Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
05-03-2024 11:52
General
-
Target
b4a26290880d3fb80df39f433ebb0490.exe
-
Size
2.6MB
-
MD5
b4a26290880d3fb80df39f433ebb0490
-
SHA1
68e61782384bac82a8b2fbbac8958a1a5dd3fe5d
-
SHA256
49568dbced141895672057dc8244ce926ba027f7d04915a3a8504584f56b2c87
-
SHA512
96438799bcf1a79f992ddd11ecedb7101a0c816b1eff1db78f2c1b48239a110a08860a1ff0f36aad883332cbb3ff690a842478dd4dffb5a94f35082404ba2182
-
SSDEEP
49152:YCqoHMDzSvPB+6y3im0rc56ErvHHxjLH1yzJo9pPHq8jhWEgTi:YLosavPB9Frc56EjHxjLH1GipPN8Er
Malware Config
Extracted
bitrat
1.35
storage.nsupdate.info:8973
-
communication_password
bf771c9d082071fe80b18bb678220682
-
tor_process
tor
Signatures
-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
CustAttr .NET packer 1 IoCs
Detects CustAttr .NET packer in memory.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4a26290880d3fb80df39f433ebb0490.exe"C:\Users\Admin\AppData\Local\Temp\b4a26290880d3fb80df39f433ebb0490.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\b4a26290880d3fb80df39f433ebb0490.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QhNsxxGtGmp.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QhNsxxGtGmp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD4FE.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QhNsxxGtGmp.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4264 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
18KB
MD592ec09cc1d169a88bfccf8b115aa1ed6
SHA18f5d436ae6fd23c3d359be3d851864ad91d55f45
SHA2562310cbfe05b95767d4bcabf8cc68990a507191b7cd66f92db67c27b401c36c34
SHA512fd378e820ece518bf627780555f886387d9096af7ce72c914052ec1d5e2c249ac06d09e34b74955100e4e1eebf499a3ce7caefe2f5224146a859648eb5c6fd36
-
Filesize
18KB
MD5206245bb214f33b5f2eab06b4fd32cc3
SHA180ff87a86f700f3dc931b2327cf18c1c9e871541
SHA256682305e5bfac26405b065a2d4c1e2564198df1eb86f8a4fbd454edc7bbb56f34
SHA512bca4540e7882d53cb7bb10393cb35586ff63949f2b977aca1b59a79665a81cfa7a2a1ea096d20e93a67ac0fdf2c8f282b111171f630dcff034019b41f18bb455
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD51101e7fdaf9ab33b164151dd8d16409b
SHA1a420c9bc8b48c106886e257aefcd148cd28c9435
SHA2567ee5d02eef8c9f362a70ed334f7dd87707dd15b848217992a62520cb471d578d
SHA51227f5ec609bb54b5fcc020785cab9eba226951ac98ef9a320441486b74ce4a4c533e3f3b5f506794dec2212c96d06ee6b18145bce574a8653147283cf69fba7bb
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
80KB
-
Filesize
68KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
200KB
-
Filesize
652KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
3.3MB
-
Filesize
32KB
-
Filesize
600KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
1.5MB
-
Filesize
344KB
-
Filesize
64KB
-
Filesize
2.6MB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
1.8MB
-
Filesize
228KB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
228KB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
228KB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
3.9MB
-
Filesize
228KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
7.7MB