Play interactive tourEdit tour
Windows Analysis Report Dkvunfebdprvvugtyhevcozxmecjaaclna.exe
Overview
General Information
Detection
BitRAT
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Yara detected BitRAT
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Hides threads from debuggers
Writes to foreign memory regions
Uses cmd line tools excessively to alter registry or file data
Machine Learning detection for sample
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Installs a global mouse hook
Uses reg.exe to modify the Windows registry
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
Process Tree |
---|
|
Malware Configuration |
---|
Threatname: BitRat |
---|
{"Host": "u876134.nvpn.to", "Port": "2405", "Tor Port": "0", "Install Dir": "0", "Install File": "0", "Communication Password": "b8f58c3067916bbfb50766aa8bddd42c", "Tor Process Name": "tor"}
Yara Overview |
---|
Dropped Files |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) |
|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security | ||
JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security | ||
JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
AV Detection: |
---|
Found malware configuration | Show sources |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Multi AV Scanner detection for dropped file | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Machine Learning detection for sample | Show sources |
Source: | Joe Sandbox ML: |
Machine Learning detection for dropped file | Show sources |
Source: | Joe Sandbox ML: |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Networking: |
---|
C2 URLs / IPs found in malware configuration | Show sources |
Source: | URLs: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: |
Source: | TCP traffic: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
Source: | Code function: | 17_2_10425782 |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Windows user hook set: | Jump to behavior |
Source: | Static PE information: |
Source: | Matched rule: |
Source: | Code function: | 0_3_03500A8C | |
Source: | Code function: | 17_2_104170B3 | |
Source: | Code function: | 17_2_104213B9 | |
Source: | Code function: | 17_2_1069C54E | |
Source: | Code function: | 17_2_1041EA72 | |
Source: | Code function: | 17_2_1069DCD0 |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Process created: |
Source: | Dropped File: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | Classification label: |
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | Code function: | 17_2_10432D5E |
Source: | Process created: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior |
Source: | Window detected: |
Source: | Code function: | 0_3_034E0BBD | |
Source: | Code function: | 0_3_034F8B3B | |
Source: | Code function: | 0_3_034FAB44 | |
Source: | Code function: | 0_3_034EBB5A | |
Source: | Code function: | 0_3_034F9BF6 | |
Source: | Code function: | 0_3_034E9A09 | |
Source: | Code function: | 0_3_034EC2CC | |
Source: | Code function: | 0_3_034F620C | |
Source: | Code function: | 0_3_0351717C | |
Source: | Code function: | 0_3_034D2177 | |
Source: | Code function: | 0_3_034E023E | |
Source: | Code function: | 0_3_034FA070 | |
Source: | Code function: | 0_3_034E2841 | |
Source: | Code function: | 0_3_034E2885 | |
Source: | Code function: | 0_3_034E2721 | |
Source: | Code function: | 0_3_034EA7DF | |
Source: | Code function: | 0_3_034EC68B | |
Source: | Code function: | 0_3_0350166F | |
Source: | Code function: | 0_3_034D2F2A | |
Source: | Code function: | 0_3_034F9580 | |
Source: | Code function: | 0_3_034DA5A8 | |
Source: | Code function: | 0_3_034F7DE0 | |
Source: | Code function: | 0_3_034ECC3B | |
Source: | Code function: | 0_3_034F9C30 | |
Source: | Code function: | 0_3_034D9DBA | |
Source: | Code function: | 0_3_034E24C5 | |
Source: | Code function: | 0_3_034F6D17 | |
Source: | Code function: | 0_3_03508490 | |
Source: | Code function: | 17_2_1069A4BC | |
Source: | Code function: | 17_2_1069B499 | |
Source: | Code function: | 17_2_106C9C5A |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Code function: | 17_2_107F2730 |
Source: | Static PE information: |
Persistence and Installation Behavior: |
---|
Uses cmd line tools excessively to alter registry or file data | Show sources |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | File created: | Jump to dropped file |
Boot Survival: |
---|
Uses schtasks.exe or at.exe to add and modify task schedules | Show sources |
Source: | Process created: |
Source: | Registry value created or modified: | Jump to behavior | ||
Source: | Registry value created or modified: | Jump to behavior |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior |
Source: | Last function: | ||
Source: | Last function: | ||
Source: | Last function: |
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | Code function: | 17_2_104190D7 |
Source: | Thread delayed: | Jump to behavior |
Source: | Binary or memory string: |
Anti Debugging: |
---|
Hides threads from debuggers | Show sources |
Source: | Thread information set: | Jump to behavior | ||
Source: | Thread information set: | Jump to behavior | ||
Source: | Thread information set: | Jump to behavior | ||
Source: | Thread information set: | Jump to behavior | ||
Source: | Thread information set: | Jump to behavior |
Source: | Code function: | 17_2_106A4A7C |
Source: | Code function: | 17_2_107F2730 |
Source: | Code function: | 17_2_1041F6F5 |
Source: | Process token adjusted: | Jump to behavior |
Source: | Code function: | 17_2_106B482C |
Source: | Code function: | 0_3_034D8164 |
Source: | Code function: | 17_2_1069A7EA | |
Source: | Code function: | 17_2_106A4A7C |
HIPS / PFW / Operating System Protection Evasion: |
---|
Writes to foreign memory regions | Show sources |
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior |
Injects a PE file into a foreign processes | Show sources |
Source: | Memory written: | Jump to behavior |
Creates a thread in another existing process (thread injection) | Show sources |
Source: | Thread created: | Jump to behavior | ||
Source: | Thread created: | Jump to behavior | ||
Source: | Thread created: | Jump to behavior | ||
Source: | Thread created: | Jump to behavior | ||
Source: | Thread created: | Jump to behavior | ||
Source: | Thread created: | Jump to behavior |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Queries volume information: | Jump to behavior |
Source: | Code function: | 17_2_1041EA72 |
Source: | Key value queried: | Jump to behavior |
Source: | Code function: | 17_2_1042369B |
Stealing of Sensitive Information: |
---|