Extracted

• • Target

    f15a04700bdbd82234a324ea9d0eb5c2

  • Size

    7.8MB

  • MD5

    f15a04700bdbd82234a324ea9d0eb5c2

  • SHA1

    8ea6e761e8b24a6eb23e0b59a59e7afda10e0053

  • SHA256

    6225733d751641ed48c78e200c761961aa6f01947e5c7fef79729fb7a1b3795b

  • SHA512

    5de8361b7c010f5f8b67db80b0856182531250e15833c2443184ee72bbc7f040200ca9f74a5c897da97cd9f73fd47e17714b32ed5dff6d460c0bed2a3501cab1

  • SSDEEP

    196608:oIRcbH4jSteTGvjxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOf:odHsfujxwZ6v1CPwDv3uFteg2EeJUO9E

  Score

  10^/10

  bitratpersistencetrojanupx

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat

  • ACProtect 1.3x - 1.4x DLL software

    Detects file using ACProtect software.

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2