General

  • Target: AgADsgEAAk2gOEc-Email Extractor 7.2.3.1_ cracked.exe.zip
  • Size: 139.3MB
  • Sample: 230526-awmshadg2z
  • MD5: 3a1f4fe3e7a892c50750f13b6e12eec6
  • SHA1: 0aa8b50439214774ad98f87652a7a17ed1bee157
  • SHA256: 29ed1b4d59d13877c2543bcbf8fed3d360d39ec14e5b785a4fdf749c646a1fe1
  • SHA512: 8289e12fc5b02dcd4e23d2aa2ee27cefbc1e6d300a4d94afa30e9013bb44c8b33494895164016dd3bc4bb53ca622ca3fe90ce9e38c32303418bae9fafc2b17de
  • SSDEEP: 3145728:HXu05zhqUn23VQz+nAu6MsHg21ZNtSxkD8UE+gSt0cGybXjYH+:HXu0KM2dnAy521ZNtSxkD8U+u0cBbXjD

Malware Config

Extracted

  • Family: bitrat
  • Version: 1.38
  • C2: rproxy.wefriendsright.xyz:8092
  • Attributes
      • communication_password: 1e211f38968f4e2faae85d9096210761
      • install_dir: ms
      • install_file: dwm.exe
      • tor_process: tor

Targets

    • Target: Email Extractor 7.2.3.1_ cracked.exe
    • Size: 141.5MB
    • MD5: 987173e25c40794526c0209220e45c0b
    • SHA1: 0671fd2d1262c186536beeed5900b777e04814ac
    • SHA256: 0be090ccf16640b5a2aa4a7333dd10b68198fac8cc9e584b68055482cfe59719
    • SHA512: cbd2917f25c4a69724c52e6fb7443cf9ce7003c32cafa016e3f0043f7e102ec09144ed9ec1650290def3f64e0cb863e90592fc7241b19291a3c66062785d38ec
    • SSDEEP: 3145728:YVOeRb7DSPN06pi+E0eza3QCUQP3drqOaCKvv3iwlOSrCZq9czaMe:YVOeVA06pszaDb/drqOaCKvv3iwsgCkL

    • BitRAT
      BitRAT is a remote access tool written in C++ that reuses leaked source code from other malware families.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Executes dropped EXE
    • Loads dropped DLL
    • UPX packed file
      Detects executables packed with the UPX open-source packer or a modified variant of it.
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
      • Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
      • Modify Registry (T1112): 1
  • Discovery
      • Query Registry (T1012): 1
      • System Information Discovery (T1082): 2

Tasks