Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-09-2023 06:16

General

  • Target

    Stub.exe

  • Size

    3.8MB

  • MD5

    5d422b017137a0060e7de3b1ddff3fbb

  • SHA1

    fbc8138cc80dd477ec6bd45ade7bdd27de251260

  • SHA256

    c733abcd9c2a5c1734242bc3238dd44e9aaf7e2c01878bebe2751c1b99f9a658

  • SHA512

    b5794b69eb87e6e3f0fe19dfe0734a94fb342e27dc3e2936abd052d7cf8f82b672d28a250378b15c3631be6ce60a21643573d372a12917d5cbfa941f17fd4bdc

  • SSDEEP

    98304:d77Pmq33rE/JDLPWZADUGer7B6iY74M/7mlwXVZ4FB:5+R/eZADUXR

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

smgqnt3eixxksasu.xyz:1234

Attributes
  • communication_password

    30afda4853ef5b1bc36463ba95d84247

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ that reuses leaked source code from other malware families.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Stub.exe
    "C:\Users\Admin\AppData\Local\Temp\Stub.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3904
    • C:\Users\Admin\AppData\Local\Temp\wGThotehCeA2xBFO.exe
      "C:\Users\Admin\AppData\Local\Temp\wGThotehCeA2xBFO.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4476
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "wGThotehCeA2xBFO" /t REG_SZ /F /D "C:\Users\Admin\Documents\wGThotehCeA2xBFO.pif"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4612
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "wGThotehCeA2xBFO" /t REG_SZ /F /D "C:\Users\Admin\Documents\wGThotehCeA2xBFO.pif"
          4⤵
          • Adds Run key to start application
          PID:1328
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\wGThotehCeA2xBFO.exe" "C:\Users\Admin\Documents\wGThotehCeA2xBFO.pif"
        3⤵
        PID:4560
      • C:\Users\Admin\AppData\Local\Temp\wGThotehCeA2xBFO.exe
        "C:\Users\Admin\AppData\Local\Temp\wGThotehCeA2xBFO.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:500
        • C:\Users\Admin\AppData\Local\Temp\WwesZMdpwMbMzj4X.exe
          "C:\Users\Admin\AppData\Local\Temp\WwesZMdpwMbMzj4X.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2244
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "WwesZMdpwMbMzj4X" /t REG_SZ /F /D "C:\Users\Admin\Documents\WwesZMdpwMbMzj4X.pif"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1584
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "WwesZMdpwMbMzj4X" /t REG_SZ /F /D "C:\Users\Admin\Documents\WwesZMdpwMbMzj4X.pif"
              6⤵
              • Adds Run key to start application
              PID:3104
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\WwesZMdpwMbMzj4X.exe" "C:\Users\Admin\Documents\WwesZMdpwMbMzj4X.pif"
            5⤵
            PID:4004
          • C:\Users\Admin\AppData\Local\Temp\WwesZMdpwMbMzj4X.exe
            "C:\Users\Admin\AppData\Local\Temp\WwesZMdpwMbMzj4X.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of AdjustPrivilegeToken
            PID:4340
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    1⤵
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry
    PID:2196
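The persistence step in the tree above is a two-part pattern: the dropped loader copies itself from %TEMP% into the user's Documents folder under a .pif name, then runs reg.exe to point an HKCU Run value at that copy. The following detection is an added example written for this page, not sandbox code; it runs over constructed process-creation records modelled on the tree (plus one benign-looking control event) and flags a Run-value write when the target lives under a user profile path, carries a non-.exe extension that Windows still executes as a PE (.pif, .scr, .com), or was just created by a copy command in the same batch of events. The event tuples, field order and the benign "Updater" entry are assumptions for illustration.

```python
"""Flag the Run-key persistence chain seen in the process tree above."""
import re
from typing import Dict, List, Tuple

# Constructed process-creation records (image, command line, parent pid, pid),
# modelled on the tree above plus one benign control; not sandbox output.
EVENTS: List[Tuple[str, str, int, int]] = [
    (r"C:\Users\Admin\AppData\Local\Temp\wGThotehCeA2xBFO.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\wGThotehCeA2xBFO.exe"', 3904, 4476),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "wGThotehCeA2xBFO" '
     r'/t REG_SZ /F /D "C:\Users\Admin\Documents\wGThotehCeA2xBFO.pif"', 4476, 4612),
    (r"C:\Windows\SysWOW64\reg.exe",
     r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "wGThotehCeA2xBFO" '
     r'/t REG_SZ /F /D "C:\Users\Admin\Documents\wGThotehCeA2xBFO.pif"', 4612, 1328),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\wGThotehCeA2xBFO.exe" '
     r'"C:\Users\Admin\Documents\wGThotehCeA2xBFO.pif"', 4476, 4560),
    # Assumed benign control: a vendor updater registering itself from Program Files.
    (r"C:\Windows\System32\reg.exe",
     r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Updater" '
     r'/t REG_SZ /F /D "C:\Program Files\Vendor\updater.exe"', 1000, 1001),
]

RUN_KEY = re.compile(
    r'\bREG\s+ADD\s+"?(HKCU|HKLM|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)'
    r'\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?"?', re.I)
VALUE_DATA = re.compile(r'/D\s+"([^"]+)"', re.I)
COPY_CMD = re.compile(r'\bcopy\s+"([^"]+)"\s+"([^"]+)"', re.I)
USER_WRITABLE = re.compile(r'^[A-Z]:\\Users\\', re.I)
# Extensions Windows will still run as a PE although the name does not say .exe
DISGUISED_EXT = (".pif", ".scr", ".com")


def assess_run_value(path: str) -> List[str]:
    """Reasons why a Run-value target path looks like malware persistence."""
    reasons = []
    if USER_WRITABLE.match(path):
        reasons.append("target under a user-writable profile path")
    ext = "." + path.rsplit(".", 1)[-1].lower() if "." in path else ""
    if ext in DISGUISED_EXT:
        reasons.append(f"PE disguised with {ext} extension")
    return reasons


def find_persistence(events: List[Tuple[str, str, int, int]]) -> List[Dict]:
    """Correlate reg.exe Run-key writes with prior copy commands in the same batch."""
    # Destination of every "copy src dst" seen, keyed by lower-cased destination path
    copies: Dict[str, Tuple[int, str]] = {}
    for _image, cmdline, _ppid, pid in events:
        m = COPY_CMD.search(cmdline)
        if m:
            copies[m.group(2).lower()] = (pid, m.group(1))

    findings = []
    for image, cmdline, _ppid, pid in events:
        if not image.lower().endswith("\\reg.exe"):
            continue  # cmd.exe wrappers carry the same text; report the writer once
        key, data = RUN_KEY.search(cmdline), VALUE_DATA.search(cmdline)
        if not (key and data):
            continue
        target = data.group(1)
        reasons = assess_run_value(target)
        src = copies.get(target.lower())
        if src:
            reasons.append(f"same path was just created by copying {src[1]} (pid {src[0]})")
        if reasons:
            findings.append({"pid": pid, "hive": key.group(1).upper(),
                             "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_persistence(EVENTS):
        print(f"pid {f['pid']}: {f['hive']}\\...\\Run -> {f['target']}")
        for r in f["reasons"]:
            print("   -", r)
```

Only the reg.exe event (PID 1328) is reported, with all three reasons; the control event writing an .exe under Program Files produces none. In production the copy correlation should be bounded by time and by process ancestry rather than by a whole batch, since an unrelated copy to the same path hours earlier is not evidence.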

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\WwesZMdpwMbMzj4X.exe

        Filesize

        112KB

        MD5

        a9db678b7bad6d2bae54505759452dd9

        SHA1

        b0ab52df85ec1595f0a2d1f4e4d09552ea27505a

        SHA256

        5c362423456076e89659ae8ad2069d05a12ec769d27623fea060c4c7715e27ea

        SHA512

        641c8a32a821b557cb7050d4ccfa1dfd5f02d4e6d5ce88f1ce305e9887d17c40368829c89a8e7f64880acd368288ed55a1b0b363b0b0f8da833eae2bf4cb807a

      • C:\Users\Admin\AppData\Local\Temp\wGThotehCeA2xBFO.exe

        Filesize

        112KB

        MD5

        a9db678b7bad6d2bae54505759452dd9

        SHA1

        b0ab52df85ec1595f0a2d1f4e4d09552ea27505a

        SHA256

        5c362423456076e89659ae8ad2069d05a12ec769d27623fea060c4c7715e27ea

        SHA512

        641c8a32a821b557cb7050d4ccfa1dfd5f02d4e6d5ce88f1ce305e9887d17c40368829c89a8e7f64880acd368288ed55a1b0b363b0b0f8da833eae2bf4cb807a

      • memory/500-88-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-122-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-131-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-127-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-58-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-124-0x00000000728F0000-0x0000000072929000-memory.dmp

        Filesize

        228KB

      • memory/500-59-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-118-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-114-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-111-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-60-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-110-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-38-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-41-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-42-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-104-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-44-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-45-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-46-0x00000000728F0000-0x0000000072929000-memory.dmp

        Filesize

        228KB

      • memory/500-47-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-48-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-49-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-50-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-51-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-52-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-53-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-54-0x00000000728F0000-0x0000000072929000-memory.dmp

        Filesize

        228KB

      • memory/500-55-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-56-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-57-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-126-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-100-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-87-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-61-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-82-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/500-76-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/2244-78-0x0000000072250000-0x0000000072A00000-memory.dmp

        Filesize

        7.7MB

      • memory/2244-79-0x0000000004D70000-0x0000000004D80000-memory.dmp

        Filesize

        64KB

      • memory/2244-97-0x0000000072250000-0x0000000072A00000-memory.dmp

        Filesize

        7.7MB

      • memory/2244-84-0x0000000072250000-0x0000000072A00000-memory.dmp

        Filesize

        7.7MB

      • memory/2244-85-0x0000000004D70000-0x0000000004D80000-memory.dmp

        Filesize

        64KB

      • memory/3904-109-0x0000000074910000-0x0000000074949000-memory.dmp

        Filesize

        228KB

      • memory/3904-108-0x0000000074590000-0x00000000745C9000-memory.dmp

        Filesize

        228KB

      • memory/3904-0-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/3904-1-0x0000000074590000-0x00000000745C9000-memory.dmp

        Filesize

        228KB

      • memory/3904-2-0x0000000074910000-0x0000000074949000-memory.dmp

        Filesize

        228KB

      • memory/4340-102-0x00000000728F0000-0x0000000072929000-memory.dmp

        Filesize

        228KB

      • memory/4340-96-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/4340-98-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/4340-103-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/4340-95-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

      • memory/4476-24-0x0000000000680000-0x00000000006A2000-memory.dmp

        Filesize

        136KB

      • memory/4476-43-0x0000000072250000-0x0000000072A00000-memory.dmp

        Filesize

        7.7MB

      • memory/4476-35-0x0000000007B60000-0x0000000007BC6000-memory.dmp

        Filesize

        408KB

      • memory/4476-26-0x0000000005660000-0x0000000005C04000-memory.dmp

        Filesize

        5.6MB

      • memory/4476-25-0x0000000072250000-0x0000000072A00000-memory.dmp

        Filesize

        7.7MB

      • memory/4476-34-0x0000000007AC0000-0x0000000007B5C000-memory.dmp

        Filesize

        624KB

      • memory/4476-33-0x00000000052B0000-0x00000000052C0000-memory.dmp

        Filesize

        64KB

      • memory/4476-32-0x0000000072250000-0x0000000072A00000-memory.dmp

        Filesize

        7.7MB

      • memory/4476-31-0x0000000005440000-0x000000000545E000-memory.dmp

        Filesize

        120KB

      • memory/4476-30-0x0000000006310000-0x0000000006386000-memory.dmp

        Filesize

        472KB

      • memory/4476-29-0x0000000005060000-0x000000000506A000-memory.dmp

        Filesize

        40KB

      • memory/4476-28-0x00000000052B0000-0x00000000052C0000-memory.dmp

        Filesize

        64KB

      • memory/4476-27-0x00000000050B0000-0x0000000005142000-memory.dmp

        Filesize

        584KB
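The memory-dump names above encode the PID, a sequence number and the dumped address range, and they are easier to reason about once grouped by process. Reading them that way shows that PIDs 500 and 4340, the processes started by the two 112KB loaders the report flags for SetThreadContext (4476 and 2244), each carry a 3.8MB region at 0x400000-0x7CE000, the same range and size as the original Stub.exe in PID 3904, while the loaders themselves show only small regions and a 7.7MB mapping. That is what one would expect if the loaders start a fresh process and replace its memory with the original payload, but the report only records the API use and the dump ranges, so treat it as a hypothesis to confirm against the dumps. The parser below is an added example written for this page, not Triage's code; the embedded list is a subset of the dump names copied from above, and the function and variable names are assumptions.

```python
"""Group the memory-dump entries above by process and address range."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, as rendered in the list above
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Subset of the dump names copied from the list above; the full list (one name
# per line, Filesize lines included) parses the same way.
DUMP_LIST = """\
memory/3904-0-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/3904-1-0x0000000074590000-0x00000000745C9000-memory.dmp
memory/4476-24-0x0000000000680000-0x00000000006A2000-memory.dmp
memory/4476-25-0x0000000072250000-0x0000000072A00000-memory.dmp
memory/500-38-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/500-46-0x00000000728F0000-0x0000000072929000-memory.dmp
memory/500-88-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2244-78-0x0000000072250000-0x0000000072A00000-memory.dmp
memory/4340-95-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/4340-102-0x00000000728F0000-0x0000000072929000-memory.dmp
"""

Region = Tuple[int, int]


def parse_dump_names(text: str) -> Dict[int, Counter]:
    """pid -> Counter of (start, end) regions, counting how often each was dumped."""
    regions: Dict[int, Counter] = defaultdict(Counter)
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:
            continue  # Filesize lines, sizes and blanks are ignored
        pid, start, end = int(m.group(1)), int(m.group(3), 16), int(m.group(4), 16)
        regions[pid][(start, end)] += 1
    return dict(regions)


def fmt_size(n: int) -> str:
    """Render a byte count the way the report does (KB below 1 MiB, else MB)."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def pids_sharing(regions: Dict[int, Counter], pid: int) -> Dict[Region, List[int]]:
    """For every region dumped from `pid`, the other pids holding an identical range."""
    return {r: sorted(p for p, rs in regions.items() if p != pid and r in rs)
            for r in regions.get(pid, {})}


if __name__ == "__main__":
    regs = parse_dump_names(DUMP_LIST)
    for (start, end), others in pids_sharing(regs, 3904).items():
        print(f"3904 0x{start:X}-0x{end:X} ({fmt_size(end - start)}) also in pids {others}")
```

Running it on the subset reports the 3.8MB range of PID 3904 as also present in PIDs 500 and 4340 and nowhere else, and the 228KB range as unique to 3904. The next step an analyst would take is to diff the actual dump files for those three regions rather than rely on the range alone.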