Overview

overview

10

Static

static

1

Predictor ....9.exe

windows10-1703-x64

10

Predictor ....9.exe

windows10-2004-x64

10

Resubmissions

21-08-2023 15:40

230821-s39vqadh37 10

11-08-2023 19:23

230811-x36khsac6w 10

Analysis

  • max time kernel
    596s
  • max time network
    391s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    21-08-2023 15:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Predictor V6.3/Predictor V6.3.9.exe

  • Size

    658KB

  • MD5

    ab63396cb0774ac41107b7b112f81d5a

  • SHA1

    f5dc67429147e886b01413472496576a2ee34075

  • SHA256

    9a43c57f3e98bd69789e8ccbeef2c1b6b5a3b1d06d63257bb4bd58dffa23689d

  • SHA512

    2121961ae2b154ba941af6937d0522505ec7e323094fb2edc7058194ae958bcf866bbbc7842924236b8635917800d0708eaabff6112f131f496189bb6e021699

  • SSDEEP

    12288:BKwp3N7HPqUeL31VI1kR8BgrsEofzwHJem7OzwHJe0IhfiZ:swp97HyUeLFVIuRCgrsEorwpemIwpels

Score
10/10
bitrattrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

185.157.162.126:443

Attributes
  • communication_password

    a76d949640a165da25ccfe9a8fd82c8a

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Predictor V6.3\Predictor V6.3.9.exe
    "C:\Users\Admin\AppData\Local\Temp\Predictor V6.3\Predictor V6.3.9.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4184
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4804
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • NTFS ADS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\533a577f
    Filesize

    4.2MB

    MD5

    d9a995ee7041126832c9088c03e68288

    SHA1

    3e0ad7a71c4b5976013b946a5c075a94c2660685

    SHA256

    0bf219d88b2db83fc8f2d31e249aca03b02b4f4ef9ce175c05f36ac45ff61517

    SHA512

    ab79f3ddc63e138c99bae2949edfb2d8b739bb67c4147931517c5baacb68961e3c973e560c3d59383dde16ba97170fc85af4a10016add3d6d7b4562b1c7c95a7

    Download Submit

  • memory/4184-117-0x00007FFCE9BE0000-0x00007FFCEB28E000-memory.dmp

    Filesize

    22.7MB

    Download

  • memory/4804-120-0x00007FFD07570000-0x00007FFD0774B000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4840-132-0x00000000719B0000-0x00000000719EA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4840-134-0x0000000002C00000-0x0000000002FCE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4840-128-0x00000000002C0000-0x00000000006FF000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/4840-129-0x0000000002C00000-0x0000000002FCE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4840-131-0x0000000071B00000-0x0000000071B3A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4840-123-0x00007FFD07570000-0x00007FFD0774B000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4840-133-0x0000000002C00000-0x0000000002FCE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4840-124-0x0000000002C00000-0x0000000002FCE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4840-135-0x0000000002C00000-0x0000000002FCE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4840-141-0x0000000071B00000-0x0000000071B3A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4840-142-0x00000000719B0000-0x00000000719EA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4840-165-0x0000000002C00000-0x0000000002FCE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4840-168-0x0000000002C00000-0x0000000002FCE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4840-184-0x0000000002C00000-0x0000000002FCE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4840-189-0x0000000002C00000-0x0000000002FCE000-memory.dmp

    Filesize

    3.8MB

    Download