General

  • Target

    8b941106c15c86f683f9c7420254be7079959c27b096e039e7cdc4a76120cc91

  • Size

    8.0MB

  • Sample

    221125-l9ql4ahh59

  • MD5

    6f4a7cf18cc2687f7a1c8c4960d0e090

  • SHA1

    eeb4a11a96dfd70d740ce52dba408a9650e58e85

  • SHA256

    8b941106c15c86f683f9c7420254be7079959c27b096e039e7cdc4a76120cc91

  • SHA512

    a678b537e5a2a61df68acf67ad4e2eba5aec67ec1da9cc1d45d11d35b69473606abea8d91700123330ac6b0f37a1a8e11202b1b2fc38e6c2d2db3aa5a9521ffa

  • SSDEEP

    196608:N5JBCkq3tRhyL12aBcgjwikRpe+WsHZSyuf9E4:lBCkAVyLT+ndLbuF

Malware Config

Extracted

Family

bitrat

Version

1.34

C2

logonapplication.ddns.net:4016

Attributes

  • communication_password

    c4ca4238a0b923820dcc509a6f75849b

  • tor_process

    tor

Targets

    • Target

      8b941106c15c86f683f9c7420254be7079959c27b096e039e7cdc4a76120cc91

    • Size

      8.0MB

    • MD5

      6f4a7cf18cc2687f7a1c8c4960d0e090

    • SHA1

      eeb4a11a96dfd70d740ce52dba408a9650e58e85

    • SHA256

      8b941106c15c86f683f9c7420254be7079959c27b096e039e7cdc4a76120cc91

    • SHA512

      a678b537e5a2a61df68acf67ad4e2eba5aec67ec1da9cc1d45d11d35b69473606abea8d91700123330ac6b0f37a1a8e11202b1b2fc38e6c2d2db3aa5a9521ffa

    • SSDEEP

      196608:N5JBCkq3tRhyL12aBcgjwikRpe+WsHZSyuf9E4:lBCkAVyLT+ndLbuF

    • BitRAT

      BitRAT is a remote access tool written in C++ that reuses leaked source code from other malware families.

    • Modifies security service

    • Looks for VirtualBox Guest Additions in registry

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Loads dropped DLL

    • Windows security modification

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks