Extracted

• • Target

    SecuriteInfo.com.NSIS.Injector.D943.tr.16244.7621.exe

  • Size

    151KB

  • MD5

    97e26a93aabb91fe523c940d069cd36d

  • SHA1

    a3fae89469afa1f92c5d9555befe358d0f4e32cb

  • SHA256

    f64867f77643510bf87fa88977ca080e99fa33f4a5c9eb95ce698fdaa7a36b5c

  • SHA512

    ea4c6356f86d0fe776ac98cefb6dd42c2d9e6c740fc344dab497c427708ecea0191ad6852bfdd200bbd6265f547a6b77ab3e53180da42ea9ffe9fe9d41e9fa85

  • SSDEEP

    3072:lgsmet6LIYizu+/bKZwZzpDaHM+Hov3wqEzXD4cJt84ImR771Vqz/BxP:G4t6Ls1BzyZHIaD4qt84IG7nqVxP

  Score

  10^/10

  discoverybitratpersistencetrojanupx

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks QEMU agent file

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2