Resubmissions

08-05-2023 11:36

230508-nq3tesad58 10

11-11-2021 12:24

211111-plhs5abcc8 8

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    08-05-2023 11:36

General

  • Target

    99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe

  • Size

    11.7MB

  • MD5

    0013ee610f83b401007adbefef051305

  • SHA1

    f322e18219aa1abd91640b4d2b47fc1992068d16

  • SHA256

    99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff

  • SHA512

    27abdf3bd117cd85e18d633ddcb35586791cc7f41caf9797fdbdc726befd140c8dbd2a3a3a032581f1f20e226b6f29327a6f9892255ab6b69c27d1e13719fe5b

  • SSDEEP

    196608:f6/ssSAAdFmYR0BwJ6DOlmreNUbR8cTGVqdZtzQ4cXwokT0YETuhtNo2vwDYpmv+:f69sFmYR0CJ6UmCNUbR8uGotzSXjkMud

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

145.239.202.9:4598

Attributes
  • communication_password

    2ff037574f878c384918323c55e52186

  • tor_process

    tor

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

  • Babadeda Crypter 1 IoCs
  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe
    "C:\Users\Admin\AppData\Local\Temp\99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe
      "C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1624

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\Lang\it\Phototheca EULA.rtf

    Filesize

    5KB

    MD5

    9325aee138a4d9a15d651920fb403ffc

    SHA1

    19eb57cd989571fa8cd426cbd680430c0e006408

    SHA256

    9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35

    SHA512

    d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

  • C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe

    Filesize

    6.2MB

    MD5

    ec538ff191a52b5ca9f67ae5d5d56908

    SHA1

    fb583f5953db1c0397859bb91afd5b0a5f6f366c

    SHA256

    358211210e0bb34dd77073bb0de64bb80723f3434594caf1a95d0ed164ee87a1

    SHA512

    ce80b6c4783459da9bead38dd204e5046b046098bf22f4d853a048ed89c20757c7992d4512d83163dcb8f94e0fb45a021b639f5e2323236fece49a7de8c4b787

  • C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe

    Filesize

    6.2MB

    MD5

    ec538ff191a52b5ca9f67ae5d5d56908

    SHA1

    fb583f5953db1c0397859bb91afd5b0a5f6f366c

    SHA256

    358211210e0bb34dd77073bb0de64bb80723f3434594caf1a95d0ed164ee87a1

    SHA512

    ce80b6c4783459da9bead38dd204e5046b046098bf22f4d853a048ed89c20757c7992d4512d83163dcb8f94e0fb45a021b639f5e2323236fece49a7de8c4b787

  • C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\libfont-0.6.dll

    Filesize

    3.9MB

    MD5

    e653f13bf4b225f1c7dce0e6404fc52a

    SHA1

    6e2ba578d8c14967a5ff2abbcce67a0e732c43d9

    SHA256

    ce3758d494132e7bef7ea87bb8379bb9f4b0c82768d65881139e1ec1838f236c

    SHA512

    96ced8dae8fb070cbc0a476d1a0a50233cc47f56e3621603d06e89db8667f3a611037395be729e075b40406860b80cd0fc0eb22603706845a762e9b15ad75efd

  • C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\menu.xml

    Filesize

    7.7MB

    MD5

    bacfa288e5c0f18a8f2c94d208d7c760

    SHA1

    912bd515c26f794cc65fa066ac01216cc7d35893

    SHA256

    080340cb4ced8a16cad2131dc2ac89e1516d0ebe5507d91b3e8fb341bfcfe7d8

    SHA512

    329e88c703ede60b537a94cc4b64e890048552de05a4a26530a770ead698644d38c34ece53ee4027ecc994613465cba76d15a5c560d586b3579465bb2e17637a

  • \Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe

    Filesize

    6.2MB

    MD5

    ec538ff191a52b5ca9f67ae5d5d56908

    SHA1

    fb583f5953db1c0397859bb91afd5b0a5f6f366c

    SHA256

    358211210e0bb34dd77073bb0de64bb80723f3434594caf1a95d0ed164ee87a1

    SHA512

    ce80b6c4783459da9bead38dd204e5046b046098bf22f4d853a048ed89c20757c7992d4512d83163dcb8f94e0fb45a021b639f5e2323236fece49a7de8c4b787

  • \Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe

    Filesize

    6.2MB

    MD5

    ec538ff191a52b5ca9f67ae5d5d56908

    SHA1

    fb583f5953db1c0397859bb91afd5b0a5f6f366c

    SHA256

    358211210e0bb34dd77073bb0de64bb80723f3434594caf1a95d0ed164ee87a1

    SHA512

    ce80b6c4783459da9bead38dd204e5046b046098bf22f4d853a048ed89c20757c7992d4512d83163dcb8f94e0fb45a021b639f5e2323236fece49a7de8c4b787

  • \Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\libfont-0.6.dll

    Filesize

    3.9MB

    MD5

    e653f13bf4b225f1c7dce0e6404fc52a

    SHA1

    6e2ba578d8c14967a5ff2abbcce67a0e732c43d9

    SHA256

    ce3758d494132e7bef7ea87bb8379bb9f4b0c82768d65881139e1ec1838f236c

    SHA512

    96ced8dae8fb070cbc0a476d1a0a50233cc47f56e3621603d06e89db8667f3a611037395be729e075b40406860b80cd0fc0eb22603706845a762e9b15ad75efd

  • memory/1624-353-0x00000000012A0000-0x00000000018E3000-memory.dmp

    Filesize

    6.3MB

  • memory/1624-360-0x00000000012A0000-0x00000000018E3000-memory.dmp

    Filesize

    6.3MB

  • memory/1624-356-0x00000000012A0000-0x00000000018E3000-memory.dmp

    Filesize

    6.3MB

  • memory/1624-348-0x00000000012A0000-0x00000000018E3000-memory.dmp

    Filesize

    6.3MB

  • memory/1624-354-0x00000000012A0000-0x00000000018E3000-memory.dmp

    Filesize

    6.3MB

  • memory/1984-345-0x0000000002580000-0x0000000002590000-memory.dmp

    Filesize

    64KB

  • memory/1984-352-0x0000000000400000-0x000000000072F000-memory.dmp

    Filesize

    3.2MB

  • memory/1984-54-0x0000000000400000-0x000000000072F000-memory.dmp

    Filesize

    3.2MB

  • memory/1984-346-0x0000000003660000-0x0000000003CA3000-memory.dmp

    Filesize

    6.3MB

  • memory/1984-55-0x00000000001D0000-0x00000000001D1000-memory.dmp

    Filesize

    4KB