Overview

overview

10

Static

static

68efb40ce0...67.zip

windows7_x64

1

68efb40ce0...67.zip

windows10-2004_x64

1

n3m18xb4m_Receipt.exe

windows7_x64

10

n3m18xb4m_Receipt.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    189s
  • max time network
    228s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    22-06-2022 09:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    n3m18xb4m_Receipt.exe

  • Size

    300.0MB

  • MD5

    600264e6c435659230d5e8fa5c461f8e

  • SHA1

    d73cccf02e3f6fe73c95b0760579091455036b4b

  • SHA256

    e03cb09284d307ffc4121661c8d6fc9c4451127cbd2616adcc638ff19de44831

  • SHA512

    26ad49be4f9e1f7c928af4be1c5b84a149e410a20cc12257225cb89753b98b6b38d669bb23527a3325d6783070359b12201c89498f5c169f36d7ef3e30f38dee

Score
10/10
bitrattrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitranew3500.duckdns.org:3500

Attributes
  • communication_password

    e10adc3949ba59abbe56e057f20f883e

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\n3m18xb4m_Receipt.exe
    "C:\Users\Admin\AppData\Local\Temp\n3m18xb4m_Receipt.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1768
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 704
      2⤵
      • Program crash
      PID:1800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1288-54-0x0000000001120000-0x00000000012B2000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1288-55-0x0000000075F61000-0x0000000075F63000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1288-56-0x0000000005490000-0x0000000005606000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1768-61-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1768-58-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1768-60-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1768-57-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1768-62-0x00000000007E2730-mapping.dmp
    Download
  • memory/1768-63-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1768-64-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1768-67-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1768-68-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1768-70-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1768-71-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1800-69-0x0000000000000000-mapping.dmp
    Download