Overview

overview

10

Static

static

1

Predictor ....9.exe

windows10-1703-x64

10

Predictor ....9.exe

windows10-2004-x64

10

Resubmissions

21-08-2023 15:40

230821-s39vqadh37 10

11-08-2023 19:23

230811-x36khsac6w 10

Analysis

  • max time kernel
    79s
  • max time network
    85s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-08-2023 15:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Predictor V6.3/Predictor V6.3.9.exe

  • Size

    658KB

  • MD5

    ab63396cb0774ac41107b7b112f81d5a

  • SHA1

    f5dc67429147e886b01413472496576a2ee34075

  • SHA256

    9a43c57f3e98bd69789e8ccbeef2c1b6b5a3b1d06d63257bb4bd58dffa23689d

  • SHA512

    2121961ae2b154ba941af6937d0522505ec7e323094fb2edc7058194ae958bcf866bbbc7842924236b8635917800d0708eaabff6112f131f496189bb6e021699

  • SSDEEP

    12288:BKwp3N7HPqUeL31VI1kR8BgrsEofzwHJem7OzwHJe0IhfiZ:swp97HyUeLFVIuRCgrsEorwpemIwpels

Score
10/10
bitrattrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

185.157.162.126:443

Attributes
  • communication_password

    a76d949640a165da25ccfe9a8fd82c8a

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 45 IoCs
  • Suspicious use of SendNotifyMessage 44 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Predictor V6.3\Predictor V6.3.9.exe
    "C:\Users\Admin\AppData\Local\Temp\Predictor V6.3\Predictor V6.3.9.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4700
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2580
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:676
    • C:\Users\Admin\AppData\Local\Temp\Predictor V6.3\Predictor V6.3.9.exe
      "C:\Users\Admin\AppData\Local\Temp\Predictor V6.3\Predictor V6.3.9.exe"
      1⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\SysWOW64\cmd.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:948
        • C:\Windows\SysWOW64\explorer.exe
          "C:\Windows\SysWOW64\explorer.exe"
          3⤵
            PID:1268
      • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
        "PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\AppData\Local\Temp\Predictor V6.3'
        1⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4676
        • C:\Users\Admin\AppData\Local\Temp\Predictor V6.3\Predictor V6.3.9.exe
          "C:\Users\Admin\AppData\Local\Temp\Predictor V6.3\Predictor V6.3.9.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1252
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\SysWOW64\cmd.exe"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3216
      • C:\Windows\system32\launchtm.exe
        launchtm.exe /2
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4860
        • C:\Windows\System32\Taskmgr.exe
          "C:\Windows\System32\Taskmgr.exe" /2
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:1536

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\1632843e
        Filesize

        4.2MB

        MD5

        e980fac8c8ead148f038a0f810ff8c2c

        SHA1

        eda7a2f8ca27a1267fbba334f9719f7ba4ba9985

        SHA256

        729b31ee99a3c26eef7ac808b8f6f845b5ef3251e1fea8a1cbc078ff1b32ccbe

        SHA512

        be8e7e40dc78314eaa0cb9482ac439c9fe892fdb464529679ee7a48688fd382a22b05de4a57b17b461712dd5f9f02393dd35c11a5956798466fde3e9794ac3a1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\24fa106c
        Filesize

        4.2MB

        MD5

        e980fac8c8ead148f038a0f810ff8c2c

        SHA1

        eda7a2f8ca27a1267fbba334f9719f7ba4ba9985

        SHA256

        729b31ee99a3c26eef7ac808b8f6f845b5ef3251e1fea8a1cbc078ff1b32ccbe

        SHA512

        be8e7e40dc78314eaa0cb9482ac439c9fe892fdb464529679ee7a48688fd382a22b05de4a57b17b461712dd5f9f02393dd35c11a5956798466fde3e9794ac3a1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\2f9e193a
        Filesize

        4.2MB

        MD5

        e980fac8c8ead148f038a0f810ff8c2c

        SHA1

        eda7a2f8ca27a1267fbba334f9719f7ba4ba9985

        SHA256

        729b31ee99a3c26eef7ac808b8f6f845b5ef3251e1fea8a1cbc078ff1b32ccbe

        SHA512

        be8e7e40dc78314eaa0cb9482ac439c9fe892fdb464529679ee7a48688fd382a22b05de4a57b17b461712dd5f9f02393dd35c11a5956798466fde3e9794ac3a1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wtm0lm11.fbv.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • memory/948-159-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/1252-162-0x00007FFD2CDA0000-0x00007FFD2E417000-memory.dmp
        Filesize

        22.5MB

        Download
      • memory/1268-193-0x0000000001200000-0x00000000015CE000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/1268-192-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/1536-165-0x000001EA88FE0000-0x000001EA88FE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1536-167-0x000001EA88FE0000-0x000001EA88FE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1536-177-0x000001EA88FE0000-0x000001EA88FE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1536-176-0x000001EA88FE0000-0x000001EA88FE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1536-175-0x000001EA88FE0000-0x000001EA88FE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1536-174-0x000001EA88FE0000-0x000001EA88FE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1536-173-0x000001EA88FE0000-0x000001EA88FE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1536-171-0x000001EA88FE0000-0x000001EA88FE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1536-172-0x000001EA88FE0000-0x000001EA88FE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1536-166-0x000001EA88FE0000-0x000001EA88FE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2140-133-0x00007FFD3E8A0000-0x00007FFD3FF17000-memory.dmp
        Filesize

        22.5MB

        Download
      • memory/2580-183-0x0000000000600000-0x00000000009CE000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2580-189-0x0000000000600000-0x00000000009CE000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/2580-191-0x00000000729E0000-0x0000000072A19000-memory.dmp
        Filesize

        228KB

        Download
      • memory/2580-190-0x0000000072B70000-0x0000000072BA9000-memory.dmp
        Filesize

        228KB

        Download
      • memory/2580-188-0x00000000009F0000-0x0000000000E23000-memory.dmp
        Filesize

        4.2MB

        Download
      • memory/2580-180-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/3216-182-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4028-138-0x00007FFD3BCF0000-0x00007FFD3D367000-memory.dmp
        Filesize

        22.5MB

        Download
      • memory/4676-157-0x000001DB6C2C0000-0x000001DB6C336000-memory.dmp
        Filesize

        472KB

        Download
      • memory/4676-156-0x000001DB6C1F0000-0x000001DB6C234000-memory.dmp
        Filesize

        272KB

        Download
      • memory/4676-142-0x000001DB53190000-0x000001DB531B2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4676-155-0x000001DB6B4F0000-0x000001DB6B500000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4676-154-0x000001DB6B4F0000-0x000001DB6B500000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4676-153-0x000001DB6B4F0000-0x000001DB6B500000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4676-163-0x00007FFD3E8C0000-0x00007FFD3F381000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4676-160-0x000001DB6C240000-0x000001DB6C25E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/4676-152-0x00007FFD3E8C0000-0x00007FFD3F381000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4700-136-0x00007FFD5CC30000-0x00007FFD5CE25000-memory.dmp
        Filesize

        2.0MB

        Download