Analysis

  • max time kernel
    146s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20220718-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    29-07-2022 18:52

General

  • Target

    ANANOHYJ-PAYMENT-RECEIPT.exe

  • Size

    300.0MB

    Note: the image mapped at runtime is only 1.8MB (see memory/1420-54 below), so almost all of the 300MB on disk is overlay, consistent with padding the file to stay above upload-size limits of scanners and sandboxes. Hash the file as-is, but expect the padded size to vary between samples.

  • MD5

    dba3209d9c78a3bf216ba69f483af62c

  • SHA1

    68b017f099f31c1e631283007cfa25513d2ae924

  • SHA256

    e2ada17298bdb93977b0f7c57907bc7077437c43b813d8ba3e81f2e93b3bec5d

  • SHA512

    42b5d35c9d0f43ce2e438bda6e686b57ec906ab2588ed0f5862948134e73c8e1649d1f895d46dcea58147523861ac1faa7669fb4c0b7d3d30586bbf07ad82ef7

Score
10/10

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes
  • communication_password

    e10adc3949ba59abbe56e057f20f883e

    (32 hex characters, i.e. an MD5 digest rather than a cleartext password; this value is the MD5 of the string "123456".)

  • tor_process

    tor
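
Two quick checks on the extracted configuration, added here as an example and not part of the sandbox's own output: split the C2 into host and port, flag the dynamic-DNS hostname, and test the communication_password digest against a small wordlist. The configuration values are copied from the report; the wordlist and the dynamic-DNS suffix list are constructed for the example.

```python
"""Triage checks on an extracted BitRAT config (added example, not sandbox code)."""
import hashlib
import re
from typing import Dict, Iterable, Optional, Tuple

# Values copied from the "Malware Config" section of the report.
CONFIG = {
    "family": "bitrat",
    "version": "1.38",
    "c2": "bitrat9300.duckdns.org:9300",
    "communication_password": "e10adc3949ba59abbe56e057f20f883e",
    "tor_process": "tor",
}

# Constructed wordlist for the example; use a real list in practice.
COMMON_PASSWORDS = ["password", "123456", "12345678", "admin", "bitrat", "qwerty"]

# Illustrative list of dynamic-DNS suffixes often used for RAT C2 (assumption).
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net", ".hopto.org")


def parse_c2(c2: str) -> Tuple[str, int]:
    """Split a 'host:port' C2 string; raise ValueError on anything else."""
    m = re.fullmatch(r"([A-Za-z0-9.-]+):(\d{1,5})", c2)
    if not m:
        raise ValueError(f"unrecognised C2 format: {c2!r}")
    host, port = m.group(1).lower(), int(m.group(2))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return host, port


def is_dynamic_dns(host: str) -> bool:
    """True if the host sits under a known dynamic-DNS provider."""
    return host.endswith(DYNDNS_SUFFIXES)


def recover_password(md5_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate whose MD5 matches the 32-hex-char digest, if any."""
    target = md5_hex.lower()
    for cand in candidates:
        if hashlib.md5(cand.encode()).hexdigest() == target:
            return cand
    return None


def triage(config: Dict[str, str]) -> Dict[str, object]:
    """Bundle the three checks into one result for the analyst."""
    host, port = parse_c2(config["c2"])
    return {
        "c2_host": host,
        "c2_port": port,
        "dynamic_dns": is_dynamic_dns(host),
        "password": recover_password(config["communication_password"], COMMON_PASSWORDS),
    }


if __name__ == "__main__":
    for key, value in triage(CONFIG).items():
        print(f"{key}: {value}")
```

Because the C2 is a DuckDNS name, the IP behind it can change at any time; hunt and block on the hostname and the host:port pairing rather than on whatever it resolves to today.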

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Uses the VBS compiler for execution 1 TTPs

    vbc.exe is the Visual Basic .NET command-line compiler, a signed Microsoft binary. Here the sample launches it with no arguments and immediately calls SetThreadContext and WriteProcessMemory on it, and the dumps for PID 2024 show a 3.9MB region at the default image base 0x400000; this is consistent with the packed loader hollowing vbc.exe and running the BitRAT payload inside it. The NtSetInformationThreadHideFromDebugger and SetWindowsHookEx calls attributed to vbc.exe are therefore the RAT's own behaviour (anti-debug and input hooking), not the compiler's.
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ANANOHYJ-PAYMENT-RECEIPT.exe
    "C:\Users\Admin\AppData\Local\Temp\ANANOHYJ-PAYMENT-RECEIPT.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2024
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\wdfvbn"
      2⤵
        PID:1728
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wdfvbn\wdfvbn.exe'" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:888
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wdfvbn\wdfvbn.exe'" /f
          3⤵
          • Creates scheduled task(s)
          PID:1208
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\ANANOHYJ-PAYMENT-RECEIPT.exe" "C:\Users\Admin\AppData\Roaming\wdfvbn\wdfvbn.exe"
        2⤵
          PID:860
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {BAACDDCB-D792-4C75-A3BC-3D45CA1356BF} S-1-5-21-4084403625-2215941253-1760665084-1000:LDLTPJLN\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:664
        • C:\Users\Admin\AppData\Roaming\wdfvbn\wdfvbn.exe
          C:\Users\Admin\AppData\Roaming\wdfvbn\wdfvbn.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1072
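
Detection logic for the persistence chain shown in the tree above, added here as an example and not part of the sandbox report: tokenize each command line, pull the switches out of any "schtasks /create" (whether it runs directly or wrapped in "cmd /c"), flag tasks that fire every few minutes and point into a user-writable directory, and correlate the task target with a file the same trace copied into place. EVENTS is constructed from the command lines in the report; the rule name, the interval threshold and the field names are assumptions made for this example.

```python
"""Persistence-chain detection over sandbox process events (added example)."""
import re
from typing import Dict, List, Optional

# (pid, command line) pairs copied from the process tree in the report.
EVENTS = [
    (1420, r'"C:\Users\Admin\AppData\Local\Temp\ANANOHYJ-PAYMENT-RECEIPT.exe"'),
    (2024, r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"'),
    (1728, r'"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\wdfvbn"'),
    (888,  r'''"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wdfvbn\wdfvbn.exe'" /f'''),
    (1208, r'''schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wdfvbn\wdfvbn.exe'" /f'''),
    (860,  r'"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\ANANOHYJ-PAYMENT-RECEIPT.exe" "C:\Users\Admin\AppData\Roaming\wdfvbn\wdfvbn.exe"'),
]

TOKEN = re.compile(r'"[^"]*"|\S+')
# Directories an unprivileged user can write to; a task pointing here is far
# more suspicious than one pointing into Program Files or System32.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\|\\Users\\Public\\|\\ProgramData\\", re.I)
MAX_BENIGN_INTERVAL_MIN = 5  # assumption: legitimate tasks rarely repeat this often


def tokenize(cmdline: str) -> List[str]:
    """Whitespace-split a Windows command line, keeping quoted spans intact and
    stripping the outer double quotes and the inner single quotes that
    schtasks /tr arguments are commonly wrapped in."""
    return [t.strip('"').strip("'") for t in TOKEN.findall(cmdline)]


def parse_schtasks_create(tokens: List[str]) -> Optional[Dict[str, str]]:
    """Return the /sc /mo /tn /tr switches of a 'schtasks /create' found
    anywhere in the token list (it may sit behind 'cmd /c'), else None."""
    low = [t.lower() for t in tokens]
    starts = [i for i, t in enumerate(low) if t.rsplit("\\", 1)[-1] in ("schtasks", "schtasks.exe")]
    if not starts or "/create" not in low[starts[0]:]:
        return None
    opts: Dict[str, str] = {}
    for i in range(starts[0], len(tokens) - 1):
        if low[i] in ("/sc", "/mo", "/tn", "/tr"):
            opts[low[i][1:]] = tokens[i + 1]
    return opts


def interval_minutes(opts: Dict[str, str]) -> Optional[int]:
    """Turn /sc and /mo into a repeat interval in minutes (None if not periodic)."""
    try:
        mo = int(opts.get("mo", "1"))
    except ValueError:
        return None
    return {"minute": mo, "hourly": 60 * mo, "daily": 1440 * mo}.get(opts.get("sc", "").lower())


def parse_copy(tokens: List[str]) -> Optional[Dict[str, str]]:
    """Return {src, dst} for a 'copy <src> <dst>' command, possibly under cmd /c."""
    low = [t.lower() for t in tokens]
    if "copy" in low:
        i = low.index("copy")
        if i + 2 < len(tokens) and not tokens[i + 1].startswith("/"):
            return {"src": tokens[i + 1], "dst": tokens[i + 2]}
    return None


def analyze(events) -> List[Dict]:
    """Run the rule over (pid, cmdline) events; de-duplicate the cmd.exe
    wrapper and the schtasks.exe child, then attach the staging copy's source."""
    copies: Dict[str, str] = {}   # destination (lowercased) -> source path
    tasks: Dict[tuple, Dict] = {}  # (task name, target) -> finding
    for pid, cmdline in events:
        tokens = tokenize(cmdline)
        c = parse_copy(tokens)
        if c:
            copies[c["dst"].lower()] = c["src"]
        opts = parse_schtasks_create(tokens)
        if opts is None:
            continue
        target = opts.get("tr", "")
        every = interval_minutes(opts)
        if every is not None and every <= MAX_BENIGN_INTERVAL_MIN and USER_WRITABLE.search(target):
            tasks.setdefault((opts.get("tn", ""), target.lower()), {
                "rule": "high_frequency_task_in_user_path",
                "pid": pid,
                "task_name": opts.get("tn", ""),
                "interval_minutes": every,
                "target": target,
            })
    findings = list(tasks.values())
    for f in findings:
        f["staged_from"] = copies.get(f["target"].lower())
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

On a real host the same logic runs over Sysmon event ID 1 or 4688 command lines; the one-minute repeat interval combined with a target under AppData\Roaming is the part worth alerting on, since the task name and directory name are trivially changed between builds.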

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Users\Admin\AppData\Roaming\wdfvbn\wdfvbn.exe

        Byte-identical copy of the submitted sample (same size and hashes), written by the "cmd /c copy" step in the process tree and later started by the "Nafifas" scheduled task.

        Filesize

        300.0MB

        MD5

        dba3209d9c78a3bf216ba69f483af62c

        SHA1

        68b017f099f31c1e631283007cfa25513d2ae924

        SHA256

        e2ada17298bdb93977b0f7c57907bc7077437c43b813d8ba3e81f2e93b3bec5d

        SHA512

        42b5d35c9d0f43ce2e438bda6e686b57ec906ab2588ed0f5862948134e73c8e1649d1f895d46dcea58147523861ac1faa7669fb4c0b7d3d30586bbf07ad82ef7

      • memory/860-68-0x0000000000000000-mapping.dmp

      • memory/888-67-0x0000000000000000-mapping.dmp

      • memory/1072-75-0x00000000002F0000-0x00000000004B2000-memory.dmp

        Filesize

        1.8MB

      • memory/1072-73-0x0000000000000000-mapping.dmp

      • memory/1208-69-0x0000000000000000-mapping.dmp

      • memory/1420-55-0x0000000075481000-0x0000000075483000-memory.dmp

        Filesize

        8KB

      • memory/1420-54-0x0000000000CE0000-0x0000000000EA2000-memory.dmp

        Filesize

        1.8MB

      • memory/1728-66-0x0000000000000000-mapping.dmp

      • memory/2024-60-0x0000000000400000-0x00000000007E4000-memory.dmp

        Filesize

        3.9MB

      • memory/2024-64-0x0000000000400000-0x00000000007E4000-memory.dmp

        Filesize

        3.9MB

      • memory/2024-63-0x0000000000400000-0x00000000007E4000-memory.dmp

        Filesize

        3.9MB

      • memory/2024-62-0x0000000000400000-0x00000000007E4000-memory.dmp

        Filesize

        3.9MB

      • memory/2024-70-0x0000000000400000-0x00000000007E4000-memory.dmp

        Filesize

        3.9MB

      • memory/2024-71-0x0000000000400000-0x00000000007E4000-memory.dmp

        Filesize

        3.9MB

      • memory/2024-61-0x00000000007E2730-mapping.dmp

      • memory/2024-59-0x0000000000400000-0x00000000007E4000-memory.dmp

        Filesize

        3.9MB

      • memory/2024-57-0x0000000000400000-0x00000000007E4000-memory.dmp

        Filesize

        3.9MB

      • memory/2024-56-0x0000000000400000-0x00000000007E4000-memory.dmp

        Filesize

        3.9MB