Overview

overview

10

Static

static

1

68222440e7...62.exe

windows7-x64

10

68222440e7...62.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    157s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-01-2024 16:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    68222440e7fab33d7b5ec1b6e2672962.exe

  • Size

    2.6MB

  • MD5

    68222440e7fab33d7b5ec1b6e2672962

  • SHA1

    9e756880fc27ce0e0aa9f746039ec5fc0ca60294

  • SHA256

    9f853c69ec51eef3b38c508c2cdfaad6230c9cac218b6c1e2c1aade3e2aaa684

  • SHA512

    8fc00dc22e870a8e2150bd57b3e26d173a425ab1ab665b16548285489622f2a52db7487ce1a9811fc4c0328f673454be0f8a38d72a30e65727afabef04d63388

  • SSDEEP

    49152:wvibll7s0eIB4GzdH21N9vGHE5S9H5EsHBTzPfEAuj0/XN+fX+4T38mc:wS00SGzdHAuPmKJzXEAfXcuwU

Score
10/10
bitrattrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

dns16-microsoft-health.com:80

Attributes
  • communication_password

    1fb84c2caca11d084aafca61f7284a70

  • install_dir

    Intel

  • install_file

    idrvr32.exe

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68222440e7fab33d7b5ec1b6e2672962.exe
    "C:\Users\Admin\AppData\Local\Temp\68222440e7fab33d7b5ec1b6e2672962.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4864
    • C:\Users\Admin\AppData\Local\Temp\68222440e7fab33d7b5ec1b6e2672962.exe
      "C:\Users\Admin\AppData\Local\Temp\68222440e7fab33d7b5ec1b6e2672962.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      PID:3004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3004-36-0x0000000000400000-0x00000000007D3000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/3004-48-0x0000000074650000-0x0000000074689000-memory.dmp
    Filesize

    228KB

    Download
  • memory/3004-47-0x0000000000400000-0x00000000007D3000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/3004-46-0x0000000000030000-0x0000000000031000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3004-39-0x0000000000400000-0x00000000007D3000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/3004-45-0x0000000077252000-0x0000000077253000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3004-37-0x0000000000400000-0x00000000007D3000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/4864-14-0x0000000000970000-0x0000000000A70000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4864-12-0x0000000000970000-0x0000000000A70000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4864-15-0x0000000000970000-0x0000000000A70000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4864-16-0x0000000000970000-0x0000000000A70000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4864-17-0x0000000000970000-0x0000000000A70000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4864-21-0x0000000000970000-0x0000000000A70000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4864-24-0x0000000000970000-0x0000000000A70000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4864-25-0x0000000000970000-0x0000000000A70000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4864-28-0x0000000000400000-0x000000000069F000-memory.dmp
    Filesize

    2.6MB

    Download
  • memory/4864-30-0x0000000000970000-0x0000000000A70000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4864-32-0x0000000000400000-0x000000000069F000-memory.dmp
    Filesize

    2.6MB

    Download
  • memory/4864-33-0x0000000000970000-0x0000000000A70000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4864-34-0x0000000000970000-0x0000000000A70000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4864-2-0x0000000077252000-0x0000000077253000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4864-13-0x0000000000400000-0x000000000069F000-memory.dmp
    Filesize

    2.6MB

    Download
  • memory/4864-41-0x00000000001C0000-0x00000000001C8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/4864-44-0x0000000000970000-0x0000000000A70000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4864-11-0x0000000000970000-0x0000000000A70000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4864-42-0x0000000000400000-0x000000000069F000-memory.dmp
    Filesize

    2.6MB

    Download
  • memory/4864-40-0x0000000074EA0000-0x0000000074FFD000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/4864-10-0x0000000000970000-0x0000000000A70000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4864-38-0x0000000000970000-0x0000000000A70000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4864-35-0x0000000000970000-0x0000000000A70000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4864-9-0x0000000074EA0000-0x0000000074FFD000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/4864-8-0x0000000000970000-0x0000000000A70000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4864-3-0x0000000002480000-0x0000000002481000-memory.dmp
    Filesize

    4KB

    Download