Overview

overview

10

Static

static

3

Fgmre.exe

windows7-x64

10

Fgmre.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-09-2023 01:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fgmre.exe

  • Size

    6.1MB

  • MD5

    fab73af287c1c2d2c9f7eb56ae418c2a

  • SHA1

    b9afbf362fd3a04290b37a2abafece67fba21b1b

  • SHA256

    33d1fbfef24cf1945248cfdc35c9338aec58774838d2c8b16d7609e8badd60a3

  • SHA512

    c5a5803b097509967ff09a401d4f8d055a837c66f4bb257576513519233b40890bb8663ce08eddead348dacdace3d1212e3522480fbd6fe3a5e909970f442bab

  • SSDEEP

    98304:wVV8V0jkxwDuoUprzpnNHNVDNHVq4t2KsNStyoXpGQL4+bMzvIBkKAPLf:w7E0oCu9NtVJFRGQLcH

Score
10/10
bitratpersistencetrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

smgqnt3eixxksasu.xyz:1234

Attributes
  • communication_password

    30afda4853ef5b1bc36463ba95d84247

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fgmre.exe
    "C:\Users\Admin\AppData\Local\Temp\Fgmre.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3300
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      2⤵
        PID:3496
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        2⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:180
        • C:\Users\Admin\AppData\Local\Temp\GF70e43mIRdB8ZgR.exe
          "C:\Users\Admin\AppData\Local\Temp\GF70e43mIRdB8ZgR.exe"
          3⤵
          • Executes dropped EXE
          PID:2388
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
      1⤵
        PID:4308
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k UnistackSvcGroup
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2772

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
        Filesize

        16KB

        MD5

        b1247ef92503269c0965f5542bf92225

        SHA1

        91489c119f5cfd13bed7a6c91e295344933f8742

        SHA256

        8d1d737c29ae6f346f83957fca60d6548f6c0464596bc253e7b52b1876de2999

        SHA512

        8b84c0299fedb44c3da777d79859a6c241899e2b9c29bbb2e819159cb58e1d10f4372af9642756eadc61da6b32a4c6add2b2c8add63cb3ff13961fef95f8c6ab

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0XT81K5W\Fgmre[1].exe
        Filesize

        6.1MB

        MD5

        fab73af287c1c2d2c9f7eb56ae418c2a

        SHA1

        b9afbf362fd3a04290b37a2abafece67fba21b1b

        SHA256

        33d1fbfef24cf1945248cfdc35c9338aec58774838d2c8b16d7609e8badd60a3

        SHA512

        c5a5803b097509967ff09a401d4f8d055a837c66f4bb257576513519233b40890bb8663ce08eddead348dacdace3d1212e3522480fbd6fe3a5e909970f442bab

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\GF70e43mIRdB8ZgR.exe
        Filesize

        6.1MB

        MD5

        fab73af287c1c2d2c9f7eb56ae418c2a

        SHA1

        b9afbf362fd3a04290b37a2abafece67fba21b1b

        SHA256

        33d1fbfef24cf1945248cfdc35c9338aec58774838d2c8b16d7609e8badd60a3

        SHA512

        c5a5803b097509967ff09a401d4f8d055a837c66f4bb257576513519233b40890bb8663ce08eddead348dacdace3d1212e3522480fbd6fe3a5e909970f442bab

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\GF70e43mIRdB8ZgR.exe
        Filesize

        6.1MB

        MD5

        fab73af287c1c2d2c9f7eb56ae418c2a

        SHA1

        b9afbf362fd3a04290b37a2abafece67fba21b1b

        SHA256

        33d1fbfef24cf1945248cfdc35c9338aec58774838d2c8b16d7609e8badd60a3

        SHA512

        c5a5803b097509967ff09a401d4f8d055a837c66f4bb257576513519233b40890bb8663ce08eddead348dacdace3d1212e3522480fbd6fe3a5e909970f442bab

        Download Submit
      • memory/180-90-0x0000000000400000-0x00000000007CE000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/180-87-0x0000000000400000-0x00000000007CE000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/180-76-0x0000000000400000-0x00000000007CE000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/180-78-0x0000000000400000-0x00000000007CE000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/180-95-0x0000000000400000-0x00000000007CE000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/180-91-0x0000000075170000-0x00000000751A9000-memory.dmp
        Filesize

        228KB

        Download
      • memory/180-79-0x0000000000400000-0x00000000007CE000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/180-89-0x0000000000400000-0x00000000007CE000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/180-88-0x0000000000400000-0x00000000007CE000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/180-81-0x0000000000400000-0x00000000007CE000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/180-86-0x0000000000400000-0x00000000007CE000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/180-85-0x0000000000400000-0x00000000007CE000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/180-84-0x0000000000400000-0x00000000007CE000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/180-83-0x0000000074DF0000-0x0000000074E29000-memory.dmp
        Filesize

        228KB

        Download
      • memory/2388-120-0x0000000072A10000-0x00000000731C0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2388-127-0x00000000059C0000-0x00000000059D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2388-126-0x0000000072A10000-0x00000000731C0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2388-121-0x00000000059C0000-0x00000000059D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2772-42-0x00000188F8950000-0x00000188F8951000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2772-44-0x00000188F8950000-0x00000188F8951000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2772-69-0x00000188F86A0000-0x00000188F86A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2772-71-0x00000188F86B0000-0x00000188F86B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2772-72-0x00000188F86B0000-0x00000188F86B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2772-73-0x00000188F87C0000-0x00000188F87C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2772-5-0x00000188F0240000-0x00000188F0250000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2772-54-0x00000188F8560000-0x00000188F8561000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2772-51-0x00000188F8570000-0x00000188F8571000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2772-49-0x00000188F8560000-0x00000188F8561000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2772-21-0x00000188F0340000-0x00000188F0350000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2772-48-0x00000188F8570000-0x00000188F8571000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2772-47-0x00000188F8950000-0x00000188F8951000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2772-46-0x00000188F8950000-0x00000188F8951000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2772-45-0x00000188F8950000-0x00000188F8951000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2772-57-0x00000188F84A0000-0x00000188F84A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2772-43-0x00000188F8950000-0x00000188F8951000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2772-37-0x00000188F8920000-0x00000188F8921000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2772-41-0x00000188F8950000-0x00000188F8951000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2772-40-0x00000188F8950000-0x00000188F8951000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2772-39-0x00000188F8950000-0x00000188F8951000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2772-38-0x00000188F8950000-0x00000188F8951000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3300-0-0x0000000074EE0000-0x0000000075690000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3300-80-0x0000000074EE0000-0x0000000075690000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3300-74-0x0000000006180000-0x0000000006724000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/3300-4-0x0000000005450000-0x0000000005460000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3300-3-0x0000000074EE0000-0x0000000075690000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3300-2-0x0000000005450000-0x0000000005460000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3300-1-0x00000000004F0000-0x0000000000B14000-memory.dmp
        Filesize

        6.1MB

        Download