Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-09-2022 04:33

General

  • Target

    newbithere20054rfds.exe

  • Size

    300.0MB

  • MD5

    9edb373bba31ed74e5635c8ba1ccbc24

  • SHA1

    7826110d94ad641b3cbed3eaa1c4e1ab5e329e26

  • SHA256

    cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235

  • SHA512

    90c56b8545767b8b3b3292ebc71d4683b6ff0c2e0fc1135159357707bfb462878c8044eced0f6138e7771d3db3c6e8a1b363d7663fd3e5e50f46254f22ee54e4

  • SSDEEP

    24576:KQWUrKeG3ggoqRwkqbQsH50RPoE+G3ttsP2V4MM9obzQLAmLGAs4DyAunLw+6aI9:K2KtBCR3qP+JeO+/m6yDL9aITLUp

Score
10/10

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

newbithere.duckdns.org:2005

Attributes
  • communication_password

    827ccb0eea8a706c4c34a16891f84e7b

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\newbithere20054rfds.exe
    "C:\Users\Admin\AppData\Local\Temp\newbithere20054rfds.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\pojhg.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\pojhg.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:1372
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\newbithere20054rfds.exe" "C:\Users\Admin\AppData\Roaming\pojhg.exe"
      2⤵
      PID:468
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:892
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {DB426783-242E-4BB6-B905-8EB5FEA65739} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:588
      • C:\Users\Admin\AppData\Roaming\pojhg.exe
        C:\Users\Admin\AppData\Roaming\pojhg.exe
        2⤵
        • Executes dropped EXE
        PID:972

Network

MITRE ATT&CK Enterprise v6


Downloads

    • C:\Users\Admin\AppData\Roaming\pojhg.exe
      Filesize

      236.0MB

      MD5

      915edeb4da1231124dd4b48713a4909b

      SHA1

      91a1a296d8e1afcdd966d62469d5b3575077c63a

      SHA256

      f9b5c73e6aeb0c92e4911a4ab7286ce5b6fe133a2d7c02fd6f5f66e2606fd426

      SHA512

      8670adba615416068b996950d1ab2648fa08cf5955864bf2fbcb9a82468353da4048387a3483e772120c03114a62f475c2651ffd28ac1913638bd76f4bae7457

    • C:\Users\Admin\AppData\Roaming\pojhg.exe
      Filesize

      240.2MB

      MD5

      b9cbb1e767466614af72cd7018f2fb67

      SHA1

      57606cb1ea053900b3a06d33b8d486485b06e23f

      SHA256

      d4014d31a86c0d1c1a6208cce6b536222ef12bde9c87b01627b89ca01db4c6fe

      SHA512

      9ff5381ba50d8fa93f4958aa2e99bfaf6ef5d53f4fc6dab2e21b098c78d8046fe34c0d87ed5e5429c3af4d625a0ec6972836bfea3990741240fd1827178555bc

    • memory/468-58-0x0000000000000000-mapping.dmp
    • memory/892-65-0x0000000000400000-0x00000000007E4000-memory.dmp
      Filesize

      3.9MB

    • memory/892-69-0x0000000000400000-0x00000000007E4000-memory.dmp
      Filesize

      3.9MB

    • memory/892-59-0x0000000000400000-0x00000000007E4000-memory.dmp
      Filesize

      3.9MB

    • memory/892-60-0x0000000000400000-0x00000000007E4000-memory.dmp
      Filesize

      3.9MB

    • memory/892-62-0x0000000000400000-0x00000000007E4000-memory.dmp
      Filesize

      3.9MB

    • memory/892-63-0x0000000000400000-0x00000000007E4000-memory.dmp
      Filesize

      3.9MB

    • memory/892-64-0x00000000007E2730-mapping.dmp
    • memory/892-72-0x0000000000400000-0x00000000007E4000-memory.dmp
      Filesize

      3.9MB

    • memory/892-66-0x0000000000400000-0x00000000007E4000-memory.dmp
      Filesize

      3.9MB

    • memory/892-71-0x0000000000400000-0x00000000007E4000-memory.dmp
      Filesize

      3.9MB

    • memory/892-70-0x0000000000400000-0x00000000007E4000-memory.dmp
      Filesize

      3.9MB

    • memory/972-74-0x0000000000000000-mapping.dmp
    • memory/972-76-0x0000000000300000-0x0000000000492000-memory.dmp
      Filesize

      1.6MB

    • memory/1372-57-0x0000000000000000-mapping.dmp
    • memory/1784-56-0x0000000000000000-mapping.dmp
    • memory/1900-54-0x0000000000870000-0x0000000000A02000-memory.dmp
      Filesize

      1.6MB

    • memory/1900-55-0x00000000759F1000-0x00000000759F3000-memory.dmp
      Filesize

      8KB