Analysis

  • max time kernel
    148s
  • max time network
    168s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-01-2023 18:57

General

  • Target

    b8e41e942aa1da72e79abe17a2b53bd711302372c53d598b5acf7bb507c5db2c.exe

  • Size

    3.9MB

  • MD5

    3930ae2afd78cebd07ee522014f942bc

  • SHA1

    c074738840116989c397e776f6765a7d2b05090c

  • SHA256

    b8e41e942aa1da72e79abe17a2b53bd711302372c53d598b5acf7bb507c5db2c

  • SHA512

    df24b7edfd9d402f906f30eba48a3b8f4adfc3441ac4132faaca5cace1103e4e3ebc59d0f3eac9fb4908d94773e9b982dcee733079be2ec8865b40fe3b5ac2c3

  • SSDEEP

    98304:glSQqo5yaawMonJBQ0vaQpcj9qAauBaj/S3+39Uox68a7x:aqKysMoJC+Hajacaj/SIx6l7x

Malware Config

Extracted

Family

bitrat

Version

1.34

C2

37.46.150.134:8899

Attributes
  • communication_password

    19725ba371ae91990ff07d0f95218af7

  • install_dir

    {WinAPIN}

  • install_file

    WinAPINHelper.exe

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (5 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8e41e942aa1da72e79abe17a2b53bd711302372c53d598b5acf7bb507c5db2c.exe
    "C:\Users\Admin\AppData\Local\Temp\b8e41e942aa1da72e79abe17a2b53bd711302372c53d598b5acf7bb507c5db2c.exe"
    (process tree depth 1)
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Users\Admin\AppData\Local\Temp\b8e41e942aa1da72e79abe17a2b53bd711302372c53d598b5acf7bb507c5db2c.exe
      "C:\Users\Admin\AppData\Local\Temp\b8e41e942aa1da72e79abe17a2b53bd711302372c53d598b5acf7bb507c5db2c.exe"
      (process tree depth 2)
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1756
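The extracted config (C2 37.46.150.134:8899, install_file WinAPINHelper.exe, Run-key persistence) and the process tree above (the sample launching a second copy of itself and reaching into it with SetThreadContext, WriteProcessMemory and MapViewOfSection) are the pieces a responder would turn into host and network detections. The script below is an added example for this page, not part of the sandbox report or of any vendor tooling: it evaluates those indicators against Sysmon-style event records. The records in SAMPLE_EVENTS are constructed for the example, not captured telemetry, and the on-disk install path under AppData\Roaming is an assumption (the report only prints the templated install_dir `{WinAPIN}`).

```python
"""Hunt for this report's BitRAT indicators across Sysmon-style events.

Added illustration for this page; not part of the sandbox report or of
any vendor tooling. The event records in SAMPLE_EVENTS are constructed
for the example, not captured from a real host.
"""
import re

# Indicators taken from the report (General, Malware Config, Processes).
C2_HOST, C2_PORT = "37.46.150.134", 8899
INSTALL_FILE = "WinAPINHelper.exe"
SAMPLE_SHA256 = "b8e41e942aa1da72e79abe17a2b53bd711302372c53d598b5acf7bb507c5db2c"
SAMPLE_MD5 = "3930ae2afd78cebd07ee522014f942bc"
# Matches HKCU/HKLM/HKU Run keys regardless of the hive prefix.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


def parse_hashes(field: str) -> dict:
    """Sysmon writes hashes as 'SHA256=...,MD5=...'; return {algo: hexdigest}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def check_event(ev: dict) -> list:
    """Return the names of the indicators this event matches (empty if none)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        hashes = parse_hashes(ev.get("Hashes", ""))
        if hashes.get("SHA256") == SAMPLE_SHA256 or hashes.get("MD5") == SAMPLE_MD5:
            hits.append("known_sample_hash")
        image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
        # The report's process tree: the sample spawns a second copy of itself
        # and then manipulates it (SetThreadContext, WriteProcessMemory,
        # MapViewOfSection), the usual shape of self-injection.
        if image and image.lower() == parent.lower():
            hits.append("self_spawn")
        if image.lower().endswith("\\" + INSTALL_FILE.lower()):
            hits.append("install_file_executed")
    elif eid == 3:  # network connection
        if ev.get("DestinationIp") == C2_HOST and int(ev.get("DestinationPort", 0)) == C2_PORT:
            hits.append("c2_connection")
    elif eid == 13:  # registry value set
        target, details = ev.get("TargetObject", ""), ev.get("Details", "")
        if RUN_KEY_RE.search(target) and INSTALL_FILE.lower() in details.lower():
            hits.append("run_key_persistence")
    return hits


def scan(events) -> dict:
    """Map RecordId to its hits for every event that matched at least one indicator."""
    return {ev["RecordId"]: h for ev in events if (h := check_event(ev))}


SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE_SHA256 + ".exe"

# Constructed events (not real telemetry) shaped like the report's process tree.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": SAMPLE, "ParentImage": "C:\\Windows\\explorer.exe",
     "Hashes": "SHA256=" + SAMPLE_SHA256.upper() + ",MD5=" + SAMPLE_MD5.upper()},
    {"RecordId": 2, "EventID": 1, "Image": SAMPLE, "ParentImage": SAMPLE,
     "Hashes": "SHA256=" + SAMPLE_SHA256 + ",MD5=" + SAMPLE_MD5},
    {"RecordId": 3, "EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinAPINHelper",
     # Assumed install path; the report only shows the templated dir {WinAPIN}.
     "Details": "C:\\Users\\Admin\\AppData\\Roaming\\WinAPIN\\WinAPINHelper.exe"},
    {"RecordId": 4, "EventID": 3, "DestinationIp": C2_HOST, "DestinationPort": "8899"},
    {"RecordId": 5, "EventID": 3, "DestinationIp": "8.8.8.8", "DestinationPort": "53"},  # benign
]

if __name__ == "__main__":
    for rid, hits in scan(SAMPLE_EVENTS).items():
        print(rid, hits)
```

The self-spawn check is the most durable of the four: hashes and C2 addresses change with every build, but a process creating a second instance of its own image and then writing into it is how this family (and many others) gets its real payload running, so it belongs in the detection even after the atomic indicators go stale.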

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1352-56-0x0000000000C7E000-0x0000000000C83000-memory.dmp

    Filesize

    20KB

  • memory/1352-69-0x00000000003F0000-0x00000000003F7000-memory.dmp

    Filesize

    28KB

  • memory/1756-68-0x0000000000689A84-mapping.dmp

  • memory/1756-70-0x0000000000400000-0x00000000007CD000-memory.dmp

    Filesize

    3.8MB

  • memory/1756-71-0x0000000075601000-0x0000000075603000-memory.dmp

    Filesize

    8KB
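The dump names above encode the PID, a sequence number and the address range of each region, and the reported sizes follow directly from the ranges (0x7CD000 - 0x400000 = 3,985,408 bytes, which the report rounds to 3.8MB). The helper below is an added example for this page, not the sandbox's own tooling; it assumes only the naming pattern visible in the Downloads list (`memory/<pid>-<index>-<start>-<end>-memory.dmp` for a region, `memory/<pid>-<index>-<address>-mapping.dmp` for a single mapped address) and picks the region an analyst would open first: the largest region dump of the child PID, which here starts at 0x400000, the classic default image base for 32-bit PE files, and is within a few percent of the 3.9MB sample size.

```python
"""Parse the memory-dump names a sandbox report lists and rank the regions.

Added example for this page, not tooling from the sandbox vendor. The
name format is assumed from the Downloads list on the page.
"""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


def parse_dump_name(name: str) -> dict:
    """Split a dump file name into pid, index, kind, start, end and size (bytes).

    A mapping dump carries a single address, so its end and size are None.
    """
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError("unrecognised dump name: " + name)
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "name": name,
        "pid": int(m["pid"]),
        "index": int(m["idx"]),
        "kind": m["kind"],
        "start": start,
        "end": end,
        "size": (end - start) if end is not None else None,
    }


def human_size(n: int) -> str:
    """Render a byte count the way the report does: whole KB below 1MB, else one-decimal MB."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def largest_region(names, pid: int) -> dict:
    """Return the biggest region dump for pid; that is usually where a written-in image lives."""
    regions = [d for d in map(parse_dump_name, names) if d["pid"] == pid and d["kind"] == "memory"]
    if not regions:
        raise ValueError(f"no region dumps for pid {pid}")
    return max(regions, key=lambda d: d["size"])


# The five entries from this report's Downloads list.
REPORT_DUMPS = [
    "memory/1352-56-0x0000000000C7E000-0x0000000000C83000-memory.dmp",
    "memory/1352-69-0x00000000003F0000-0x00000000003F7000-memory.dmp",
    "memory/1756-68-0x0000000000689A84-mapping.dmp",
    "memory/1756-70-0x0000000000400000-0x00000000007CD000-memory.dmp",
    "memory/1756-71-0x0000000075601000-0x0000000075603000-memory.dmp",
]

if __name__ == "__main__":
    for d in map(parse_dump_name, REPORT_DUMPS):
        size = human_size(d["size"]) if d["size"] is not None else "-"
        print(f"pid {d['pid']} #{d['index']:<3} {d['kind']:<7} 0x{d['start']:08X} {size}")
    best = largest_region(REPORT_DUMPS, 1756)
    print("open first:", best["name"], human_size(best["size"]))
```

The mapping entry for PID 1756 (0x689A84) sits inside the 0x400000-0x7CD000 range, so it is a single address within that same image region rather than a separate allocation; the 8KB region at 0x75601000 is in the address space where system DLLs are typically mapped on this platform and is the least interesting of the three for payload recovery.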