Analysis

  • max time kernel
    15s
  • max time network
    21s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-10-2023 15:05

General

  • Target

    SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe

  • Size

    7.6MB

  • MD5

    1c9f3c0258e923c07e1943498c789a3d

  • SHA1

    e908faaa5eff19c6b653241253ecc6f28c83f436

  • SHA256

    925329eac4d8dfc71dfd0d222e935b31fb340bbb70367c7abf6553d921b64e55

  • SHA512

    92c16e56ae3d830e2110f97159d6f19fbf91b8bc56d29be207a0da12bd388a0fe68dd13c63dba5266d7d48be9f423d75c1e1e3ec16e6ad1458940f0bb0d0cb0b

  • SSDEEP

    196608:o9/4OSUKi7eAGR6EGOUqJNTUQ0uG2DWMyoim06EV5X:U/4OSZeeLcvqJNF0uJW3/HX

Score
10/10

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

185.225.75.68:3569

Attributes
  • communication_password

    0edcbe7d888380c49e7d1dcf67b6ea6e

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe"
      2⤵
      PID:4340
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 188
        3⤵
        • Program crash
        PID:4352
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\uno"
      2⤵
      PID:4092
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe" "C:\Users\Admin\AppData\Roaming\uno\uno.exe"
      2⤵
      PID:2132
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\uno\uno.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3384
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\uno\uno.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:1020
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4340 -ip 4340
    1⤵
    PID:916
  • C:\Users\Admin\AppData\Roaming\uno\uno.exe
    C:\Users\Admin\AppData\Roaming\uno\uno.exe
    1⤵
    • Executes dropped EXE
    PID:3064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\uno\uno.exe

    Filesize

    3.6MB

    MD5

    db6725b45653e19e63c9c903dfeaa589

    SHA1

    d0584bb434d937af6e2bad12d7bd086eddabb039

    SHA256

    e76584333b40323fcff44deb00671db19b7d67af5175325866529aee080e0f2b

    SHA512

    3f7c2d9c2e226b1354342e0cab0c9776860b263305419b6466f472dae94c4beefdc0be23a6bc50ae552532c2fd3458aefaeb274c7934fb18fea9eb37499777ff

  • C:\Users\Admin\AppData\Roaming\uno\uno.exe

    Filesize

    3.7MB

    MD5

    01e8431f8d42a3ec02bd2be13353bdb4

    SHA1

    21aef30b40078646af0c5970e46a218003f10b5e

    SHA256

    9e9389d4f9857342b1250dcc6fa29b96d723fa3bb231cee4b0018b70107d3e66

    SHA512

    78c36d5d8d575a74bb9ea34a2f41890917d43560b8e9ad685cd880f4aea7a8b0604a70123eeced9ca34ca83591f2a60ef209b9e27f22ba4e7ff4804824160e21

  • memory/1796-0-0x0000000074600000-0x0000000074DB0000-memory.dmp

    Filesize

    7.7MB

  • memory/1796-1-0x0000000000EE0000-0x000000000167C000-memory.dmp

    Filesize

    7.6MB

  • memory/1796-2-0x00000000064F0000-0x0000000006A94000-memory.dmp

    Filesize

    5.6MB

  • memory/1796-3-0x0000000003890000-0x00000000038A0000-memory.dmp

    Filesize

    64KB

  • memory/1796-4-0x0000000007AA0000-0x000000000822A000-memory.dmp

    Filesize

    7.5MB

  • memory/1796-15-0x0000000074600000-0x0000000074DB0000-memory.dmp

    Filesize

    7.7MB

  • memory/3064-20-0x0000000074600000-0x0000000074DB0000-memory.dmp

    Filesize

    7.7MB

  • memory/4340-5-0x0000000000D00000-0x00000000010CE000-memory.dmp

    Filesize

    3.8MB

  • memory/4340-9-0x0000000000D00000-0x00000000010CE000-memory.dmp

    Filesize

    3.8MB

  • memory/4340-13-0x0000000000D00000-0x00000000010CE000-memory.dmp

    Filesize

    3.8MB