Overview

overview

10

Static

static

3

c63582cc8c...f3.exe

windows7-x64

10

c63582cc8c...f3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-03-2024 15:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c63582cc8c24d69e4bb0829e71f395f3.exe

  • Size

    2.5MB

  • MD5

    c63582cc8c24d69e4bb0829e71f395f3

  • SHA1

    b789bcd4020aa3bd35ad11a2fbe023772b98a648

  • SHA256

    79f721fce9ff531d55a30dca577a8c55790d9a5b88158654e1daee60e4ed014a

  • SHA512

    170c288927099f254a16ad52155e1ebba2067bab3e8b9e771a81b9946ce3c854ff7275b74911ab8e111e32efd667bcd2359aca3effca41d59447fa57df3beaad

  • SSDEEP

    49152:zb30Hlkz8scuXSG6sIr4ulgbRYfbSVfbpQxLK/SejMqzMgJKl:JoBuXL6sIUueFYfb0f1hMqQgUl

Score
10/10
bitratpersistencetrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

jairoandresotalvarorend.linkpc.net:9084

Attributes
  • communication_password

    bfdba24ee3d61f0260c4dc1034c3ee43

  • install_dir

    winlogomdefenerec

  • install_file

    winlogomdefenerec.exe

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: RenamesItself 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c63582cc8c24d69e4bb0829e71f395f3.exe
    "C:\Users\Admin\AppData\Local\Temp\c63582cc8c24d69e4bb0829e71f395f3.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4116
    • C:\Users\Admin\AppData\Local\Temp\c63582cc8c24d69e4bb0829e71f395f3.exe
      "C:\Users\Admin\AppData\Local\Temp\c63582cc8c24d69e4bb0829e71f395f3.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2432

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2432-29-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2432-30-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2432-38-0x0000000074240000-0x0000000074279000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2432-20-0x0000000074580000-0x00000000745B9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2432-22-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2432-36-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2432-35-0x0000000074240000-0x0000000074279000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2432-34-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2432-33-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2432-32-0x0000000074240000-0x0000000074279000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2432-31-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2432-28-0x0000000074240000-0x0000000074279000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2432-12-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2432-13-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2432-15-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2432-27-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2432-18-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2432-19-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2432-26-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2432-37-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2432-21-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2432-23-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2432-24-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2432-25-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/4116-10-0x0000000009590000-0x0000000009780000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4116-17-0x0000000074670000-0x0000000074E20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4116-11-0x0000000007BA0000-0x0000000007D18000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4116-1-0x0000000074670000-0x0000000074E20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4116-0-0x0000000000150000-0x00000000003CE000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/4116-3-0x0000000004E30000-0x0000000004EC2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4116-9-0x0000000005090000-0x00000000050A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4116-6-0x0000000004DB0000-0x0000000004DBA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4116-7-0x0000000006D50000-0x0000000006D6A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4116-8-0x0000000074670000-0x0000000074E20000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4116-5-0x0000000005090000-0x00000000050A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4116-4-0x0000000004ED0000-0x0000000004F6C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4116-2-0x00000000053E0000-0x0000000005984000-memory.dmp

    Filesize

    5.6MB

    Download