Analysis Overview
SHA256
9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336
Threat Level: Known bad
The file 9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336 was found to be: Known bad.
Malicious Activity Summary
BitRAT Payload
Bitrat family
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-08 06:12
Signatures
BitRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Bitrat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-08 06:12
Reported
2022-05-08 08:29
Platform
win7-20220414-en
Max time kernel
187s
Max time network
203s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\temp\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe
"C:\Users\Admin\AppData\Local\Temp\9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 159.69.247.120:1234 | tcp | |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.117.59.81:443 | myexternalip.com | tcp |
| DE | 159.69.247.120:1234 | tcp | |
| US | 34.117.59.81:443 | myexternalip.com | tcp |
Files
memory/1812-54-0x0000000076531000-0x0000000076533000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-08 06:12
Reported
2022-05-08 08:29
Platform
win10v2004-20220414-en
Max time kernel
190s
Max time network
202s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\temp\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\temp\\svchost.exeԀ" | C:\Users\Admin\AppData\Local\Temp\9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe
"C:\Users\Admin\AppData\Local\Temp\9f91c07f8efbac3839267d2780eeeab664ee90ff8c90b1ab838a0377e2713336.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 20.190.160.73:443 | tcp | |
| NL | 20.190.160.129:443 | tcp | |
| US | 8.238.111.254:80 | tcp | |
| GB | 51.105.71.136:443 | tcp | |
| NL | 20.190.160.132:443 | tcp | |
| US | 8.238.111.254:80 | tcp | |
| US | 8.238.111.254:80 | tcp | |
| US | 8.238.111.254:80 | tcp | |
| FR | 2.16.119.157:443 | tcp | |
| FR | 2.16.119.157:443 | tcp | |
| US | 40.125.122.151:443 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| NL | 20.190.160.69:443 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| NL | 20.190.160.8:443 | tcp | |
| US | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp |
| US | 93.184.220.29:80 | tcp | |
| DE | 159.69.247.120:1234 | tcp | |
| NL | 20.190.160.4:443 | tcp | |
| US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.117.59.81:443 | myexternalip.com | tcp |
| DE | 159.69.247.120:1234 | tcp | |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 52.20.78.240:80 | api.ipify.org | tcp |
| US | 34.117.59.81:443 | myexternalip.com | tcp |
| US | 34.117.59.81:443 | myexternalip.com | tcp |
| DE | 159.69.247.120:1234 | tcp | |
| US | 52.20.78.240:80 | api.ipify.org | tcp |
| US | 34.117.59.81:443 | myexternalip.com | tcp |