Overview

overview

10

Static

static

3

bf9a1a6901...a9.exe

windows7-x64

10

bf9a1a6901...a9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-03-2024 02:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bf9a1a690110be2f207d8015292d14a9.exe

  • Size

    2.3MB

  • MD5

    bf9a1a690110be2f207d8015292d14a9

  • SHA1

    9732b514c34809cc74bd9aae96b2fc0773c6fe7b

  • SHA256

    b02372e2bef2a657182ad7d232baf35a321d0bc8f707d5f8292ae85f51907702

  • SHA512

    d4e02101700bdbed5cbd10be29a787751784052f4c4a6fc7a1ac5ab2f4e160e597b7c32a51c4d647dae0083b04e492ea88b17b18dc524c5544027647cbd8406e

  • SSDEEP

    49152:GLfqBDAfgnwCFIhXeNNmMlXP4RNsMyaxd7Ad/0jdH8a7Lyx:GsFIhu/m04jDTj7G/0jdH

Score
10/10
bitrattrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

yosire.duckdns.org:1555

Attributes
  • communication_password

    e10adc3949ba59abbe56e057f20f883e

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf9a1a690110be2f207d8015292d14a9.exe
    "C:\Users\Admin\AppData\Local\Temp\bf9a1a690110be2f207d8015292d14a9.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName youtube.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2468
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3280
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName facebook.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1388
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName outlook.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5108
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName bing.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4128
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1568
    • C:\Users\Admin\AppData\Local\Temp\bf9a1a690110be2f207d8015292d14a9.exe
      C:\Users\Admin\AppData\Local\Temp\bf9a1a690110be2f207d8015292d14a9.exe
      2⤵
        PID:1520
      • C:\Users\Admin\AppData\Local\Temp\bf9a1a690110be2f207d8015292d14a9.exe
        C:\Users\Admin\AppData\Local\Temp\bf9a1a690110be2f207d8015292d14a9.exe
        2⤵
          PID:2156
        • C:\Users\Admin\AppData\Local\Temp\bf9a1a690110be2f207d8015292d14a9.exe
          C:\Users\Admin\AppData\Local\Temp\bf9a1a690110be2f207d8015292d14a9.exe
          2⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetWindowsHookEx
          PID:2336

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        0774a05ce5ee4c1af7097353c9296c62

        SHA1

        658ff96b111c21c39d7ad5f510fb72f9762114bb

        SHA256

        d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

        SHA512

        104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        19KB

        MD5

        42603984ea3314bb9ba08037188530e5

        SHA1

        6d25d9874f78213d43c76dfb9be2b8b4a9698c00

        SHA256

        580b0409becc982147672e15bc03b41879472e71707e7948c2e1fd38d8012d06

        SHA512

        fc965fab6acde7327b07eab474ba81400f47ae49afe05939ed92e67fba5367f6e815c6c8cda2a686c9e6673838855f413a9b75819caf425975139a1dd50790fc

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        19KB

        MD5

        8f7eb33c429440aa19e532539a2a95d3

        SHA1

        fe50271504f38c749a55ec2b7aecf18886d0a1d5

        SHA256

        d3be716e1bb75ff73165e53310d98ec1b1d9feb2b0122187fc7b78ab3ea10685

        SHA512

        6dfe611d910f585a02e94dbd2cf84fe64c5442aba3cc556bc1894de6a31c34246d7ccb56733d789db8b29379b4cb00dd6018e15801d0370450d6d14f06c8fb3e

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        19KB

        MD5

        b287fa484c0190a2f218bd3c60110c38

        SHA1

        0ea62e8df0f610d3a1014acf4a4d35f7d8f9db37

        SHA256

        f3d0b4039a6c0762f3adc17db0f9c2e15ed374a021187651236339f8092dc765

        SHA512

        3df58787a33cfb9c8cd6e9dff3d8fa7c00aeb734d06538b27229afc9ca469866747fb417ad395454fe2876c3548596100750c3855c8461a802bb252af10fbc70

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_apoy0cg0.m10.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • memory/1388-88-0x00000000750F0000-0x00000000758A0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/1388-43-0x00000000029C0000-0x00000000029D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1388-42-0x00000000750F0000-0x00000000758A0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/1568-93-0x00000000750F0000-0x00000000758A0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/1568-95-0x0000000002E30000-0x0000000002E40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1568-94-0x0000000006140000-0x0000000006494000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/1568-96-0x0000000002E30000-0x0000000002E40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1568-143-0x00000000750F0000-0x00000000758A0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2336-160-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2336-157-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2336-154-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2336-153-0x0000000075000000-0x0000000075039000-memory.dmp
        Filesize

        228KB

        Download
      • memory/2336-152-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2336-150-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2336-151-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2336-146-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2336-148-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2336-145-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2336-156-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2336-155-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2336-158-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2336-159-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2336-161-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2336-162-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2336-163-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2336-164-0x0000000075380000-0x00000000753B9000-memory.dmp
        Filesize

        228KB

        Download
      • memory/2336-165-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2336-166-0x0000000000400000-0x00000000007E4000-memory.dmp
        Filesize

        3.9MB

        Download
      • memory/2336-167-0x0000000075380000-0x00000000753B9000-memory.dmp
        Filesize

        228KB

        Download
      • memory/2356-140-0x0000000006190000-0x00000000061B6000-memory.dmp
        Filesize

        152KB

        Download
      • memory/2356-134-0x0000000006DD0000-0x0000000006F68000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-1-0x00000000001F0000-0x0000000000442000-memory.dmp
        Filesize

        2.3MB

        Download
      • memory/2356-2-0x0000000005410000-0x00000000059B4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/2356-3-0x0000000004F00000-0x0000000004F92000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2356-4-0x0000000004E00000-0x0000000004E10000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2356-5-0x0000000004E40000-0x0000000004E4A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/2356-92-0x00000000750F0000-0x00000000758A0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2356-149-0x00000000750F0000-0x00000000758A0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2356-141-0x0000000006FA0000-0x0000000006FBE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/2356-0-0x00000000750F0000-0x00000000758A0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2356-139-0x0000000006FF0000-0x0000000007066000-memory.dmp
        Filesize

        472KB

        Download
      • memory/2356-97-0x0000000004E00000-0x0000000004E10000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2356-108-0x0000000006DD0000-0x0000000006F6E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-109-0x0000000006DD0000-0x0000000006F68000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-110-0x0000000006DD0000-0x0000000006F68000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-112-0x0000000006DD0000-0x0000000006F68000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-116-0x0000000006DD0000-0x0000000006F68000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-114-0x0000000006DD0000-0x0000000006F68000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-118-0x0000000006DD0000-0x0000000006F68000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-120-0x0000000006DD0000-0x0000000006F68000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-122-0x0000000006DD0000-0x0000000006F68000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-124-0x0000000006DD0000-0x0000000006F68000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-126-0x0000000006DD0000-0x0000000006F68000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-128-0x0000000006DD0000-0x0000000006F68000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-130-0x0000000006DD0000-0x0000000006F68000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-132-0x0000000006DD0000-0x0000000006F68000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-138-0x0000000006DD0000-0x0000000006F68000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2356-136-0x0000000006DD0000-0x0000000006F68000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2468-9-0x0000000003030000-0x0000000003040000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2468-41-0x0000000008AF0000-0x000000000916A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/2468-24-0x00000000068B0000-0x00000000068CE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/2468-23-0x0000000006450000-0x00000000067A4000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/2468-6-0x0000000002FA0000-0x0000000002FD6000-memory.dmp
        Filesize

        216KB

        Download
      • memory/2468-18-0x0000000006280000-0x00000000062E6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2468-10-0x0000000005BE0000-0x0000000006208000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/2468-11-0x0000000005900000-0x0000000005922000-memory.dmp
        Filesize

        136KB

        Download
      • memory/2468-28-0x0000000006E00000-0x0000000006E22000-memory.dmp
        Filesize

        136KB

        Download
      • memory/2468-27-0x0000000006DB0000-0x0000000006DCA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/2468-26-0x0000000007870000-0x0000000007906000-memory.dmp
        Filesize

        600KB

        Download
      • memory/2468-25-0x0000000006900000-0x000000000694C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/2468-55-0x00000000750F0000-0x00000000758A0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2468-8-0x0000000003030000-0x0000000003040000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2468-7-0x00000000750F0000-0x00000000758A0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2468-12-0x0000000005A20000-0x0000000005A86000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3280-70-0x00000000750F0000-0x00000000758A0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3280-29-0x00000000750F0000-0x00000000758A0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3280-30-0x0000000002E70000-0x0000000002E80000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3280-31-0x0000000002E70000-0x0000000002E80000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4128-76-0x0000000000D60000-0x0000000000D70000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4128-74-0x00000000750F0000-0x00000000758A0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4128-91-0x00000000750F0000-0x00000000758A0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4128-75-0x0000000000D60000-0x0000000000D70000-memory.dmp
        Filesize

        64KB

        Download
      • memory/5108-58-0x0000000002D30000-0x0000000002D40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/5108-73-0x00000000750F0000-0x00000000758A0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/5108-57-0x00000000750F0000-0x00000000758A0000-memory.dmp
        Filesize

        7.7MB

        Download