Extracted

• • Target

    49b2e2c622aed1aaccb8f17d500b7321

  • Size

    2.6MB

  • MD5

    49b2e2c622aed1aaccb8f17d500b7321

  • SHA1

    a73b715a6ce39a6983c29765de0eef9156899ed3

  • SHA256

    08ef1a2643f2d97ea39aa628a6a56a1109db245ae5c795278b4529d9e2f4a4c7

  • SHA512

    0da166b392bcfe55c700a123414b03d706f5eb3c585e905f7db32b0db004f189c517f11ed343428ac92a9559538f05a2fb802fe5c0e210a8d233719c154c0328

  • SSDEEP

    49152:9cUUQTLnKiVql9Bs8dKj+LFh2Hs7VcsxL2QlAQjLGi/9JNIzg6:mwHs9s8lLFxfCQ2QjLH9uJ

  Score

  10^/10

  persistencebitrattrojan

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat

  • Modifies WinLogon for persistence

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Drops desktop.ini file(s)

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2