General

  • Target

    XLL-EXCEL-EXPLOIT--main.zip

  • Size

    33KB

  • Sample

    220918-w69kxafebp

  • MD5

    c31e5ee554310f6b53daf5dbf473f971

  • SHA1

    35dcb804c308004d9de887a7b089cddadfee8d41

  • SHA256

    86ea220b5f1a142c4e7442f11d80bae12d158a1427de8b32afa34912685b4ce0

  • SHA512

    4f2a9a9ea0444c44cb6cc533f128e9882c8aca041f600b7f59b22e63159ac0c5e6aee3634ebf633d7ab72ac3cd8a1bdcb2875ec06928ddd3fa567a01be9f5341

  • SSDEEP

    768:da/kqw3bsyRqxsQR8wwAihYnFyNtPthQDRA9:dabcHMCZAgYFY9J

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    exe.dropper: http://asamyz.com/ini.exe

Extracted

  • Family

    bitrat

  • Version

    1.38

  • C2

    wwww.ddnsgeek.com:59599

Attributes
  • communication_password

    32c93a52f919c37c05b22825e5a57a4a

  • tor_process

    tor

Targets

    • Target

      XLL-EXCEL-EXPLOIT--main/XLL EXCEL EXPLOIT/Icon.vb

    • Size

      6KB

    • MD5

      02c3d7634bda745586e518ebb6d4c573

    • SHA1

      5c0e072de24ab01cc2c2388546fdc1c47b95d693

    • SHA256

      1eed5f867361bd7afcdab9bc27df0677848f3a37ea9cf7d3b695d6585895d5b2

    • SHA512

      e6fc78c83c0c3e2709b14238624739460673a33f39dd045bf3a2c0c8992018cd86af1e228e780eb5585fb6d4e4c81dd906e203d91ba69a8cfce0f96ab3ced211

    • SSDEEP

      192:UTmNrTOky/9ggh+zyp50CiQW7jqDyKyE/vqEbdOyYJj+jDmMw:ZNrTO7/9g2+zyp5ViQW7jqDSE/vqExOn

    Score
    1/10
    • Target

      XLL-EXCEL-EXPLOIT--main/XLL EXCEL EXPLOIT/MainWindow.xaml.vb

    • Size

      4KB

    • MD5

      d9a7d2413643c13d6c622810861eeb07

    • SHA1

      6392ed80ec3c215b55029c5fae0bee4ff7036667

    • SHA256

      befd6bca6e67decc2712f4eb3b466ea2870eca8b1e3c497f7a552755ea0f3c91

    • SHA512

      ced16ecb7dd0e552780a26bff09f1d64ba0f586f004b586d22726ab92183afe0cef939d10b8eee9383c9a4d4baac367db93192102bf4f2d2bd3b64f77310354d

    • SSDEEP

      96:PgL70cYYfw+tuF/yqWWdLZi8hmfbt+BuzZNqWiT+yzQ:CYYf/tC/ybS2t+BuzZniNQ

    Score
    1/10
    • Target

      XLL-EXCEL-EXPLOIT--main/XLL EXCEL EXPLOIT/packages/info.bat

    • Size

      5KB

    • MD5

      6029bfd4036c00fc9abb4decf00163d7

    • SHA1

      f0483462eb8bce5ba67bb08c420cbea4437dd066

    • SHA256

      a795f07f8bd65437d65ac3431fcd3e45c92f741bb9b4e24183267533a79a0b2f

    • SHA512

      3854c0a6f3552056bd11456843ecc4cd36cfbbf41172278f90df3ac0416a762113d791b348cbedb7b7efff31656ca3abc73e629f5477b2bb61c881287bcccb41

    • SSDEEP

      96:hwB9ZsSwiv/DZL7CCUkltOL3eOlZ8n6P19dHdRgbVwTnHApiDMUV:hqwg/cC9OL3eOlZ99dHdRg+TnHn

    Score
    10/10
    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • UAC bypass

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      XLL-EXCEL-EXPLOIT--main/XLL EXCEL EXPLOIT/projectrcs/Resources.resx

    • Size

      5KB

    • MD5

      c07716633f086d91759ae32a18996a1a

    • SHA1

      bf3383c20acf6e64ce49f120938456161e5f6cb9

    • SHA256

      4e124f5a7694ffe813c60601b1b73c53e47536b1f1c0e798d4d55bfc2ca3774f

    • SHA512

      c6ad0ec603ff69d2d1b787db9426f29d44ea1ba45cf1d2b7ec41cc2bd6d5c93af8d2299139cc1c5d10d56718f36daa37d544f8d5411fad91a72efc2e70454cdf

    • SSDEEP

      96:ECf+lbD5X5LPXCazYV5Lv6K6uOidfaxwsxuUPFE3qxdRMvDTursrbLAy202W:Zf+tLPfYnLvFVOiFQaUR6

    Score
    1/10
    • Target

      XLL-EXCEL-EXPLOIT--main/XLL EXCEL EXPLOIT/project‮nls.scr

    • Size

      90KB

    • MD5

      f257db29d0439adc56190a15a6336b90

    • SHA1

      7e974d2a767fa11832a0ae08f490d26ad552aebb

    • SHA256

      21e2dbf71e3f8f5c26914792ef4889d7a85cba85420e467917e7f1bd4ee56dd0

    • SHA512

      8503c5e71cb6e9232527431a527b21dccd0d60baa1b69e560a334b2d7a682cd51c8e21942e83e1d1202426fd7434e88da9c7197420ed116c4780e78ef49a4dbe

    • SSDEEP

      96:/WKqcNOUKaSG7BzIIt//JROTTcliIG8xmmPM+MSpiME7zGM62l1FsfjvKZtttttz:/W0NOUKaFvaAmH762nmK89u1

    Score
    10/10
    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • UAC bypass

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                      Count  ID
  Execution             Scheduled Task                 2      T1053
  Persistence           Hidden Files and Directories   4      T1158
  Persistence           Scheduled Task                 2      T1053
  Privilege Escalation  Bypass User Account Control    2      T1088
  Privilege Escalation  Scheduled Task                 2      T1053
  Defense Evasion       Bypass User Account Control    2      T1088
  Defense Evasion       Disabling Security Tools       2      T1089
  Defense Evasion       Modify Registry                4      T1112
  Defense Evasion       Hidden Files and Directories   4      T1158
  Discovery             Query Registry                 1      T1012
  Discovery             System Information Discovery   2      T1082

Tasks