Overview

overview

10

Static

static

3

bf9a1a6901...a9.exe

windows7-x64

10

bf9a1a6901...a9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    11-03-2024 02:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bf9a1a690110be2f207d8015292d14a9.exe

  • Size

    2.3MB

  • MD5

    bf9a1a690110be2f207d8015292d14a9

  • SHA1

    9732b514c34809cc74bd9aae96b2fc0773c6fe7b

  • SHA256

    b02372e2bef2a657182ad7d232baf35a321d0bc8f707d5f8292ae85f51907702

  • SHA512

    d4e02101700bdbed5cbd10be29a787751784052f4c4a6fc7a1ac5ab2f4e160e597b7c32a51c4d647dae0083b04e492ea88b17b18dc524c5544027647cbd8406e

  • SSDEEP

    49152:GLfqBDAfgnwCFIhXeNNmMlXP4RNsMyaxd7Ad/0jdH8a7Lyx:GsFIhu/m04jDTj7G/0jdH

Score
10/10
bitrattrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

yosire.duckdns.org:1555

Attributes
  • communication_password

    e10adc3949ba59abbe56e057f20f883e

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf9a1a690110be2f207d8015292d14a9.exe
    "C:\Users\Admin\AppData\Local\Temp\bf9a1a690110be2f207d8015292d14a9.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName youtube.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1204
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2668
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName facebook.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:544
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName outlook.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2960
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName bing.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:320
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:852
    • C:\Users\Admin\AppData\Local\Temp\bf9a1a690110be2f207d8015292d14a9.exe
      C:\Users\Admin\AppData\Local\Temp\bf9a1a690110be2f207d8015292d14a9.exe
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetWindowsHookEx
      PID:1560

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2SA5QBFNC1DZVFOL62NB.temp
    Filesize

    7KB

    MD5

    f73dd8db13a000ca2bdc4d7190e18128

    SHA1

    f8ede17b7bfa6a6f273884da0af329eca17a510e

    SHA256

    ae4c21df5f1df0b06df1e390e2e4825eb8c431044001e0fbbf16e3813d60b08e

    SHA512

    cc6db5654dca6d691ffac3419c789fe371f6b1d20adbb11b116cbda8d31193acd9407f0522cbf1147a915fb47cc436a80f061c2635194f5b097ff8cabe81587b

    Download Submit
  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • memory/320-47-0x000000006F4B0000-0x000000006FA5B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/320-48-0x0000000002F30000-0x0000000002F70000-memory.dmp
    Filesize

    256KB

    Download
  • memory/320-49-0x000000006F4B0000-0x000000006FA5B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/320-51-0x0000000002F30000-0x0000000002F70000-memory.dmp
    Filesize

    256KB

    Download
  • memory/320-50-0x0000000002F30000-0x0000000002F70000-memory.dmp
    Filesize

    256KB

    Download
  • memory/320-55-0x000000006F4B0000-0x000000006FA5B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/544-53-0x000000006F4B0000-0x000000006FA5B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/544-24-0x000000006F4B0000-0x000000006FA5B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/544-25-0x0000000002B80000-0x0000000002BC0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/544-26-0x000000006F4B0000-0x000000006FA5B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/544-28-0x0000000002B80000-0x0000000002BC0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/544-27-0x0000000002B80000-0x0000000002BC0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/852-65-0x0000000002F00000-0x0000000002F40000-memory.dmp
    Filesize

    256KB

    Download
  • memory/852-98-0x000000006F200000-0x000000006F7AB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/852-63-0x0000000002F00000-0x0000000002F40000-memory.dmp
    Filesize

    256KB

    Download
  • memory/852-62-0x000000006F200000-0x000000006F7AB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/852-64-0x000000006F200000-0x000000006F7AB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1204-6-0x000000006F4B0000-0x000000006FA5B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1204-8-0x0000000002800000-0x0000000002840000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1204-5-0x000000006F4B0000-0x000000006FA5B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1204-7-0x0000000002800000-0x0000000002840000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1204-40-0x000000006F4B0000-0x000000006FA5B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1560-117-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1560-109-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1560-110-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1560-107-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1560-111-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1560-106-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1560-112-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1560-113-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1560-115-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1560-104-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1560-118-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1560-119-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1560-121-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1560-120-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1560-122-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1560-123-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1560-102-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1560-101-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1560-100-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/2084-96-0x0000000008E90000-0x0000000009028000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2084-67-0x0000000008E90000-0x0000000009028000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2084-74-0x0000000008E90000-0x0000000009028000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2084-76-0x0000000008E90000-0x0000000009028000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2084-78-0x0000000008E90000-0x0000000009028000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2084-80-0x0000000008E90000-0x0000000009028000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2084-82-0x0000000008E90000-0x0000000009028000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2084-84-0x0000000008E90000-0x0000000009028000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2084-86-0x0000000008E90000-0x0000000009028000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2084-88-0x0000000008E90000-0x0000000009028000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2084-90-0x0000000008E90000-0x0000000009028000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2084-92-0x0000000008E90000-0x0000000009028000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2084-94-0x0000000008E90000-0x0000000009028000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2084-1-0x0000000074270000-0x000000007495E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2084-97-0x0000000000CC0000-0x0000000000CE6000-memory.dmp
    Filesize

    152KB

    Download
  • memory/2084-70-0x0000000008E90000-0x0000000009028000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2084-68-0x0000000008E90000-0x0000000009028000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2084-72-0x0000000008E90000-0x0000000009028000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2084-66-0x0000000008E90000-0x000000000902E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2084-0-0x0000000000F40000-0x0000000001192000-memory.dmp
    Filesize

    2.3MB

    Download
  • memory/2084-52-0x0000000000E50000-0x0000000000E90000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2084-108-0x0000000074270000-0x000000007495E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2084-41-0x0000000074270000-0x000000007495E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2084-2-0x0000000000E50000-0x0000000000E90000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2668-29-0x000000006F4B0000-0x000000006FA5B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2668-16-0x0000000002AB0000-0x0000000002AF0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2668-17-0x0000000002AB0000-0x0000000002AF0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2668-18-0x0000000002AB0000-0x0000000002AF0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2668-15-0x000000006F4B0000-0x000000006FA5B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2668-14-0x000000006F4B0000-0x000000006FA5B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2960-37-0x000000006F4B0000-0x000000006FA5B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2960-39-0x0000000002510000-0x0000000002550000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2960-38-0x0000000002510000-0x0000000002550000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2960-36-0x0000000002510000-0x0000000002550000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2960-35-0x000000006F4B0000-0x000000006FA5B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2960-54-0x000000006F4B0000-0x000000006FA5B000-memory.dmp
    Filesize

    5.7MB

    Download