Malware Analysis Report

2025-06-16 03:22

Sample ID 220508-t9f2naffbm
Target 977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512
SHA256 977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512
Tags
bitrat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512

Threat Level: Known bad

The file 977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512 was found to be: Known bad.

Malicious Activity Summary

bitrat trojan upx

BitRAT

BitRAT Payload

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Executes dropped EXE

Drops startup file

Loads dropped DLL

Checks computer location settings

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-08 16:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-08 16:45

Reported

2022-05-08 18:55

Platform

win7-20220414-en

Max time kernel

158s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe"

Signatures

BitRAT

trojan bitrat

BitRAT Payload


ACProtect 1.3x - 1.4x DLL software


Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\04719c1b\tor\svhost.exe N/A

UPX packed file

upx

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe.vbs C:\Windows\SysWOW64\notepad.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1768 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe C:\Windows\SysWOW64\notepad.exe
PID 1768 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe
PID 1944 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe C:\Users\Admin\AppData\Local\04719c1b\tor\svhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe

"C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe

"C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe"

C:\Users\Admin\AppData\Local\04719c1b\tor\svhost.exe

"C:\Users\Admin\AppData\Local\04719c1b\tor\svhost.exe" -f torrc

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2022-05-08 16:45

Reported

2022-05-08 18:55

Platform

win10v2004-20220414-en

Max time kernel

170s

Max time network

197s

Command Line

"C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe"

Signatures

BitRAT

trojan bitrat

BitRAT Payload


ACProtect 1.3x - 1.4x DLL software


Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\04719c1b\tor\svhost.exe N/A

UPX packed file

upx

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe.vbs C:\Windows\SysWOW64\notepad.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A myexternalip.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4884 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe C:\Windows\SysWOW64\notepad.exe
PID 4884 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe
PID 4272 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe C:\Users\Admin\AppData\Local\04719c1b\tor\svhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe

"C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe"

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe

"C:\Users\Admin\AppData\Local\Temp\977e77a71bd6293c1b6f3e5edd83657120bed93680256923682c0ae0a7dc8512.exe"

C:\Users\Admin\AppData\Local\04719c1b\tor\svhost.exe

"C:\Users\Admin\AppData\Local\04719c1b\tor\svhost.exe" -f torrc

Network


Files
