | RKS7D5D6F_ETRANSFER_RECEIPT.exe | cmd.exe
  PID 880 wrote to memory of 3388 | 880 | RKS7D5D6F_ETRANSFER_RECEIPT.exe | cmd.exe
  PID 880 wrote to memory of 3388 | 880 | RKS7D5D6F_ETRANSFER_RECEIPT.exe | cmd.exe
  PID 880 wrote to memory of 4316 | 880 | RKS7D5D6F_ETRANSFER_RECEIPT.exe | RegAsm.exe
  PID 880 wrote to memory of 4316 | 880 | RKS7D5D6F_ETRANSFER_RECEIPT.exe | RegAsm.exe
  PID 880 wrote to memory of 4316 | 880 | RKS7D5D6F_ETRANSFER_RECEIPT.exe | RegAsm.exe
  PID 880 wrote to memory of 4316 | 880 | RKS7D5D6F_ETRANSFER_RECEIPT.exe | RegAsm.exe
  PID 880 wrote to memory of 4316 | 880 | RKS7D5D6F_ETRANSFER_RECEIPT.exe | RegAsm.exe
  PID 880 wrote to memory of 4316 | 880 | RKS7D5D6F_ETRANSFER_RECEIPT.exe | RegAsm.exe
  PID 880 wrote to memory of 4316 | 880 | RKS7D5D6F_ETRANSFER_RECEIPT.exe | RegAsm.exe
  PID 2840 wrote to memory of 1732 | 2840 | nhbyg.exe | cmd.exe
  PID 2840 wrote to memory of 1732 | 2840 | nhbyg.exe | cmd.exe
  PID 2840 wrote to memory of 1732 | 2840 | nhbyg.exe | cmd.exe
  PID 1732 wrote to memory of 520 | 1732 | cmd.exe | schtasks.exe
  PID 1732 wrote to memory of 520 | 1732 | cmd.exe | schtasks.exe
  PID 1732 wrote to memory of 520 | 1732 | cmd.exe | schtasks.exe
  PID 2840 wrote to memory of 1304 | 2840 | nhbyg.exe | cmd.exe
  PID 2840 wrote to memory of 1304 | 2840 | nhbyg.exe | cmd.exe
  PID 2840 wrote to memory of 1304 | 2840 | nhbyg.exe | cmd.exe
  PID 2840 wrote to memory of 4060 | 2840 | nhbyg.exe | RegAsm.exe
  PID 2840 wrote to memory of 4060 | 2840 | nhbyg.exe | RegAsm.exe
  PID 2840 wrote to memory of 4060 | 2840 | nhbyg.exe | RegAsm.exe
  PID 2840 wrote to memory of 4060 | 2840 | nhbyg.exe | RegAsm.exe
  PID 2840 wrote to memory of 4060 | 2840 | nhbyg.exe | RegAsm.exe
  PID 2840 wrote to memory of 4060 | 2840 | nhbyg.exe | RegAsm.exe
  PID 2840 wrote to memory of 4060 | 2840 | nhbyg.exe | RegAsm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\RKS7D5D6F_ETRANSFER_RECEIPT.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\RKS7D5D6F_ETRANSFER_RECEIPT.exe"
  signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
      signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    command line: "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\RKS7D5D6F_ETRANSFER_RECEIPT.exe" "C:\Users\Admin\AppData\Roaming\nhbyg.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 536
      signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 540
      signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4316 -ip 4316
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4316 -ip 4316
- C:\Users\Admin\AppData\Roaming\nhbyg.exe
  command line: C:\Users\Admin\AppData\Roaming\nhbyg.exe
  signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
      signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    command line: "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\nhbyg.exe" "C:\Users\Admin\AppData\Roaming\nhbyg.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\Users\Admin\AppData\Roaming\nhbyg.exe
  command line: C:\Users\Admin\AppData\Roaming\nhbyg.exe
  signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nhbyg.exe.log
  Filesize: 520B
  MD5: 41c37de2b4598f7759f865817dba5f80
  SHA1: 884ccf344bc2dd409425dc5ace0fd909a5f8cce4
  SHA256: 427235491a8da3fc8770ed60d30af731835c94585cd08d4d81fca9f703b283bc
  SHA512: a8f3c74916623de100e4cf22e05df9cdf541b1e32443aab0434f35fb9c4a7fa950b997ce589b532e65731ae471a1f152cd5c00ea1df4bd7a6b57eb27c93c54bd
- C:\Users\Admin\AppData\Roaming\nhbyg.exe
  Filesize: 300.0MB
  MD5: 7298a9ef42c45144a0caab46893fc9e3
  SHA1: 809492d6628db6cb0af75ceb861ca209079029af
  SHA256: cd4000e6ed2eeeb0af7509cc6c74ea8d2ef08d5d6f6551aeebad6a96de57d7cd
  SHA512: ac95e369ed001e74b5c32cb94ac109f3b7c76b9c9dd82fd92c0569682589ccd94521599a7b03921a633c4668905a73ba87c9c7d5e31935d047f61c1284dd4459
- C:\Users\Admin\AppData\Roaming\nhbyg.exe
  Filesize: 178.9MB
  MD5: f808580d25c2b7be6cc1eeded41fa089
  SHA1: 469a536ec985b22bb2d619409e5372044e934f13
  SHA256: 70cfbc21b846a3cc272bdef136f832aa6d5376335d099f12d6e0091eed89c259
  SHA512: f135eb05f47d445c0af10a0c8f095c367f339ed2255dbe5a34c1841a4957a497df571b86d157a44cf93437c816b9bea04aa676a32df98dcf59840a3631b37968