Overview

overview

10

Static

static

3

21434ba1af...18.exe

windows7-x64

10

21434ba1af...18.exe

windows10-2004-x64

10

AmazonGamesSetup.exe

windows7-x64

6

AmazonGamesSetup.exe

windows10-2004-x64

6

LIXVoWXPPCyc5Jy.exe

windows7-x64

10

LIXVoWXPPCyc5Jy.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    03-07-2024 05:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LIXVoWXPPCyc5Jy.exe

  • Size

    2.5MB

  • MD5

    cef6d09b553a93f81942da9838b1ac57

  • SHA1

    c32fbf54b54dadabbae600645c417c163234daf5

  • SHA256

    d9aa21479a1a55d57839aee6310cd6853b2bc5215337aa72316a96f7be7ff3e5

  • SHA512

    05ed612b7d2e14b034a391d45b578e0eda2b52be3b8eeccb3534872de61d05d95b4b3e7f10bfa01ef6913d29a24404c8cf635c804f9fbe2820321078d1007928

  • SSDEEP

    49152:SoSto6fCl0KeaNs68/bXvlM28MTVTc6hhCkJNV8VicCFiO1:S9+0P9/rBRVTpIkJN+YcLO

Score
10/10
bitrattrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.34

C2

curtisusa.hopto.org:5215

Attributes
  • communication_password

    ee342c2505c08512ed898d3855498f1a

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe
    "C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AGbGTkAzcl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE6F5.tmp"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2700
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      "{path}"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpE6F5.tmp
    Filesize

    1KB

    MD5

    8b5857f528414e7a411f2e387703bb34

    SHA1

    c2c11c832dd6a4f792a35d9eee815b557549afdb

    SHA256

    98eb38f9fe051a3f86c8e39fd5720ab088809c76e20c5bd37c9ce952d0c3c928

    SHA512

    422ce404785b3b5293e30fc18a742aa4dab2b8593103b4058454ba8f1a38271c4d2949f5d60fad555ce91b835270869fa8b0645be23acfbe60e108cb2269f783

    Download Submit

  • memory/2336-21-0x00000000743D0000-0x000000007497B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2336-1-0x00000000743D0000-0x000000007497B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2336-2-0x00000000743D0000-0x000000007497B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2336-3-0x00000000743D0000-0x000000007497B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2336-4-0x00000000743D0000-0x000000007497B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2336-5-0x00000000743D0000-0x000000007497B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2336-0-0x00000000743D1000-0x00000000743D2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2568-23-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-26-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-19-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-17-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-12-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-11-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2568-9-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-18-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-22-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-16-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-29-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-27-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-20-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-30-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-31-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-32-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-33-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-35-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-34-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-36-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-37-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-38-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-39-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-41-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-40-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-42-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2568-43-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download