Overview

overview

10

Static

static

10

23ac6a9a61...in.exe

windows7-x64

10

23ac6a9a61...in.exe

windows10-1703-x64

10

23ac6a9a61...in.exe

windows10-2004-x64

10

23ac6a9a61...in.exe

windows11-21h2-x64

10

Resubmissions

09-04-2024 13:11

240409-qe3emafg95 10

09-04-2024 13:11

240409-qe2s4afg94 10

09-04-2024 13:10

240409-qegg6aba8y 10

09-04-2024 13:10

240409-qefwmafg75 10

10-07-2021 10:36

210710-89hyhpsaw6 9

Analysis

  • max time kernel
    1199s
  • max time network
    1200s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    09-04-2024 13:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    23ac6a9a61ddc568b82e23d19873e1756be1450cd9989f698be3d18f083f24aa.bin.exe

  • Size

    5.2MB

  • MD5

    0bff2eb7cf8fbbf17ff6594b09101e3b

  • SHA1

    bfa77a5afa5d45aa178edc14361ca2a5825c96f5

  • SHA256

    23ac6a9a61ddc568b82e23d19873e1756be1450cd9989f698be3d18f083f24aa

  • SHA512

    0861b861e3579ea7867515cea737f811b28bdc689fe24a8e89d1cd9c47d621eb76488a444406d604e0ac860d5f4a8ec73d931828d4281372ad7827af61e73f13

  • SSDEEP

    98304:3mcwWGj36qlPEo+AiJGIvKL10DGXPXbgkIjqNFHBAMSEFkU9WFn5fG2iD8ND3+P:2BP7lPEo+Phu3LjIjqjHBqEFPEF579Nr

Score
10/10
bitratpersistencetrojanupx

Malware Config

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • BitRAT payload 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 7 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 11 IoCs
  • UPX packed file 34 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 64 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: RenamesItself 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\23ac6a9a61ddc568b82e23d19873e1756be1450cd9989f698be3d18f083f24aa.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\23ac6a9a61ddc568b82e23d19873e1756be1450cd9989f698be3d18f083f24aa.bin.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies system certificate store
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:948
    • C:\Users\Admin\AppData\Local\e0c93a5e\tor\javaupdate.exe
      "C:\Users\Admin\AppData\Local\e0c93a5e\tor\javaupdate.exe" -f torrc
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\e0c93a5e\tor\data\cached-microdescs.new
    Filesize

    11.3MB

    MD5

    ba5ebc3ac8966d9caaef0c3ddf0738dd

    SHA1

    3de55c15dd2d257acab709321c0c197fe9d6400e

    SHA256

    421c1c92285305a3115bbcea088e97c634e59a98a2eeb6e6e9bc45139c38f945

    SHA512

    a3df69a24340a4ed78b02c7e6b464f23309150dec8a272e65e053e4f6f0435e2d2f23c67f9a1227c9773c83b52a8083720b526b7d99000ebd4f4293c353ae08e

    Download Submit
  • C:\Users\Admin\AppData\Local\e0c93a5e\tor\data\unverified-microdesc-consensus
    Filesize

    2.6MB

    MD5

    cc74fe855429ddc5afd0492c81a99ed3

    SHA1

    9f01e7f41fe661b9d0ea01b5618d3ca142e0e9c8

    SHA256

    d4244a317932d44c7cdc64bf716a1452c61bfafd28b8ab0fa85fb785725e8dbc

    SHA512

    4a11e0b81b9714e42841ff7744a1baedc8396589cd275ce0627502c5e9582ecdb279602325c01a07616d5d1e4c635ae9aa12353e3273c310e735c480a3f9c442

    Download Submit
  • C:\Users\Admin\AppData\Local\e0c93a5e\tor\libcrypto-1_1.dll
    Filesize

    1.7MB

    MD5

    2384a02c4a1f7ec481adde3a020607d3

    SHA1

    7e848d35a10bf9296c8fa41956a3daa777f86365

    SHA256

    c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369

    SHA512

    1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503

    Download Submit
  • C:\Users\Admin\AppData\Local\e0c93a5e\tor\libevent-2-1-6.dll
    Filesize

    366KB

    MD5

    099983c13bade9554a3c17484e5481f1

    SHA1

    a84e69ad9722f999252d59d0ed9a99901a60e564

    SHA256

    b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838

    SHA512

    89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2

    Download Submit
  • C:\Users\Admin\AppData\Local\e0c93a5e\tor\libssl-1_1.dll
    Filesize

    439KB

    MD5

    c88826ac4bb879622e43ead5bdb95aeb

    SHA1

    87d29853649a86f0463bfd9ad887b85eedc21723

    SHA256

    c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f

    SHA512

    f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3

    Download Submit
  • C:\Users\Admin\AppData\Local\e0c93a5e\tor\libssp-0.dll
    Filesize

    88KB

    MD5

    2c916456f503075f746c6ea649cf9539

    SHA1

    fa1afc1f3d728c89b2e90e14ca7d88b599580a9d

    SHA256

    cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6

    SHA512

    1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd

    Download Submit
  • C:\Users\Admin\AppData\Local\e0c93a5e\tor\libwinpthread-1.dll
    Filesize

    188KB

    MD5

    d407cc6d79a08039a6f4b50539e560b8

    SHA1

    21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71

    SHA256

    92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e

    SHA512

    378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c

    Download Submit
  • C:\Users\Admin\AppData\Local\e0c93a5e\tor\torrc
    Filesize

    139B

    MD5

    b5bb1313df0efb6309cbb9e97b992636

    SHA1

    ade9cd0aaf21358b4018f1c7350910442c252bae

    SHA256

    58b5958bc1a62b6a4e48d5ecf9773a87ff8c23d8736d7695b13ba158a57e9bae

    SHA512

    e8fea7789af8ed5173461c3e40cf4af0990c0aa042bfec51b87084b09e3d6ba0130c27b6c959dc505ff3fea72b4593d12c06fbb5c453581efcdc77693d40e292

    Download Submit
  • C:\Users\Admin\AppData\Local\e0c93a5e\tor\zlib1.dll
    Filesize

    52KB

    MD5

    add33041af894b67fe34e1dc819b7eb6

    SHA1

    6db46eb021855a587c95479422adcc774a272eeb

    SHA256

    8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

    SHA512

    bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

    Download Submit
  • \Users\Admin\AppData\Local\e0c93a5e\tor\javaupdate.exe
    Filesize

    973KB

    MD5

    5cfe61ff895c7daa889708665ef05d7b

    SHA1

    5e58efe30406243fbd58d4968b0492ddeef145f2

    SHA256

    f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5

    SHA512

    43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da

    Download Submit
  • \Users\Admin\AppData\Local\e0c93a5e\tor\libgcc_s_sjlj-1.dll
    Filesize

    286KB

    MD5

    b0d98f7157d972190fe0759d4368d320

    SHA1

    5715a533621a2b642aad9616e603c6907d80efc4

    SHA256

    2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5

    SHA512

    41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496

    Download Submit
  • memory/948-83-0x0000000004080000-0x0000000004484000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/948-114-0x00000000002D0000-0x00000000002DA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-1154-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-1134-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-1202-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-1106-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-1105-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-1080-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-1006-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-0-0x0000000000400000-0x0000000000D54000-memory.dmp
    Filesize

    9.3MB

    Download
  • memory/948-834-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-1222-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-15-0x0000000004080000-0x0000000004484000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/948-825-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-786-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-750-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-730-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-710-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-82-0x0000000000400000-0x0000000000D54000-memory.dmp
    Filesize

    9.3MB

    Download
  • memory/948-460-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-638-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-613-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-555-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-532-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-506-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-1185-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-113-0x00000000002D0000-0x00000000002DA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-507-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-481-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-140-0x00000000002D0000-0x00000000002DA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-141-0x00000000002D0000-0x00000000002DA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-482-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-483-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-172-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-173-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-190-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-226-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-246-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-247-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-268-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-318-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-319-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-337-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-336-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-357-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-374-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-375-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-398-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-431-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/948-459-0x0000000000F40000-0x0000000000F4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1956-46-0x0000000074CA0000-0x0000000074F6F000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/1956-153-0x0000000000D90000-0x0000000001194000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1956-142-0x0000000000D90000-0x0000000001194000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1956-132-0x0000000000D90000-0x0000000001194000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1956-118-0x0000000000D90000-0x0000000001194000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1956-105-0x0000000000D90000-0x0000000001194000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1956-94-0x0000000000D90000-0x0000000001194000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1956-93-0x00000000011A0000-0x00000000015A4000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1956-85-0x0000000000D90000-0x0000000001194000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1956-84-0x0000000000D90000-0x0000000001194000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1956-73-0x00000000749F0000-0x0000000074ABE000-memory.dmp
    Filesize

    824KB

    Download
  • memory/1956-71-0x0000000074AC0000-0x0000000074BCA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1956-70-0x0000000074BD0000-0x0000000074C98000-memory.dmp
    Filesize

    800KB

    Download
  • memory/1956-69-0x0000000075200000-0x0000000075249000-memory.dmp
    Filesize

    292KB

    Download
  • memory/1956-67-0x0000000000D90000-0x0000000001194000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1956-47-0x00000000011A0000-0x00000000015A4000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1956-45-0x00000000011A0000-0x00000000015A4000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1956-44-0x00000000011A0000-0x00000000015A4000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1956-43-0x00000000752A0000-0x00000000752C4000-memory.dmp
    Filesize

    144KB

    Download
  • memory/1956-42-0x00000000749F0000-0x0000000074ABE000-memory.dmp
    Filesize

    824KB

    Download
  • memory/1956-38-0x0000000075170000-0x00000000751F8000-memory.dmp
    Filesize

    544KB

    Download
  • memory/1956-37-0x0000000074AC0000-0x0000000074BCA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1956-31-0x0000000000D90000-0x0000000001194000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1956-32-0x0000000075200000-0x0000000075249000-memory.dmp
    Filesize

    292KB

    Download
  • memory/1956-36-0x0000000074BD0000-0x0000000074C98000-memory.dmp
    Filesize

    800KB

    Download