Overview

overview

10

Static

static

3

SQLi v.8.5.exe

windows7-x64

10

SQLi v.8.5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-06-2024 09:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SQLi v.8.5.exe

  • Size

    12.7MB

  • MD5

    d887c03a2d230dc196c8b3ac47030b9e

  • SHA1

    b4d08bf36841ffdeb0750455021a707804f8d509

  • SHA256

    b693010f3f342fb06dd959f2553b7937d5daeaf9b4b7fd800ed5a9a6d8a099e7

  • SHA512

    6cee30d2448b930504f0933ca04e7f30fb3e1f2924d490146c0168308298d222cf5eb83885da405ba8fcd92b7f4979e23b4f9c706c936df5bfb52d2819022072

  • SSDEEP

    196608:OhzlOFCwaHNFrXW+YrDkx/NNYz7vPmHpBt:2zMCwaHNlXW+Y/kx/TyPmj

Score
10/10
bitratpersistencetrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.34

C2

80.85.156.209:8080

Attributes
  • communication_password

    ae5eb824ef87499f644c3f11a7176157

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SQLi v.8.5.exe
    "C:\Users\Admin\AppData\Local\Temp\SQLi v.8.5.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Users\Admin\AppData\Local\Temp\0.exe
      "C:\Users\Admin\AppData\Local\Temp\0.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3068
    • C:\Users\Admin\AppData\Local\Temp\pebloso.exe
      "C:\Users\Admin\AppData\Local\Temp\pebloso.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4708
      • C:\Users\Admin\AppData\Local\Temp\pebloso.exe
        "C:\Users\Admin\AppData\Local\Temp\pebloso.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1600
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4b4 0x33c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3968

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0.exe
    Filesize

    2.3MB

    MD5

    f558500b09118c2d5482c0097d41b986

    SHA1

    ebdd90df103acb0a28a46b4affde511f5b0bb6d0

    SHA256

    4081a78ba280d28c56551983e515486a1dacf9ba26a3e76a71060982cc9e5ed7

    SHA512

    d4bfd969d7e8e0ff7aedf55ea69398ced8bd81dd2bde7e87a79d6890fa4b38d0275ceb8c72e20336d97bff2252cd904e27f8023b93dacf961d7345d18e0e7441

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pebloso.exe
    Filesize

    6.2MB

    MD5

    4d28de913b4b1e07f75c75e3cdd75add

    SHA1

    ce6735e3a3b68b904bda4ea150adfed689b8d18a

    SHA256

    e43d70c273c8c083b5368e6c8dfd74e403a3f6b5e263609497940bb94ecc6f01

    SHA512

    ea7bc0621977f6a9833c28945c41681c065073fb8b63e44118d772f0132dea60c6ed2c5129cb6072d5e315ee82e512bc54686adace9aa979e443b7803aa41a1a

    Download Submit

  • memory/1600-56-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1600-44-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1600-71-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1600-69-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1600-61-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1600-48-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1600-31-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1600-30-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1600-32-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1600-68-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1600-35-0x0000000074D50000-0x0000000074D89000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1600-36-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1600-41-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1600-42-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1600-43-0x0000000074A30000-0x0000000074A69000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1600-63-0x0000000074A30000-0x0000000074A69000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1600-70-0x0000000074A30000-0x0000000074A69000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1600-64-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1600-28-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1600-49-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1600-50-0x0000000074A30000-0x0000000074A69000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1600-51-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1600-54-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1600-55-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1600-57-0x0000000074A30000-0x0000000074A69000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1600-62-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/1600-58-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2132-0-0x0000000001390000-0x0000000001391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2132-25-0x0000000000400000-0x00000000010C1000-memory.dmp

    Filesize

    12.8MB

    Download

  • memory/3068-24-0x00007FFFEF7E0000-0x00007FFFF02A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3068-15-0x00007FFFEF7E3000-0x00007FFFEF7E5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3068-47-0x00007FFFEF7E0000-0x00007FFFF02A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3068-45-0x00007FFFEF7E3000-0x00007FFFEF7E5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3068-21-0x0000000000500000-0x000000000075A000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/4708-33-0x0000000000400000-0x0000000000A8E000-memory.dmp

    Filesize

    6.6MB

    Download