Overview

overview

10

Static

static

10

44e041dc2e...39.exe

windows7-x64

10

44e041dc2e...39.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-08-2022 17:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    44e041dc2e445fcd33cc89b8453d0539.exe

  • Size

    1.4MB

  • MD5

    44e041dc2e445fcd33cc89b8453d0539

  • SHA1

    99faf5ac243f30d7041e7018f41490023b552f60

  • SHA256

    707ce4ec41a0a919739998e1260e50eb8eca2808ee69df64b07a5e985d1068ad

  • SHA512

    893019fd4b969250464a551bdeb0fc050da5bc82f1680b5ef116e8cc43b2e0b4088ec351f91d0d4b379ffd61fb32a02a34ea11fb94ca35fc4ed064dda021bf18

Score
10/10
bitrattrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

trotox.duckdns.org:55441

Attributes
  • communication_password

    4b49ee1f55b1900518dfb23fd2d7c702

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44e041dc2e445fcd33cc89b8453d0539.exe
    "C:\Users\Admin\AppData\Local\Temp\44e041dc2e445fcd33cc89b8453d0539.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3736
    • C:\Windows\System32\fodhelper.exe
      "C:\Windows\System32\fodhelper.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Users\Admin\AppData\Local\Temp\44e041dc2e445fcd33cc89b8453d0539.exe
        "C:\Users\Admin\AppData\Local\Temp\44e041dc2e445fcd33cc89b8453d0539.exe" -uac 3736
        3⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        PID:4812
    • C:\Windows\System32\fodhelper.exe
      "C:\Windows\System32\fodhelper.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4524
      • C:\Users\Admin\AppData\Local\Temp\44e041dc2e445fcd33cc89b8453d0539.exe
        "C:\Users\Admin\AppData\Local\Temp\44e041dc2e445fcd33cc89b8453d0539.exe" -uac 3736
        3⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4232
    • C:\Windows\System32\fodhelper.exe
      "C:\Windows\System32\fodhelper.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4512
      • C:\Users\Admin\AppData\Local\Temp\44e041dc2e445fcd33cc89b8453d0539.exe
        "C:\Users\Admin\AppData\Local\Temp\44e041dc2e445fcd33cc89b8453d0539.exe" -uac 3736
        3⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        PID:4808

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2936-135-0x0000000000000000-mapping.dmp
    Download
  • memory/3736-140-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/3736-131-0x00000000751E0000-0x0000000075219000-memory.dmp
    Filesize

    228KB

    Download
  • memory/3736-132-0x0000000075560000-0x0000000075599000-memory.dmp
    Filesize

    228KB

    Download
  • memory/3736-133-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/3736-130-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/3736-141-0x00000000751E0000-0x0000000075219000-memory.dmp
    Filesize

    228KB

    Download
  • memory/4232-145-0x0000000075280000-0x00000000752B9000-memory.dmp
    Filesize

    228KB

    Download
  • memory/4232-138-0x0000000000000000-mapping.dmp
    Download
  • memory/4232-150-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/4232-149-0x0000000075210000-0x0000000075249000-memory.dmp
    Filesize

    228KB

    Download
  • memory/4232-143-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/4512-136-0x0000000000000000-mapping.dmp
    Download
  • memory/4524-134-0x0000000000000000-mapping.dmp
    Download
  • memory/4808-144-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/4808-146-0x0000000075280000-0x00000000752B9000-memory.dmp
    Filesize

    228KB

    Download
  • memory/4808-147-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/4808-137-0x0000000000000000-mapping.dmp
    Download
  • memory/4812-142-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/4812-148-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/4812-139-0x0000000000000000-mapping.dmp
    Download