Analysis Overview
SHA256
ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e
Threat Level: Known bad
The file ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e was found to be: Known bad.
Malicious Activity Summary
BitRAT Payload
BitRAT
UPX packed file
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-05-08 06:14
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-08 06:14
Reported
2022-05-08 08:29
Platform
win7-20220414-en
Max time kernel
160s
Max time network
175s
Command Line
Signatures
BitRAT
BitRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1052 set thread context of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe | C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
"C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe"
C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
"C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe"
Network
| Country | Destination | Domain | Proto |
| SE | 45.148.17.42:49361 | | tcp |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.117.59.81:443 | myexternalip.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-08 06:14
Reported
2022-05-08 08:31
Platform
win10v2004-20220414-en
Max time kernel
208s
Max time network
211s
Command Line
Signatures
BitRAT
BitRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2408 set thread context of 5108 | N/A | C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe | C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
"C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe"
C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
"C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe"
C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
"C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe"
C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe
"C:\Users\Admin\AppData\Local\Temp\ac34cd73c656e9f130c52e0d2a7c962e77c205bce96aa02532f06cd13067eb6e.exe"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| NL | 52.178.17.2:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa | udp |
| US | 185.199.108.133:443 | | tcp |
Files