Overview

overview

10

Static

static

10

b594d6121e...c9.exe

windows7-x64

10

b594d6121e...c9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-03-2024 20:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b594d6121e59d1194c7f39e0166a46c9.exe

  • Size

    1.4MB

  • MD5

    b594d6121e59d1194c7f39e0166a46c9

  • SHA1

    ea70f35cea39a16292db4db1bab73ecfec9b1b3f

  • SHA256

    03e5f5529c62c94e1216b6fdb248c8e94fa1d28b4a1b2317df31c281423fb826

  • SHA512

    ee606bb0dfd85de800fb305ec4c49a6d78a4e0d385666cb31092d95b8e8c7a566d23425a232391236a55b9bce8ed41e3308bd92ad780e954a818df24926c556d

  • SSDEEP

    24576:+ndRKZCy2BrhCeU2i2cJijFbCBTPmiY05tJMSQp5ysA7Yg1nLkzzgsG/b:4XDFBU2iIBb0xY/6sUYY2g

Score
10/10
bitratpersistencetrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

185.244.36.230:1236

Attributes
  • communication_password

    4238f3388b8edda21e11f6cd3d4fd304

  • install_dir

    discordHack

  • install_file

    DiscordHack.exe

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious behavior: RenamesItself 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b594d6121e59d1194c7f39e0166a46c9.exe
    "C:\Users\Admin\AppData\Local\Temp\b594d6121e59d1194c7f39e0166a46c9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4632

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4632-0-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4632-1-0x00000000750F0000-0x0000000075129000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4632-2-0x0000000074DB0000-0x0000000074DE9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4632-3-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4632-4-0x0000000074DB0000-0x0000000074DE9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4632-5-0x0000000074DB0000-0x0000000074DE9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4632-6-0x0000000074DB0000-0x0000000074DE9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4632-7-0x0000000074DB0000-0x0000000074DE9000-memory.dmp

    Filesize

    228KB

    Download