Overview

overview

10

Static

static

10

7a0723aff0...fd.exe

windows7-x64

10

7a0723aff0...fd.exe

windows10-2004-x64

10

$TEMP/bibs...RE.dll

windows7-x64

1

$TEMP/bibs...RE.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    27-01-2024 10:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a0723aff075673ef855b4e615207dfd.exe

  • Size

    3.6MB

  • MD5

    7a0723aff075673ef855b4e615207dfd

  • SHA1

    aa3c1654b4abefe9831f6b60866253b4b8436fe0

  • SHA256

    3cc446d6a658ce7bdf67387d6df73888b2f5ea0a3955f2c11ebdeaec4d589517

  • SHA512

    344444ca7d681f86f0707e5e788c7d20dadbcf8c69cc5afd8a5136e78848737003e5f8320356bd25d0773fb90e3ec0fe2c55d32e6923e43640b6ce204c4ade7c

  • SSDEEP

    98304:XTjwlh++gsHbQN/muXMxx2FKPv2QXMojZ5nYu3zSXYwREF0aQ:XTjKz7gF42kWQXMIjnYu+ow7J

Score
10/10
bitratblisterloadertrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

139.28.219.45:443

Attributes
  • communication_password

    a76d949640a165da25ccfe9a8fd82c8a

  • tor_process

    tor

Signatures

  • BLISTER

    BLISTER is a downloader used to deliver other malware families.

    loaderblister
  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Detect Blister loader x32 2 IoCs
    loader
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
    installer
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a0723aff075673ef855b4e615207dfd.exe
    "C:\Users\Admin\AppData\Local\Temp\7a0723aff075673ef855b4e615207dfd.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Windows\SysWOW64\WerFault.exe
      "C:\Windows\System32\WerFault.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      PID:2772
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
    1⤵
      PID:2392

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Helps_Config\Helps_Config.exe
      Filesize

      98KB

      MD5

      20276b114ccaa585d544e73ad5589d32

      SHA1

      1fade936ac52a5d41135926c572cbb19583e6233

      SHA256

      d3bd6d21538fc29c87bddddd5964a47eaab0d4792d8d7dc45391ce4c51ccc090

      SHA512

      24c51f3794ff1d0b76dae5495a3c45f875d490708bb6be098e1333076cebd3431e5ead867c2ebd054ae4e438c81b55b31ce35bcd21f95102d66d8442dad13972

      Download Submit

    • \Users\Admin\AppData\Local\Temp\bibs_work\WMVCORE.DLL
      Filesize

      4.9MB

      MD5

      88fba76c3a7eb0f785903de05fb0bd06

      SHA1

      35f452a43a838cbad695d596b2cad144cc115074

      SHA256

      8c981acb2673fa80fa39aa2ba9b1916cb9866b5e8f9ec1cc98bc7fed36b49c61

      SHA512

      f0bfb7e85de0834c3a3a8448ba4d218d28608b3634bed24590a30e91acb51632b01b09f3734547bca383c8d69a8e4c754337fa7d44a274c458fca04d21c29876

      Download Submit

    • memory/2484-3-0x000000002BD90000-0x000000002C26E000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2772-8-0x0000000000400000-0x00000000007CE000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/2772-16-0x0000000000080000-0x0000000000081000-memory.dmp

      Filesize

      4KB

      Download