Extracted

• • Target

    HF72635_893548000808485064520858459698040.exe

  • Size

    3.3MB

  • MD5

    77d0e1ade1b9df74c1867a0c2c42804d

  • SHA1

    2a8920cec1fab68c921d0c1b905aa777010b48e2

  • SHA256

    3074637eefee1662292e9240775d5b945fe66dc1a1183be8303cf51cce31e098

  • SHA512

    1de6b0afa33fd06e95d1f08965bc8c83600142336ed169d6f3175b545d53608c2d36cf5f6bd89dafff5fc12b0c45723771d0708fc2bcb43861f255b2f905c4b7

  • SSDEEP

    49152:3lSbJYtdTJX9C6xfZ02WDZ87KlpNiEx3nCXobhrWeMDP7OeOs+EaPzYfA1jyIs0U:RX9/ZiDZ8i3CXobhr8T7EF77fwIs0U

  Score

  10^/10

  bitratpersistencetrojanupx

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application

    persistence

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2