Overview

overview

10

Static

static

3

d0f8c7eda9...35.exe

windows7-x64

10

d0f8c7eda9...35.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-03-2024 13:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d0f8c7eda9a5e772e3be9c3b67f43e35.exe

  • Size

    4.0MB

  • MD5

    d0f8c7eda9a5e772e3be9c3b67f43e35

  • SHA1

    d73903af0fa940d67c123eb6e6722325e656c9c0

  • SHA256

    29f877de694aa77ca19d69ce15720a139b75f201761df81c70b64354290c87c2

  • SHA512

    d80dcfd2bb53674dca019cba0bed0894030da893d492baa38392ead742adc86e3722a0b0c490352ea263d01d8a8e02a0ed71cda183d3abecdeaca54feb380597

  • SSDEEP

    98304:uVXHrDqvnhfHh5Evm6KdlS522XiFC7o3vUzGJ:WXUhfnmmfz2J7Y

Score
10/10
bitrattrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

8.208.27.150:4550

Attributes
  • communication_password

    9996535e07258a7bbfd8b132435c5962

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0f8c7eda9a5e772e3be9c3b67f43e35.exe
    "C:\Users\Admin\AppData\Local\Temp\d0f8c7eda9a5e772e3be9c3b67f43e35.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c
      2⤵
        PID:5028
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        2⤵
          PID:1424
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 188
            3⤵
            • Program crash
            PID:1868
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "NanoShield" /tr "'C:\Users\Admin\AppData\Roaming\rarr\rarr.exe'" /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4412
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "NanoShield" /tr "'C:\Users\Admin\AppData\Roaming\rarr\rarr.exe'" /f
            3⤵
            • Creates scheduled task(s)
            PID:4636
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\d0f8c7eda9a5e772e3be9c3b67f43e35.exe" "C:\Users\Admin\AppData\Roaming\rarr\rarr.exe"
          2⤵
            PID:5036
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1424 -ip 1424
          1⤵
            PID:2944
          • C:\Users\Admin\AppData\Roaming\rarr\rarr.exe
            C:\Users\Admin\AppData\Roaming\rarr\rarr.exe
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4124
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c
              2⤵
                PID:4404
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                2⤵
                  PID:3628
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 188
                    3⤵
                    • Program crash
                    PID:1172
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3628 -ip 3628
                1⤵
                  PID:1384

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Roaming\rarr\rarr.exe
                  Filesize

                  1.2MB

                  MD5

                  806c3b0a93eeff79e24c1ab337561cbd

                  SHA1

                  089596126178324ab047f64dd346be1abe1367ab

                  SHA256

                  7397400b6fb629c0aa3227495f26614f4630954699fa0227a12141af143e1661

                  SHA512

                  cda936323f85790a20b84cc9c8bc186012eee7f81211990747c50c9af94eff0b001e455f188a99b724adc3d55704be148eeef3c763305a1c16ca96970b06ca1b

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\rarr\rarr.exe
                  Filesize

                  1.2MB

                  MD5

                  0c59151a9711e254028e6f7b6dd50a39

                  SHA1

                  ea335ad4cca3e2c78a2f9b7e0c63474e10c11d66

                  SHA256

                  416386bd57a75337e8b32a65f479b21188c4dd1955a60eea21d712bf0b86b0a8

                  SHA512

                  bef8090274d304da223eefef0556bebae20320f6f42441674e0c6f0972ad798cccdb13d8201027826e2e034ab1dd32b9d9dc5f8bf5a45ff824046fad33e95dfd

                  Download Submit

                • memory/1424-15-0x0000000001100000-0x00000000014CE000-memory.dmp

                  Filesize

                  3.8MB

                  Download

                • memory/1424-7-0x0000000001100000-0x00000000014CE000-memory.dmp

                  Filesize

                  3.8MB

                  Download

                • memory/1424-11-0x0000000001100000-0x00000000014CE000-memory.dmp

                  Filesize

                  3.8MB

                  Download

                • memory/2444-16-0x0000000074830000-0x0000000074FE0000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/2444-5-0x0000000004F00000-0x0000000004F0A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/2444-4-0x00000000050F0000-0x0000000005100000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2444-0-0x00000000004A0000-0x00000000008A8000-memory.dmp

                  Filesize

                  4.0MB

                  Download

                • memory/2444-3-0x0000000004F10000-0x0000000004FA2000-memory.dmp

                  Filesize

                  584KB

                  Download

                • memory/2444-17-0x00000000050F0000-0x0000000005100000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2444-2-0x0000000005420000-0x00000000059C4000-memory.dmp

                  Filesize

                  5.6MB

                  Download

                • memory/2444-1-0x0000000074830000-0x0000000074FE0000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/3628-30-0x0000000000D70000-0x000000000113E000-memory.dmp

                  Filesize

                  3.8MB

                  Download

                • memory/3628-34-0x0000000000D70000-0x000000000113E000-memory.dmp

                  Filesize

                  3.8MB

                  Download

                • memory/4124-23-0x0000000000590000-0x0000000000998000-memory.dmp

                  Filesize

                  4.0MB

                  Download

                • memory/4124-22-0x0000000074830000-0x0000000074FE0000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/4124-24-0x00000000050A0000-0x00000000050B0000-memory.dmp

                  Filesize

                  64KB

                  Download