Overview

overview

10

Static

static

5

4d26e12d17...3c.exe

windows7-x64

10

4d26e12d17...3c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    12-05-2024 00:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4d26e12d17a42568aa1f7d4b2f36aa3c.exe

  • Size

    2.0MB

  • MD5

    4d26e12d17a42568aa1f7d4b2f36aa3c

  • SHA1

    c65c6120cb491c683d28cd7d913e062ca71acdf4

  • SHA256

    c3bf75a13d38a48c126476948c06bdfca08ee0bb706a39c5d97f77e6c63fb8ae

  • SHA512

    5dbecb961fd21062cc9fab5ea4ebb22563331bbfb6210b06ef38f9cf5620f26862f1e954659859afcc58d5fdf0a95e2ac968cb574618ae346f167c0e1909d2dd

  • SSDEEP

    49152:ZTvC/MTQYxsWR7afXmpqVyBl8VaLH4QxP6Xw:ljTQYxsWR+mpqVA2YD466X

Score
10/10
bitrattrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

MyBtrpub.dynuddns.com:8889

Attributes
  • communication_password

    cba52b50d9cf77a308a6bedcd075f95e

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d26e12d17a42568aa1f7d4b2f36aa3c.exe
    "C:\Users\Admin\AppData\Local\Temp\4d26e12d17a42568aa1f7d4b2f36aa3c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
        PID:2696
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        2⤵
          PID:2360
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          2⤵
            PID:2464
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            2⤵
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2132

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2132-52-0x0000000000290000-0x000000000065E000-memory.dmp
          Filesize

          3.8MB

          Download
        • memory/2132-83-0x0000000000290000-0x000000000065E000-memory.dmp
          Filesize

          3.8MB

          Download
        • memory/2132-49-0x0000000000290000-0x000000000065E000-memory.dmp
          Filesize

          3.8MB

          Download
        • memory/2132-33-0x0000000000290000-0x000000000065E000-memory.dmp
          Filesize

          3.8MB

          Download
        • memory/2132-35-0x0000000000290000-0x000000000065E000-memory.dmp
          Filesize

          3.8MB

          Download
        • memory/2132-36-0x0000000000290000-0x000000000065E000-memory.dmp
          Filesize

          3.8MB

          Download
        • memory/2132-38-0x0000000000290000-0x000000000065E000-memory.dmp
          Filesize

          3.8MB

          Download
        • memory/2132-44-0x0000000000290000-0x000000000065E000-memory.dmp
          Filesize

          3.8MB

          Download
        • memory/2132-45-0x0000000000290000-0x000000000065E000-memory.dmp
          Filesize

          3.8MB

          Download
        • memory/2132-46-0x0000000000290000-0x000000000065E000-memory.dmp
          Filesize

          3.8MB

          Download
        • memory/2132-48-0x0000000000170000-0x000000000017A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/2132-47-0x0000000000170000-0x000000000017A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/2132-91-0x0000000000290000-0x000000000065E000-memory.dmp
          Filesize

          3.8MB

          Download
        • memory/2132-87-0x0000000000290000-0x000000000065E000-memory.dmp
          Filesize

          3.8MB

          Download
        • memory/2132-62-0x0000000000170000-0x000000000017A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/2132-53-0x0000000000290000-0x000000000065E000-memory.dmp
          Filesize

          3.8MB

          Download
        • memory/2132-55-0x0000000000290000-0x000000000065E000-memory.dmp
          Filesize

          3.8MB

          Download
        • memory/2132-58-0x0000000000290000-0x000000000065E000-memory.dmp
          Filesize

          3.8MB

          Download
        • memory/2132-50-0x0000000000290000-0x000000000065E000-memory.dmp
          Filesize

          3.8MB

          Download
        • memory/2132-61-0x0000000000170000-0x000000000017A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/2132-63-0x0000000000290000-0x000000000065E000-memory.dmp
          Filesize

          3.8MB

          Download
        • memory/2132-67-0x0000000000290000-0x000000000065E000-memory.dmp
          Filesize

          3.8MB

          Download
        • memory/2132-71-0x0000000000290000-0x000000000065E000-memory.dmp
          Filesize

          3.8MB

          Download
        • memory/2132-75-0x0000000000290000-0x000000000065E000-memory.dmp
          Filesize

          3.8MB

          Download
        • memory/2132-79-0x0000000000290000-0x000000000065E000-memory.dmp
          Filesize

          3.8MB

          Download
        • memory/2360-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2464-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2696-24-0x0000000000270000-0x000000000063E000-memory.dmp
          Filesize

          3.8MB

          Download