Overview

overview

10

Static

static

43_85_73_parsed.exe

windows7-x64

10

43_85_73_parsed.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    123s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-10-2022 18:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    43_85_73_parsed.exe

  • Size

    3.0MB

  • MD5

    bd22be1e69a4239d389fe343129eb48d

  • SHA1

    4bff5aac0df64899f90172ab1af8783881d3d0d9

  • SHA256

    ddd8dd0b708e17bc9e76db79925f69b12259ae08b5a1e812a5abc4bdc38e8c3d

  • SHA512

    603c8c2986f07c214d6b88ce95fcd34dcb71970adb288db981bb073d774537b34d23dcd80a718d639838d350f39de09fee0459b88fdad3d7fdfbba24a7710899

  • SSDEEP

    49152:sOQ2JptNdkDY3CZHqmwDpu2qNd6T4o427WJUf8gZaDTl4i44A1eSAiEHk1VYZPrE:sCTNdfCZKmsqcT4sCi8gZW5iR1bggSZQ

Score
10/10
bitrattrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitone9090.duckdns.org:9090

bit9090.duckdns.org:9090
Attributes
  • communication_password

    e10adc3949ba59abbe56e057f20f883e

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Executes dropped EXE 2 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43_85_73_parsed.exe
    "C:\Users\Admin\AppData\Local\Temp\43_85_73_parsed.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hygt.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4508
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hygt.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:2100
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\43_85_73_parsed.exe" "C:\Users\Admin\AppData\Roaming\hygt.exe"
      2⤵
        PID:4864
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        2⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:5112
      • C:\Users\Admin\AppData\Local\Temp\nbittt9090.exe
        "C:\Users\Admin\AppData\Local\Temp\nbittt9090.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4028
    • C:\Users\Admin\AppData\Roaming\hygt.exe
      C:\Users\Admin\AppData\Roaming\hygt.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4236
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hygt.exe'" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4308
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hygt.exe'" /f
          3⤵
          • Creates scheduled task(s)
          PID:4896
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c copy "C:\Users\Admin\AppData\Roaming\hygt.exe" "C:\Users\Admin\AppData\Roaming\hygt.exe"
        2⤵
          PID:1208
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          2⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of AdjustPrivilegeToken
          PID:1776

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scripting

      1
      T1064

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Scripting

      1
      T1064

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\nbittt9090.exe
        Filesize

        1.4MB

        MD5

        d2d601c4f27a42233076ebc6e05f07f0

        SHA1

        5a0b561f883b88ca3d4d9bdba5143f103ea83d14

        SHA256

        dc9fcc38f0fad625bdd15fa418178cbcd8783e8c66bccf1bd300ead64c9e05eb

        SHA512

        f28db947332f2151de3a7b24101788afaeb3a00a63221dd20b745bd4ffe1ca495c6a4ac148ff8925635b720ae7c8bc586ab697622097a78a0e2588aa9d70b077

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\nbittt9090.exe
        Filesize

        1.4MB

        MD5

        d2d601c4f27a42233076ebc6e05f07f0

        SHA1

        5a0b561f883b88ca3d4d9bdba5143f103ea83d14

        SHA256

        dc9fcc38f0fad625bdd15fa418178cbcd8783e8c66bccf1bd300ead64c9e05eb

        SHA512

        f28db947332f2151de3a7b24101788afaeb3a00a63221dd20b745bd4ffe1ca495c6a4ac148ff8925635b720ae7c8bc586ab697622097a78a0e2588aa9d70b077

        Download Submit
      • C:\Users\Admin\AppData\Roaming\hygt.exe
        Filesize

        3.0MB

        MD5

        bd22be1e69a4239d389fe343129eb48d

        SHA1

        4bff5aac0df64899f90172ab1af8783881d3d0d9

        SHA256

        ddd8dd0b708e17bc9e76db79925f69b12259ae08b5a1e812a5abc4bdc38e8c3d

        SHA512

        603c8c2986f07c214d6b88ce95fcd34dcb71970adb288db981bb073d774537b34d23dcd80a718d639838d350f39de09fee0459b88fdad3d7fdfbba24a7710899

        Download Submit
      • C:\Users\Admin\AppData\Roaming\hygt.exe
        Filesize

        3.0MB

        MD5

        bd22be1e69a4239d389fe343129eb48d

        SHA1

        4bff5aac0df64899f90172ab1af8783881d3d0d9

        SHA256

        ddd8dd0b708e17bc9e76db79925f69b12259ae08b5a1e812a5abc4bdc38e8c3d

        SHA512

        603c8c2986f07c214d6b88ce95fcd34dcb71970adb288db981bb073d774537b34d23dcd80a718d639838d350f39de09fee0459b88fdad3d7fdfbba24a7710899

        Download Submit
      • memory/1208-156-0x0000000000000000-mapping.dmp
        Download
      • memory/1744-135-0x0000000005EC0000-0x0000000006464000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/1744-132-0x0000000000A20000-0x0000000000D1C000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1776-163-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/1776-162-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/1776-157-0x0000000000000000-mapping.dmp
        Download
      • memory/2100-134-0x0000000000000000-mapping.dmp
        Download
      • memory/4028-146-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/4028-151-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/4028-149-0x0000000074E30000-0x0000000074E69000-memory.dmp
        Filesize

        228KB

        Download
      • memory/4028-143-0x0000000000000000-mapping.dmp
        Download
      • memory/4308-154-0x0000000000000000-mapping.dmp
        Download
      • memory/4508-133-0x0000000000000000-mapping.dmp
        Download
      • memory/4864-136-0x0000000000000000-mapping.dmp
        Download
      • memory/4896-155-0x0000000000000000-mapping.dmp
        Download
      • memory/5112-140-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/5112-150-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/5112-139-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/5112-148-0x00000000750A0000-0x00000000750D9000-memory.dmp
        Filesize

        228KB

        Download
      • memory/5112-147-0x0000000074D00000-0x0000000074D39000-memory.dmp
        Filesize

        228KB

        Download
      • memory/5112-138-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/5112-137-0x0000000000000000-mapping.dmp
        Download
      • memory/5112-141-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/5112-142-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/5112-164-0x0000000074D00000-0x0000000074D39000-memory.dmp
        Filesize

        228KB

        Download