Overview

overview

10

Static

static

3

284445efc6...82.exe

windows7-x64

10

284445efc6...82.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2023 15:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    284445efc60c1a68e8199c7dc675ff82.exe

  • Size

    2.5MB

  • MD5

    284445efc60c1a68e8199c7dc675ff82

  • SHA1

    60655a314c86993deefa9d9f7eec64341168e9e1

  • SHA256

    af7800b9d14d41db33e7aeb100aac52bcae40bd7dfa2f151ffb4e76e810ea965

  • SHA512

    c30e62a1f3121d6d1d10d292389e6ac476f1e5f4a88a8bafc0a06069ddc12b0081ba15e10989e74b87540e24805b776967db912663dc59110d671b88ca521d13

  • SSDEEP

    49152:m8459zztzzKoPfxsNIcv+xltSiK0rXw5hn360bURtRY26YS+WhfFzMwDPwRVuf2s:mD9zztzzKoxs6cmxfSMkd3GDGvWsfPX

Score
10/10
bitratevasiontrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

dopeonlineforwarding.xyz:6620

Attributes
  • communication_password

    d74a214501c1c40b2c77e995082f3587

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • CustAttr .NET packer 1 IoCs

    Detects CustAttr .NET packer in memory.

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 22 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\284445efc60c1a68e8199c7dc675ff82.exe
    "C:\Users\Admin\AppData\Local\Temp\284445efc60c1a68e8199c7dc675ff82.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NWKQwZWIgp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp60C6.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1140
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1188
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1760

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
    Filesize

    3KB

    MD5

    af3d4381fa6eaeffe2c54f78b003f57f

    SHA1

    f308f5b4961e1cba6db7beb1134d71572511f1c4

    SHA256

    cfdd28f49defe1c453c293a358c49e31b4ffabaa0b5bc9577f5f4017e24a2366

    SHA512

    7f52dcc1860b2d908b05ef31579f0b7cb4b9c4cbe1093141f08f06a82d6a3c371a99823d6c4c67362059f8eb6f5f3346f4a971536df7aa4a0c0fc20517b40042

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
    Filesize

    136KB

    MD5

    2a9b07139d784cd54448d5eb84a7d06a

    SHA1

    d8435f8bf3f567257575320b13a3445fefc8d671

    SHA256

    41ceb02889a99c8ac40f1105fbf8228d486a1f7d11360843e35e8d817cf0409a

    SHA512

    721d7a257e9202b81d6157fda996cdc8cfe7d15c032b5aa63b8d90e21eb4d5f1a3a36cdd602b4031808006f5c3e8a88ecf53be79ab61bcb3f7bbc1954790ef4c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
    Filesize

    413KB

    MD5

    d181ff5aec9a044393a68195b546af4b

    SHA1

    85475281b629ee54a50088e31d8af7eba5ce04fd

    SHA256

    c55cf78c264c90f66b91f2912464ac37a47c9eec5c353fccaf930a49efc083f9

    SHA512

    af294ca7b2c3f12d3134402ed047e03e218d551198b4f9375c22889d2871461a2391e68059292459dccddc078fea48ce2d0b4d88a314dea9436d0191574a60c9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\pic22.jpg
    Filesize

    8KB

    MD5

    1722fcaba27b2d9914bb4a41c2ac0ed3

    SHA1

    afc7bc349390e4ae1cdf874b7746b3f5913fcb3e

    SHA256

    130b45d775805140a6efcb9564e46e3e31646975552dad46e25cee570e81178a

    SHA512

    2cd1f285336ae8904991474a61e8d8ecdfa04bd2288a0e4c59e03943826c1172b4e7a0c5b76dc7514b3d5e9e20a13b845e16949a83b9b4e79b90f28573419baf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp60C6.tmp
    Filesize

    1KB

    MD5

    e44e6f62d139ccfbff110c20cd93b5d8

    SHA1

    20228a78018b72b79cdb4b5732c4785e4ac19113

    SHA256

    837b1d657d5cbd75f745058bc31fa7c29b54dbc0ad94114f43d8231147e7822c

    SHA512

    8b6b834a214054dee682d73fcff367fd7912896f8684d8ca6c64f38a7b2c829a99c06704215b9206b058eb4a3f10a2f4749ff4d0597da3975465ed4fdfec8562

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
    Filesize

    95KB

    MD5

    d55dfc28936c01fd24828e020fb09638

    SHA1

    5a6a5ed62b5e08a1d912d4e6ada56c507b66e8a6

    SHA256

    1fe09264314a583b9729f33d99d003b2e0260d73b6ef6df695113004ae54c3c5

    SHA512

    0278d0e8304ec26f44b19f560c9a7078471c59ded923aee7c258d6dc59e3e5710d13b97a51cdcacfd061deb04592db3beada42a1303000592c4eabcbf1da388a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
    Filesize

    93KB

    MD5

    08c20921e26030493a7e463aeb31ad96

    SHA1

    550449345925b4b6e788d600d0227c3cef0e230f

    SHA256

    ad00cefc8ae0017aeed7df7007496d459a310956c949488a53919d9115a25816

    SHA512

    43515493827a4177f270440b7ea0f0bb83d8975338ecae12f0dc0d2e94165254717aceb00de89b6dbb1d86bba62a8bbfce948bb1756522e8991c3fc23cb6c4e5

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
    Filesize

    12KB

    MD5

    f6d64ba8683b71b45260489d9bdee8dc

    SHA1

    6ca1960f7bb4a6a5579de23695698239e59827ba

    SHA256

    36bad39554357cbf0ba4eca86d861812347f811849d50cd9ca140a3337342530

    SHA512

    20ec3c039d3e35a65360633e443aea7254943910cb45ef3e53e81786a1090a49d6e0b4b84e50ae06709e949e2697f13bb0a947edae5faa256b475028a7bd28a5

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
    Filesize

    2.4MB

    MD5

    8e4021bbc655ee57cce94f9cbc6eca7b

    SHA1

    6aa0e7558bc6fba388e00c2491c4b461875f0a72

    SHA256

    d0ce52c1fd46e38e5e269fdc019d4c3c0900a88a7a4fed4c126c70c4a72798db

    SHA512

    34b139d00ec4aa4456b4c7ae96c5e5f021fcd47a3a677e6d65d94b3c7cfb5605447ea99a4285862b7db864b35098da884415a18b431999f3a101bc76ea3dd017

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
    Filesize

    1.0MB

    MD5

    687bce5c77630038a660ecb8bc85e4f2

    SHA1

    ffec56bd15011eef584af3334772466c829ea480

    SHA256

    9b68478ed1647e0bde439eff9da36fa4a7bd2837cd0392179f00db441b059deb

    SHA512

    aa573b094723900e93215b595f2f378d528c89db700d7cdf5fc5ccd62ebe688fc9d1e6a716591fa40901a196452c55cf7489a9364571a7b0b6ea59529b2924bb

    Download Submit

  • memory/1188-53-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1188-47-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1188-65-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1188-64-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1188-62-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1188-33-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1188-34-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1188-36-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1188-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1188-41-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1188-42-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1188-43-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1188-61-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1188-44-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1188-39-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1188-59-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1188-46-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1188-60-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1188-48-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1188-49-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1188-50-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1188-56-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1188-55-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1188-54-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1760-52-0x00000000000F0000-0x00000000000F2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1760-57-0x0000000000280000-0x0000000000281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1760-63-0x0000000000280000-0x0000000000281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2160-51-0x00000000024A0000-0x00000000024A2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2872-21-0x00000000013D0000-0x0000000001696000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/2872-20-0x0000000074250000-0x000000007493E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2872-25-0x0000000005930000-0x0000000005AF0000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2872-45-0x0000000074250000-0x000000007493E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2872-22-0x0000000000470000-0x00000000004B0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2872-23-0x00000000002C0000-0x00000000002D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2872-24-0x0000000074250000-0x000000007493E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2872-26-0x0000000005AF0000-0x0000000005C68000-memory.dmp

    Filesize

    1.5MB

    Download