Overview

overview

10

Static

static

3

AmazonSetup.exe

windows7-x64

10

AmazonSetup.exe

windows10-2004-x64

10

AmazonGamesSetup.exe

windows7-x64

6

AmazonGamesSetup.exe

windows10-2004-x64

6

LIXVoWXPPCyc5Jy.exe

windows7-x64

10

LIXVoWXPPCyc5Jy.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    248950cf7a2d01e99e1e815c7dc5b28c_JaffaCakes118

  • Size

    2.8MB

  • Sample

    240704-ee672avenb

  • MD5

    248950cf7a2d01e99e1e815c7dc5b28c

  • SHA1

    1a7769c3996c2910fa22bd33f3a346e92b3c336b

  • SHA256

    18f501c16c958abd19fafa10b1fb5baac2387a51807eb9229fa1cbe4a663b9b6

  • SHA512

    140d73e524d0972f5a48dab8a970c2ce47e13f3182325b733d411a4f680f5cc8486ae6a5c24808c445e2d8828409eceebbefc3a4e5e58f336c2e3218a438bfa8

  • SSDEEP

    49152:ESeo65Ct0m42NzeP/HIvWV2hyVZelukZCWaOtBVxRQL73qPvqQ39dqp6b7t:qe0sK/6RqZeJAWaOj/RuUCQgAN

Score
10/10
bitratdiscoverytrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.34

C2

curtisusa.hopto.org:5215

Attributes
  • communication_password

    ee342c2505c08512ed898d3855498f1a

  • tor_process

    tor

Targets

    • Target

      AmazonSetup.exe

    • Size

      2.8MB

    • MD5

      21434ba1af9e80e0bb9d4e49e643d269

    • SHA1

      c460ce1a3fd7c3c5af78ab01a18bc62bcf3a8c8b

    • SHA256

      aa79d46aa459af0d46da380af6481f51369da4c4080a009028e83857dcd844f2

    • SHA512

      012a96b51ee1cefa86c0bfca56f0fe2a0e3d7ec061fa6868184234338dd5f2329bc0de2298d4a782c3e2bdb4bd665fd373adad6f28f26c2c6439972280d9d7b8

    • SSDEEP

      49152:AS4o6fCn0IO2N7Sb/h0vQV2vMHZYd6GZC+8qBBVRlEt73LfsL6kVOSo3dAf2doBn:AG0aw/8HWZY/A+8qvfli7fsLHgSw7G5P

    Score
    10/10
    bitrattrojanupx

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

      trojanbitrat

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      AmazonGamesSetup.exe

    • Size

      1.8MB

    • MD5

      02be3726c0a90958a3c30577d3b3a131

    • SHA1

      bedbab8bd74a9d7313ba32ca033c81ec32c04706

    • SHA256

      1a99f1054e51fe86416c59e5c526d69776fdabd7bb9831dbaab8582322121c7a

    • SHA512

      662eaa8d3b112ef981d27832a2a46b0ecb55e2d1dcf49fe1fbd134e3c4e02758bc9ad3db2e25f53fc174e2083dd278967f405a768fdd814612c9a43bc6d1c713

    • SSDEEP

      49152:G/mvl+01HHWra6IjgKDlUzIzsBKLxYqJKevCnuueO+0D17gM8s:bvUAnWrBq1ABzH

    Score
    6/10
    discovery

    • Downloads MZ/PE file

    behavioral3behavioral4

    • Target

      LIXVoWXPPCyc5Jy.exe

    • Size

      2.5MB

    • MD5

      cef6d09b553a93f81942da9838b1ac57

    • SHA1

      c32fbf54b54dadabbae600645c417c163234daf5

    • SHA256

      d9aa21479a1a55d57839aee6310cd6853b2bc5215337aa72316a96f7be7ff3e5

    • SHA512

      05ed612b7d2e14b034a391d45b578e0eda2b52be3b8eeccb3534872de61d05d95b4b3e7f10bfa01ef6913d29a24404c8cf635c804f9fbe2820321078d1007928

    • SSDEEP

      49152:SoSto6fCl0KeaNs68/bXvlM28MTVTc6hhCkJNV8VicCFiO1:S9+0P9/rBRVTpIkJN+YcLO

    Score
    10/10
    bitrattrojanupx

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

      trojanbitrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks