Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-ltsc_2021_x64 -
resource
win10ltsc2021-20250314-en -
resource tags
-
submitted
05/04/2025, 12:07
General
-
Target
rihuata-main/mbnorad.exe
-
Size
3.8MB
-
MD5
808005572c1c65a4a6166ed83f7180b4
-
SHA1
0c5818685f1a9bfe42dfad3323e964176d245e1c
-
SHA256
1f0279acdb1535a39a82d8a1baaf10e9dc307c043e38f53752e64408b50c58aa
-
SHA512
73cbcd79dfa5de8576afb4900a0a152329c76ac88e0cb2cc2e1c4ab4bae041b2eb04720490a7509e23fc267fcfa37d8dca6df68bb0ffbbf892bb1e7a887be80c
-
SSDEEP
98304:d77Pmq33rE/JDLPWZADUGer7B6iY74M/PmlwXVZ4FB:5+R/eZADUXR
Score
10/10
Malware Config
Extracted
Family
bitrat
Version
1.38
C2
31.177.110.225:8080
Attributes
-
communication_password
81dc9bdb52d04dc20036dbd8313ed055
-
install_dir
Appdata
-
install_file
FileManager
-
tor_process
tor
Signatures
-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
Bitrat family
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: RenamesItself 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\rihuata-main\mbnorad.exe"C:\Users\Admin\AppData\Local\Temp\rihuata-main\mbnorad.exe"1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Appdata\FileManager1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23B
MD53aea26bbb1a80be6defef5e08b785138
SHA147bd5d2600766cb214972441b754fbf0e2e1a458
SHA2562321bd0dcab3570cb4b36871411be2b13d70ccbaca5db547ed054b87ee563684
SHA5121f9bd684b0ee7f3b5a427f4899b86aec322931ad835e2f05c8cebb52a8c03d59f6ad3c7e37fc340035fe3a5b0d891cb626f8f2a32568ff337d656a3a8636a7a9
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
228KB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
228KB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
3.8MB