Overview

overview

10

Static

static

3

284445efc6...82.exe

windows7-x64

10

284445efc6...82.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-12-2023 15:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    284445efc60c1a68e8199c7dc675ff82.exe

  • Size

    2.5MB

  • MD5

    284445efc60c1a68e8199c7dc675ff82

  • SHA1

    60655a314c86993deefa9d9f7eec64341168e9e1

  • SHA256

    af7800b9d14d41db33e7aeb100aac52bcae40bd7dfa2f151ffb4e76e810ea965

  • SHA512

    c30e62a1f3121d6d1d10d292389e6ac476f1e5f4a88a8bafc0a06069ddc12b0081ba15e10989e74b87540e24805b776967db912663dc59110d671b88ca521d13

  • SSDEEP

    49152:m8459zztzzKoPfxsNIcv+xltSiK0rXw5hn360bURtRY26YS+WhfFzMwDPwRVuf2s:mD9zztzzKoxs6cmxfSMkd3GDGvWsfPX

Score
10/10
bitratevasiontrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

dopeonlineforwarding.xyz:6620

Attributes
  • communication_password

    d74a214501c1c40b2c77e995082f3587

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • CustAttr .NET packer 1 IoCs

    Detects CustAttr .NET packer in memory.

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\284445efc60c1a68e8199c7dc675ff82.exe
    "C:\Users\Admin\AppData\Local\Temp\284445efc60c1a68e8199c7dc675ff82.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4020
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NWKQwZWIgp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2AF3.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:4620
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe"
        3⤵
        • Executes dropped EXE
        PID:3928
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4776

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
    Filesize

    225KB

    MD5

    b9c43675214feb8eee3905b1d67e3a12

    SHA1

    758c80bb103328669f35312412f5fc356ad8ee0a

    SHA256

    bff6af2eb48e5cbef4de28e1ef9cdc7ba1d064f0853f18b3efc65451b95fef2e

    SHA512

    242cb81ead030cc2b9f4eeaaeff5bae1fe334057beeb508490b7638e836781687cc99d5e5b4003d99c2193a67864b346a010c2bb0adf1b347262de1b58d7024e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
    Filesize

    86KB

    MD5

    7c0139bf6a8e0131752f38782182c23a

    SHA1

    9625a6b49eb53d5715b36a042d915b313804278d

    SHA256

    59b518a6dc80807a946ea03060564e2a65a1bcb6f9bea330f2ab6193b778ffa4

    SHA512

    a97a5eac2ac63997a3d8a96c9cb32933715cd66d97a976d37b58303dde910c5bb15370edd6f1bc9b04059d29f4a6b62d18dbf4688734649585729bae4a2e99d3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
    Filesize

    250KB

    MD5

    e710ceb1263b6a56c696f9479ded7f19

    SHA1

    77abad6024de365ec81dd51f00e52f76f7060c65

    SHA256

    48a502f1114e099bbca29a4e66f7f7cc763c76229ca4235756ed5bc916c14c4c

    SHA512

    396055953adccfdbcf0340942a53bcc490e8a3ade991e73928e964b663fc0d72cd4c80e1f7cbab39d7996b10e1088732ccf8ab09b7782e1e5af22948c83dcb3a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
    Filesize

    322KB

    MD5

    16a68ea7e49b670650501b509671a2ad

    SHA1

    787221290dd5159d0800cdd68ce8c6a89172dc1e

    SHA256

    80a4708485e5ef7a9846ed962a6bbfbfcf363e6ae367f67a39ead6a57cd879fe

    SHA512

    c7d9980b379cc3faa4e77833cb23fe0707ddefe3f4470796c2716f06e5aa48dfebf7fd51dc841432c5c9f7a96a4b62ec2dabe6f0d93c340d288e2b5377946058

    Download Submit

  • memory/4020-17-0x0000000073150000-0x0000000073900000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4020-16-0x00000000002A0000-0x0000000000566000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/4020-18-0x00000000073F0000-0x000000000748C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4020-19-0x0000000007A40000-0x0000000007FE4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4020-20-0x0000000007530000-0x00000000075C2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4020-21-0x0000000007500000-0x0000000007510000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4020-22-0x00000000074D0000-0x00000000074DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4020-23-0x0000000007740000-0x0000000007796000-memory.dmp

    Filesize

    344KB

    Download

  • memory/4020-24-0x00000000027E0000-0x00000000027F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4020-25-0x0000000073150000-0x0000000073900000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4020-26-0x0000000007500000-0x0000000007510000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4020-27-0x00000000057D0000-0x0000000005990000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4020-28-0x00000000059B0000-0x0000000005B28000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4020-29-0x0000000005BC0000-0x0000000005C26000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4020-43-0x0000000073150000-0x0000000073900000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4776-36-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-38-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-40-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-42-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-41-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-44-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-45-0x0000000073750000-0x0000000073789000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4776-48-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-49-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-51-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-52-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-53-0x00000000736C0000-0x00000000736F9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4776-50-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-47-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-46-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-55-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-56-0x0000000073410000-0x0000000073449000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4776-54-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-57-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-59-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-70-0x00000000756A0000-0x00000000756D9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4776-58-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-71-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-72-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-73-0x00000000756A0000-0x00000000756D9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4776-74-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-75-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-76-0x00000000756A0000-0x00000000756D9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4776-78-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-79-0x00000000756A0000-0x00000000756D9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4776-77-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-80-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-81-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-82-0x00000000756A0000-0x00000000756D9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4776-83-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-84-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4776-85-0x00000000756A0000-0x00000000756D9000-memory.dmp

    Filesize

    228KB

    Download