Overview

overview

10

Static

static

3

221b9.exe

windows10-2004-x64

10

2c42a36d7.exe

windows10-2004-x64

10

2da5f7422573.exe

windows10-2004-x64

3

3fcc16.exe

windows10-2004-x64

3

4772.exe

windows10-2004-x64

10

6c1a.exe

windows10-2004-x64

10

79330.exe

windows10-2004-x64

10

afc500c.exe

windows10-2004-x64

8

ef62b5a6474.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/03/2025, 18:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c1a.exe

  • Size

    2.9MB

  • MD5

    2342f3d5723d354f19844400bfc63b8f

  • SHA1

    535009ed27ed4364493cecd0d871c0e45505a21f

  • SHA256

    b88e6baf28fcfa45e9f951160e8dc0b017218171d4c4636fb628136c2bf6c1ac

  • SHA512

    1a0fc9d77d19d5fe1243e348b4a4938518e429ce92f3bbe453a9f0116fc5c21f78df6a7af24419fb45b0f5c322a0bcbf63ec7552758fccc9e92b713b4caee10a

  • SSDEEP

    24576:CaiYyi79nghoOKuvA2lrCuFWzYUKcqLcVFNT7zl3Xr4cqtBCGMUSDqH5uVBDcwDM:Qoig3DFHWfypES55XtB5Yg8KdaO

Score
10/10
bitratdiscoverypersistencetrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

62.210.11.126:9024

Attributes
  • communication_password

    57e9678c1972887ccb37a6296021d65d

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Bitrat family
    bitrat
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c1a.exe
    "C:\Users\Admin\AppData\Local\Temp\6c1a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3784
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2424

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2424-31-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2424-25-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2424-40-0x00000000751D0000-0x0000000075209000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2424-39-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2424-38-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2424-37-0x00000000751D0000-0x0000000075209000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2424-36-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2424-35-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2424-34-0x0000000074E30000-0x0000000074E69000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2424-10-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2424-11-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2424-13-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2424-15-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2424-12-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2424-33-0x00000000751D0000-0x0000000075209000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2424-18-0x0000000074E30000-0x0000000074E69000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2424-32-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2424-26-0x00000000751D0000-0x0000000075209000-memory.dmp

    Filesize

    228KB

    Download

  • memory/2424-19-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2424-27-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2424-29-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2424-28-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2424-30-0x00000000751D0000-0x0000000075209000-memory.dmp

    Filesize

    228KB

    Download

  • memory/3784-1-0x0000000000870000-0x0000000000B60000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/3784-0-0x0000000074F2E000-0x0000000074F2F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3784-16-0x0000000074F20000-0x00000000756D0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3784-8-0x0000000006270000-0x00000000065C4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3784-7-0x00000000059E0000-0x0000000005A02000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3784-6-0x0000000074F20000-0x00000000756D0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3784-5-0x00000000060F0000-0x0000000006266000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3784-4-0x00000000057D0000-0x00000000059DC000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3784-3-0x0000000005530000-0x00000000055C2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3784-2-0x0000000005A40000-0x0000000005FE4000-memory.dmp

    Filesize

    5.6MB

    Download