Overview

overview

10

Static

static

10

brbbot.exe

windows7-x64

10

brbbot.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    61s
  • max time network
    40s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    06-11-2023 11:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    brbbot.exe

  • Size

    74KB

  • MD5

    1c7243c8f3586b799a5f9a2e4200aa92

  • SHA1

    4db5a8e237937b6d7b435a8506b8584121a7e9e3

  • SHA256

    f47060d0f7de5ee651878eb18dd2d24b5003bdb03ef4f49879f448f05034a21e

  • SHA512

    56cdf52cfcc102d2c8cc90e5a298eeaefd44002061108b0d6b330bb93c3590b3f8b2c3c4e1fa208fafeefa7dafa092bd0f57d3cf905382f88b9f66a5d84357fd

  • SSDEEP

    1536:b6sMD3H8V3jsUnHLiREsTbDV/48OO4vh47483gLi9+LSG:b6srVzJiRrTHVORe75g4+LS

Score
10/10
brbbotbotpersistence

Malware Config

Extracted

Family

brbbot

C2

brb.3dtuts.by

Signatures

  • BrbBot

    BrbBot is first seen in early 2022 and it is written in C++.

    botbrbbot
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\brbbot.exe
    "C:\Users\Admin\AppData\Local\Temp\brbbot.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    PID:2640
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2812
    • C:\Windows\system32\verclsid.exe
      "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
      1⤵
        PID:1576
      • C:\Users\Admin\AppData\Local\Temp\brbbot.exe
        "C:\Users\Admin\AppData\Local\Temp\brbbot.exe"
        1⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        PID:1400
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2528

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\brbconfig.tmp
        Filesize

        73B

        MD5

        fefc78962cfaee3b2a9472b1357ce648

        SHA1

        6a93af35aa0b16a5ae0cc1244ace5afac8db20e3

        SHA256

        ee20ec1f9a574280270c0045caa6eda5b35b35d131e7a45db7d0afdaef131e08

        SHA512

        3055e5df596aa9f10ec5d093b93d11fd0d34eb42866661fd2a362202842cd2a01c9741c46fae18c9e5210824cd0ec73fdfc000a65523af628a0243f8468ef6b7

        Download Submit

      • C:\Users\Admin\AppData\Roaming\brbbot.exe
        Filesize

        74KB

        MD5

        1c7243c8f3586b799a5f9a2e4200aa92

        SHA1

        4db5a8e237937b6d7b435a8506b8584121a7e9e3

        SHA256

        f47060d0f7de5ee651878eb18dd2d24b5003bdb03ef4f49879f448f05034a21e

        SHA512

        56cdf52cfcc102d2c8cc90e5a298eeaefd44002061108b0d6b330bb93c3590b3f8b2c3c4e1fa208fafeefa7dafa092bd0f57d3cf905382f88b9f66a5d84357fd

        Download Submit

      • memory/2528-14-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

        Download

      • memory/2528-15-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

        Download

      • memory/2528-16-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

        Download

      • memory/2528-17-0x00000000002B0000-0x00000000002B1000-memory.dmp

        Filesize

        4KB

        Download