bitrat | 0dec26f0ed31eafa41f5141a4342f84f5245ba6d097904ed1fdb11a6df1ce606

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Agmyifoqpppqql.exe
Size

862KB
MD5

3ef0ccacab6da0cc01820bef21c54d16
SHA1

be6ad9046732a3e90272ddc7f561180fb003f909
SHA256

0dec26f0ed31eafa41f5141a4342f84f5245ba6d097904ed1fdb11a6df1ce606
SHA512

cd6810886e0fc82a7b7e4de2f81f9e8458676895511f24af4c332866af20482745557b40bc3ae8ce8d4958c6d8d40bd843ee17c46a7c56114c9cfdbba48f6593
SSDEEP

12288:fSj5lclcaywFMtTPWQOQSJU3FtJlpCBIUQZC2fRuHT6Kk/RqIkr:fSVKFp6rfn/VXPCyE2fMuqI

Score

10^/10

bitrat modiloader persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

su1d.nerdpol.ovh:2288

Attributes

communication_password
653d716345d8915046b904b90f41f271
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/4412-132-0x0000000002350000-0x000000000237B000-memory.dmp	modiloader_stage2

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4412-135-0x0000000010410000-0x00000000107F4000-memory.dmp	upx
behavioral2/memory/4412-136-0x0000000010410000-0x00000000107F4000-memory.dmp	upx
behavioral2/memory/4872-138-0x0000000010410000-0x00000000107F4000-memory.dmp	upx
behavioral2/memory/4872-139-0x0000000010410000-0x00000000107F4000-memory.dmp	upx
behavioral2/memory/4872-141-0x0000000010410000-0x00000000107F4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Agmyifoq = "C:\\Users\\Public\\Libraries\\qofiymgA.url"	Agmyifoqpppqql.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
4872	colorcpl.exe
4872	colorcpl.exe
4872	colorcpl.exe
4872	colorcpl.exe
4872	colorcpl.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4412	Agmyifoqpppqql.exe
4412	Agmyifoqpppqql.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4872	colorcpl.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4872	colorcpl.exe
4872	colorcpl.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88
PID 4412 wrote to memory of 4872	4412	Agmyifoqpppqql.exe	88

C:\Users\Admin\AppData\Local\Temp\Agmyifoqpppqql.exe
"C:\Users\Admin\AppData\Local\Temp\Agmyifoqpppqql.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\SysWOW64\colorcpl.exe
  C:\Windows\System32\colorcpl.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4412-132-0x0000000002350000-0x000000000237B000-memory.dmp

Filesize
172KB

Download
memory/4412-135-0x0000000010410000-0x00000000107F4000-memory.dmp

Filesize
3.9MB

Download
memory/4412-136-0x0000000010410000-0x00000000107F4000-memory.dmp

Filesize
3.9MB

Download
memory/4872-138-0x0000000010410000-0x00000000107F4000-memory.dmp

Filesize
3.9MB

Download
memory/4872-139-0x0000000010410000-0x00000000107F4000-memory.dmp

Filesize
3.9MB

Download
memory/4872-140-0x0000000074D60000-0x0000000074D99000-memory.dmp

Filesize
228KB

Download
memory/4872-141-0x0000000010410000-0x00000000107F4000-memory.dmp

Filesize
3.9MB

Download