Analysis

  • max time kernel
    177s
  • max time network
    200s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-12-2022 15:21

General

  • Target

    Ahsbytgmuhjvbo.exe

  • Size

    1010KB

  • MD5

    2806e80a494fbf0977dc9e18999f6cc8

  • SHA1

    35d892ec891da46a0592d2cfebcc3afb4f67ee6e

  • SHA256

    16ba74e590acbf2a285ae1e15864ef7cdeff576542f0f430ab83481ea52b729a

  • SHA512

    3cc0b75728fabc71245ecd2d801cb2ed088b2078e3c7e223f791096cf4cd149a007fe33978a626fafea31c48d63f6efe071db8fa2dd4012e0b5e4a45a2db1749

  • SSDEEP

    24576:owfXt2qCbasU3cyK9pNhMhtrjxLF7Zl/ronBb5:oEcO+9bh+1lLF3MnBb

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

su1d.nerdpol.ovh:2288

Attributes
  • communication_password

    653d716345d8915046b904b90f41f271

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ahsbytgmuhjvbo.exe
    "C:\Users\Admin\AppData\Local\Temp\Ahsbytgmuhjvbo.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Windows\SysWOW64\wscript.exe
      C:\Windows\System32\wscript.exe
      2⤵
        PID:1288

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1288-139-0x0000000010410000-0x00000000107F4000-memory.dmp

    Filesize

    3.9MB

  • memory/1288-140-0x0000000010410000-0x00000000107F4000-memory.dmp

    Filesize

    3.9MB

  • memory/1444-133-0x0000000002340000-0x000000000236B000-memory.dmp

    Filesize

    172KB

  • memory/1444-136-0x0000000010410000-0x00000000107F4000-memory.dmp

    Filesize

    3.9MB

  • memory/1444-137-0x0000000010410000-0x00000000107F4000-memory.dmp

    Filesize

    3.9MB