Analysis
-
max time kernel
91s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
22-12-2023 14:42
General
-
Target
c898aa2a13c78c3501ad45bf5690e461.exe
-
Size
3.1MB
-
MD5
c898aa2a13c78c3501ad45bf5690e461
-
SHA1
562ac688a4d849460388fe852392abea4084c61b
-
SHA256
50a82f38bb99d62f938687184c3c67bfa357ab76afc9d70cdd9e6a67eb519294
-
SHA512
592f5721eb6dda68e3dce630082ef28deccdd05f1912a9a8987e49e6b3284fafc635272ab6cfb870d3969ebb0eb121cfbe203a79cf9fd2b02d41640f22c805f0
-
SSDEEP
49152:sX+5guoYh48F/GjUU6UQo8P5wVyRNnBn2giGIsE+o7DFmb7TW0gc4DTY+57VJv3u:sX+quoSh5ElnFRc43d9rv3IEZhp3mpL
Score
10/10
Malware Config
Extracted
Family
bitrat
Version
1.38
C2
mfocuz.com:1537
Attributes
-
communication_password
25f9e794323b453885f5181f1b624d0b
-
tor_process
tor
Signatures
-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Program crash 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c898aa2a13c78c3501ad45bf5690e461.exe"C:\Users\Admin\AppData\Local\Temp\c898aa2a13c78c3501ad45bf5690e461.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 9962⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2948 -ip 29481⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2948-0-0x00000000031E0000-0x000000000349D000-memory.dmpFilesize
2.7MB
-
memory/2948-1-0x0000000000690000-0x0000000000A5E000-memory.dmpFilesize
3.8MB
-
memory/2948-2-0x0000000000690000-0x0000000000A5E000-memory.dmpFilesize
3.8MB