Malware Analysis Report

2025-06-16 03:22

Sample ID: 220510-mpd81abcdl
Target: 481af38f33f4dc59c30d304ce466c4f0.exe
SHA256: 39b2d2d422f4f87347f8b91009544a91115af8203fdb0afa7bf7f57cdec531e7
Tags: bitrat suricata trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 39b2d2d422f4f87347f8b91009544a91115af8203fdb0afa7bf7f57cdec531e7

Threat Level: Known bad

The file 481af38f33f4dc59c30d304ce466c4f0.exe was found to be: Known bad.

Malicious Activity Summary

bitrat suricata trojan

BitRAT

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

Executes dropped EXE

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-05-10 10:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-10 10:38

Reported: 2022-05-10 10:40

Platform: win7-20220414-en

Max time kernel: 151s

Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe"

Signatures

BitRAT

trojan bitrat

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

suricata

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 848 set thread context of 940 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 848 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 848 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 848 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 848 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 848 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 848 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 848 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 848 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 848 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 848 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 848 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 848 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe

"C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe"

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"

Network

Country Destination Domain Proto
BR 132.226.247.73:80 tcp
US 8.8.8.8:53 https.myvnc.com udp
FR 193.104.211.196:9111 https.myvnc.com tcp
US 8.8.8.8:53 https.myvnc.com udp

Files

memory/848-54-0x0000000000890000-0x0000000000EB4000-memory.dmp

memory/848-55-0x00000000005A0000-0x00000000005D0000-memory.dmp

memory/848-56-0x0000000075951000-0x0000000075953000-memory.dmp

memory/848-57-0x00000000004B0000-0x00000000004CA000-memory.dmp

memory/848-58-0x00000000004D0000-0x00000000004D6000-memory.dmp

\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5 6a673bfc3b67ae9782cb31af2f234c68
SHA1 7544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA512 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

memory/940-70-0x00000000007B9000-0x00000000007DE000-memory.dmp

memory/940-73-0x000000000068A488-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5 6a673bfc3b67ae9782cb31af2f234c68
SHA1 7544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA512 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

memory/940-78-0x00000000007B9000-0x00000000007DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5 6a673bfc3b67ae9782cb31af2f234c68
SHA1 7544e89566d91e84e3cd437b9a073e5f6b56566e
SHA256 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
SHA512 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Analysis: behavioral2

Detonation Overview

Submitted: 2022-05-10 10:38

Reported: 2022-05-10 10:40

Platform: win10v2004-20220414-en

Max time kernel: 149s

Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe"

Signatures

BitRAT

trojan bitrat

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

suricata

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4260 set thread context of 2420 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4260 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 4260 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 4260 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 4260 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 4260 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 4260 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 4260 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 4260 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 4260 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 4260 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
PID 4260 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe

"C:\Users\Admin\AppData\Local\Temp\481af38f33f4dc59c30d304ce466c4f0.exe"

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 https.myvnc.com udp
FR 193.104.211.196:9111 https.myvnc.com tcp
NL 104.97.14.81:80 tcp
US 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
IE 20.54.110.249:443 tcp
NL 178.79.208.1:80 tcp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
NL 104.80.225.205:443 storesdk.dsx.mp.microsoft.com tcp
US 8.8.8.8:53 https.myvnc.com udp
US 8.8.8.8:53 store-images.s-microsoft.com udp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
US 8.8.8.8:53 tsfe.trafficshaping.dsp.mp.microsoft.com udp
IE 20.54.110.119:443 tsfe.trafficshaping.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 dl.delivery.mp.microsoft.com udp
BE 67.27.153.126:80 dl.delivery.mp.microsoft.com tcp
BE 67.27.153.126:80 dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 tlu.dl.delivery.mp.microsoft.com udp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
BE 67.27.153.126:80 dl.delivery.mp.microsoft.com tcp
BE 67.27.153.126:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 https.myvnc.com udp
US 204.79.197.200:443 tcp
US 8.8.8.8:53 https.myvnc.com udp

Files

memory/4260-130-0x0000000000ED0000-0x00000000014F4000-memory.dmp

memory/4260-131-0x0000000005EF0000-0x0000000005F8C000-memory.dmp

memory/4260-132-0x0000000006540000-0x0000000006AE4000-memory.dmp

memory/4260-133-0x0000000006CB0000-0x0000000006D42000-memory.dmp

memory/4260-134-0x0000000006CA0000-0x0000000006CAA000-memory.dmp

memory/4260-135-0x000000000A000000-0x000000000A022000-memory.dmp

memory/2420-136-0x0000000000000000-mapping.dmp

memory/2420-137-0x0000000000400000-0x00000000007CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5 9827ff3cdf4b83f9c86354606736ca9c
SHA1 e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723
SHA256 c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a
SHA512 8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

memory/2420-139-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2420-140-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2420-141-0x0000000000400000-0x00000000007CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5 9827ff3cdf4b83f9c86354606736ca9c
SHA1 e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723
SHA256 c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a
SHA512 8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579