General
Target: RFQ-PO821606.xlsx
Size: 1.5MB
Sample: 220617-hfrqhsdch4
MD5: e913764056bbcb4f8e3783aa660fa2e3
SHA1: d011075e2ba6249087aab85d9278967a120ae0d3
SHA256: 97127c14c6267779a3ccde27dd5253645ad4a502095fa4c0f9156f32f13388ac
SHA512: d689cfeee3c305da33b9cca11ef17127294bee6df696ebbcbb3943881a5bd67f0f3f88e128ddcbbbd829b6558042ba7c8c848f644f9633d7680793f3edd4748d
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ-PO821606.xlsx
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: RFQ-PO821606.xlsx
  Resource: win10v2004-20220414-en
Malware Config
Extracted
bitrat
1.38
stonecold.ddns.net:4812
communication_password: ac7b2a72c82f15c4898d6a8f05cab46b
tor_process: tor
Targets
Target: RFQ-PO821606.xlsx
Size: 1.5MB
MD5: e913764056bbcb4f8e3783aa660fa2e3
SHA1: d011075e2ba6249087aab85d9278967a120ae0d3
SHA256: 97127c14c6267779a3ccde27dd5253645ad4a502095fa4c0f9156f32f13388ac
SHA512: d689cfeee3c305da33b9cca11ef17127294bee6df696ebbcbb3943881a5bd67f0f3f88e128ddcbbbd829b6558042ba7c8c848f644f9633d7680793f3edd4748d
Score: 10/10
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext