Overview

overview

10

Static

static

10

7a0723aff0...fd.exe

windows7-x64

10

7a0723aff0...fd.exe

windows10-2004-x64

10

$TEMP/bibs...RE.dll

windows7-x64

1

$TEMP/bibs...RE.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-01-2024 10:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a0723aff075673ef855b4e615207dfd.exe

  • Size

    3.6MB

  • MD5

    7a0723aff075673ef855b4e615207dfd

  • SHA1

    aa3c1654b4abefe9831f6b60866253b4b8436fe0

  • SHA256

    3cc446d6a658ce7bdf67387d6df73888b2f5ea0a3955f2c11ebdeaec4d589517

  • SHA512

    344444ca7d681f86f0707e5e788c7d20dadbcf8c69cc5afd8a5136e78848737003e5f8320356bd25d0773fb90e3ec0fe2c55d32e6923e43640b6ce204c4ade7c

  • SSDEEP

    98304:XTjwlh++gsHbQN/muXMxx2FKPv2QXMojZ5nYu3zSXYwREF0aQ:XTjKz7gF42kWQXMIjnYu+ow7J

Score
10/10
bitratblisterloadertrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

139.28.219.45:443

Attributes
  • communication_password

    a76d949640a165da25ccfe9a8fd82c8a

  • tor_process

    tor

Signatures

  • BLISTER

    BLISTER is a downloader used to deliver other malware families.

    loaderblister
  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Detect Blister loader x32 2 IoCs
    loader
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
    installer
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a0723aff075673ef855b4e615207dfd.exe
    "C:\Users\Admin\AppData\Local\Temp\7a0723aff075673ef855b4e615207dfd.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:516
    • C:\Windows\SysWOW64\WerFault.exe
      "C:\Windows\System32\WerFault.exe"
      2⤵
        PID:2416
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
      1⤵
        PID:4228

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Helps_Config\Helps_Config.exe
        Filesize

        465KB

        MD5

        f74e01041b9006a352a8a83e375c545a

        SHA1

        1d4beff07f9dc403f0b28cfaed422a3bfbe76383

        SHA256

        adf148ebb5a4df7a218ca8f9177cf925af9b8c6e755023f28f76bf8c2b12dfcf

        SHA512

        42f9ccf33c6a869c4eb5b146f0385ed85144cfc7d516b81d9c5bb2c299b40f2e9508336ffff42d264810a0164d9ad4fb1d77710df61fbbaa79f862c1623d6ddd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\bibs_work\WMVCORE.DLL
        Filesize

        4.3MB

        MD5

        2410eaa785604474e1035fa4840e2808

        SHA1

        d554eaf5c91dfe3a5b072f3a7ffa57ed55ec60b1

        SHA256

        cb9d9f3dd26aea924de01b16dfe26377f16b09d178d85fbc32a7fcb40d221448

        SHA512

        d791de877c448376a346aa42363abbeb91258247269c1310553756257963df9e0ee111c738bb149c407e5587a44cc6544bebd558488feb6d99c5afef90a805b1

        Download Submit

      • memory/516-3-0x000000002BD90000-0x000000002C26E000-memory.dmp

        Filesize

        4.9MB

        Download

      • memory/2416-8-0x0000000000400000-0x00000000007CE000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/2416-16-0x0000000000C50000-0x0000000000C51000-memory.dmp

        Filesize

        4KB

        Download