Analysis
-
max time kernel
150s -
max time network
169s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
22-10-2022 06:40
General
-
Target
d76d0c80f55b69dc7c4622a3166d4b7a170c28e939bc052e11fcbdb056ef1239.exe
-
Size
1.9MB
-
MD5
ddc3e1356b7807146d75a4eee20f96dd
-
SHA1
7499a3593d4308a2208c01e766fddbf93954c61e
-
SHA256
d76d0c80f55b69dc7c4622a3166d4b7a170c28e939bc052e11fcbdb056ef1239
-
SHA512
250e6b7816d000a40bb272a274490325a59a87dce55b9705b65ef4e9f7c81344b93a4c2bf5125f23928f81c36231645197efcaa266c79dc07e2cf44fbf996663
-
SSDEEP
49152:GzSJh0i1ZvjqB0LNlFRx9BWcWIqEBddvw:GgjvjqQR5WcWIqab
Malware Config
Extracted
bitrat
1.38
gh9st.mywire.org:5005
-
communication_password
803355ca422bf9b37bc523a750e21842
-
install_dir
svcsvc
-
install_file
svcsvc.exe
-
tor_process
tor
Signatures
-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Program crash 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: RenamesItself 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d76d0c80f55b69dc7c4622a3166d4b7a170c28e939bc052e11fcbdb056ef1239.exe"C:\Users\Admin\AppData\Local\Temp\d76d0c80f55b69dc7c4622a3166d4b7a170c28e939bc052e11fcbdb056ef1239.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d76d0c80f55b69dc7c4622a3166d4b7a170c28e939bc052e11fcbdb056ef1239.exe"C:\Users\Admin\AppData\Local\Temp\d76d0c80f55b69dc7c4622a3166d4b7a170c28e939bc052e11fcbdb056ef1239.exe"2⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\svcsvc\svcsvc.exe-a "C:\Users\Admin\AppData\Local\5d3b845b\plg\jTBBdMBW.json"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\svcsvc\svcsvc.exe-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 10322⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 10202⤵
- Program crash
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
1.9MB
MD5ddc3e1356b7807146d75a4eee20f96dd
SHA17499a3593d4308a2208c01e766fddbf93954c61e
SHA256d76d0c80f55b69dc7c4622a3166d4b7a170c28e939bc052e11fcbdb056ef1239
SHA512250e6b7816d000a40bb272a274490325a59a87dce55b9705b65ef4e9f7c81344b93a4c2bf5125f23928f81c36231645197efcaa266c79dc07e2cf44fbf996663
-
Filesize
1.9MB
MD5ddc3e1356b7807146d75a4eee20f96dd
SHA17499a3593d4308a2208c01e766fddbf93954c61e
SHA256d76d0c80f55b69dc7c4622a3166d4b7a170c28e939bc052e11fcbdb056ef1239
SHA512250e6b7816d000a40bb272a274490325a59a87dce55b9705b65ef4e9f7c81344b93a4c2bf5125f23928f81c36231645197efcaa266c79dc07e2cf44fbf996663
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
5.7MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
5.7MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
3.8MB
-
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
3.8MB
-
Filesize
232KB
-
Filesize
232KB
-
Filesize
3.8MB
-
Filesize
232KB
-
-
Filesize
4.9MB
-
Filesize
4.9MB