Overview

overview

10

Static

static

3

88679797af...2c.exe

windows7-x64

1

88679797af...2c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    166s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2023 19:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    88679797aff29f111d110ccc9cc9fd2c.exe

  • Size

    1.9MB

  • MD5

    88679797aff29f111d110ccc9cc9fd2c

  • SHA1

    adde4a3e6631aa0f82e5b0bf6bd8b917d78bad63

  • SHA256

    971dea6d176bb8bdae2c6570bbdee5fd41c447c6cbb79a8643c76991c8f988aa

  • SHA512

    65eec81dcb0c0e92f528031fbf619b656e9b2856a02190cbb9c57c38e785f3c2bac713297392c590f6b1136e5343424db869e1ed2c63799c41975018e7c1b548

  • SSDEEP

    49152:nzzs3PnDN+gqsJjvpcIJKbahPEwbzN6pt:03p+7Wp9hPEwnNm

Score
10/10
bitratpersistencetrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

jairoandresotalvarorend.linkpc.net:9069

Attributes
  • communication_password

    bfdba24ee3d61f0260c4dc1034c3ee43

  • install_dir

    windownslogoinicdiodir

  • install_file

    windownslogoiniciod.exe

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88679797aff29f111d110ccc9cc9fd2c.exe
    "C:\Users\Admin\AppData\Local\Temp\88679797aff29f111d110ccc9cc9fd2c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3848
    • C:\Users\Admin\AppData\Local\Temp\88679797aff29f111d110ccc9cc9fd2c.exe
      "C:\Users\Admin\AppData\Local\Temp\88679797aff29f111d110ccc9cc9fd2c.exe"
      2⤵
        PID:5116
      • C:\Users\Admin\AppData\Local\Temp\88679797aff29f111d110ccc9cc9fd2c.exe
        "C:\Users\Admin\AppData\Local\Temp\88679797aff29f111d110ccc9cc9fd2c.exe"
        2⤵
          PID:2664
        • C:\Users\Admin\AppData\Local\Temp\88679797aff29f111d110ccc9cc9fd2c.exe
          "C:\Users\Admin\AppData\Local\Temp\88679797aff29f111d110ccc9cc9fd2c.exe"
          2⤵
            PID:1996
          • C:\Users\Admin\AppData\Local\Temp\88679797aff29f111d110ccc9cc9fd2c.exe
            "C:\Users\Admin\AppData\Local\Temp\88679797aff29f111d110ccc9cc9fd2c.exe"
            2⤵
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: RenamesItself
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:3900

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/3848-17-0x0000000074B90000-0x0000000075340000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3848-1-0x0000000074B90000-0x0000000075340000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3848-2-0x0000000005960000-0x0000000005F04000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/3848-3-0x00000000053B0000-0x0000000005442000-memory.dmp
          Filesize

          584KB

          Download
        • memory/3848-4-0x0000000005590000-0x00000000055A0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3848-5-0x0000000005350000-0x000000000535A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/3848-6-0x00000000075C0000-0x000000000765C000-memory.dmp
          Filesize

          624KB

          Download
        • memory/3848-7-0x00000000055F0000-0x0000000005602000-memory.dmp
          Filesize

          72KB

          Download
        • memory/3848-8-0x0000000074B90000-0x0000000075340000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3848-9-0x0000000005590000-0x00000000055A0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3848-10-0x0000000007F20000-0x00000000080BC000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3848-0-0x0000000000760000-0x000000000094E000-memory.dmp
          Filesize

          1.9MB

          Download
        • memory/3900-19-0x0000000074AA0000-0x0000000074AD9000-memory.dmp
          Filesize

          228KB

          Download
        • memory/3900-26-0x0000000000400000-0x00000000007E4000-memory.dmp
          Filesize

          3.9MB

          Download
        • memory/3900-16-0x0000000000400000-0x00000000007E4000-memory.dmp
          Filesize

          3.9MB

          Download
        • memory/3900-15-0x0000000000400000-0x00000000007E4000-memory.dmp
          Filesize

          3.9MB

          Download
        • memory/3900-13-0x0000000000400000-0x00000000007E4000-memory.dmp
          Filesize

          3.9MB

          Download
        • memory/3900-18-0x0000000000400000-0x00000000007E4000-memory.dmp
          Filesize

          3.9MB

          Download
        • memory/3900-11-0x0000000000400000-0x00000000007E4000-memory.dmp
          Filesize

          3.9MB

          Download
        • memory/3900-20-0x0000000000400000-0x00000000007E4000-memory.dmp
          Filesize

          3.9MB

          Download
        • memory/3900-21-0x0000000000400000-0x00000000007E4000-memory.dmp
          Filesize

          3.9MB

          Download
        • memory/3900-23-0x0000000000400000-0x00000000007E4000-memory.dmp
          Filesize

          3.9MB

          Download
        • memory/3900-24-0x0000000000400000-0x00000000007E4000-memory.dmp
          Filesize

          3.9MB

          Download
        • memory/3900-25-0x0000000000400000-0x00000000007E4000-memory.dmp
          Filesize

          3.9MB

          Download
        • memory/3900-22-0x0000000000400000-0x00000000007E4000-memory.dmp
          Filesize

          3.9MB

          Download
        • memory/3900-14-0x0000000000400000-0x00000000007E4000-memory.dmp
          Filesize

          3.9MB

          Download
        • memory/3900-27-0x00000000749D0000-0x0000000074A09000-memory.dmp
          Filesize

          228KB

          Download
        • memory/3900-28-0x0000000000400000-0x00000000007E4000-memory.dmp
          Filesize

          3.9MB

          Download
        • memory/3900-29-0x0000000000400000-0x00000000007E4000-memory.dmp
          Filesize

          3.9MB

          Download
        • memory/3900-30-0x0000000000400000-0x00000000007E4000-memory.dmp
          Filesize

          3.9MB

          Download
        • memory/3900-31-0x00000000749D0000-0x0000000074A09000-memory.dmp
          Filesize

          228KB

          Download
        • memory/3900-32-0x0000000000400000-0x00000000007E4000-memory.dmp
          Filesize

          3.9MB

          Download
        • memory/3900-33-0x0000000000400000-0x00000000007E4000-memory.dmp
          Filesize

          3.9MB

          Download
        • memory/3900-34-0x00000000749D0000-0x0000000074A09000-memory.dmp
          Filesize

          228KB

          Download
        • memory/3900-35-0x0000000000400000-0x00000000007E4000-memory.dmp
          Filesize

          3.9MB

          Download
        • memory/3900-36-0x0000000000400000-0x00000000007E4000-memory.dmp
          Filesize

          3.9MB

          Download
        • memory/3900-37-0x00000000749D0000-0x0000000074A09000-memory.dmp
          Filesize

          228KB

          Download