Overview

overview

10

Static

static

3

9aad75171c...db.exe

windows7-x64

10

9aad75171c...db.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    155s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2023 13:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9aad75171c9f40314bb14ef323bb8fdb.exe

  • Size

    6.1MB

  • MD5

    9aad75171c9f40314bb14ef323bb8fdb

  • SHA1

    82ec3149cab1039b2b356b8ac2d972114fc142d6

  • SHA256

    c4490d8166adf18292c8bb887a344662653881d605c71472c85e69dcc6f24f37

  • SHA512

    8de2ebe81c364ce29348e7a4b14665fc35d3a00eb5dcaaf831bca4674548b0e4e30a0be0f911386d582ece6a7a76fd3b0174a6065e50c9f982daf160f49b6719

  • SSDEEP

    98304:Gpg+erC8auYWOB+ljN6t4DiJoQJeLXFRahqvf29NvZHuXCMd/56qHstvaPXCaz2I:Wg1rOWOgotmiJoQJ4b3jXpdtHwvaj

Score
10/10
bitratpersistencetrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

atdf.ddns.net:3000

Attributes
  • communication_password

    41cfcc9640be890d8075ae5322d51928

  • install_dir

    Documents

  • install_file

    Microsoft Runtime.exe

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9aad75171c9f40314bb14ef323bb8fdb.exe
    "C:\Users\Admin\AppData\Local\Temp\9aad75171c9f40314bb14ef323bb8fdb.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4296

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4296-0-0x0000000001650000-0x0000000001651000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4296-1-0x0000000000400000-0x00000000010A9000-memory.dmp

    Filesize

    12.7MB

    Download

  • memory/4296-2-0x0000000000400000-0x00000000010A9000-memory.dmp

    Filesize

    12.7MB

    Download

  • memory/4296-5-0x0000000074E90000-0x0000000074EC9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4296-6-0x0000000074E00000-0x0000000074E39000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4296-7-0x0000000074E00000-0x0000000074E39000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4296-8-0x0000000000400000-0x00000000010A9000-memory.dmp

    Filesize

    12.7MB

    Download

  • memory/4296-9-0x0000000074E00000-0x0000000074E39000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4296-10-0x0000000074E00000-0x0000000074E39000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4296-11-0x0000000074E00000-0x0000000074E39000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4296-12-0x0000000074E00000-0x0000000074E39000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4296-13-0x0000000074E00000-0x0000000074E39000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4296-14-0x0000000074E00000-0x0000000074E39000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4296-15-0x0000000074E00000-0x0000000074E39000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4296-16-0x0000000074E00000-0x0000000074E39000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4296-17-0x0000000074E00000-0x0000000074E39000-memory.dmp

    Filesize

    228KB

    Download