Malware Analysis Report

2025-01-03 05:14

Sample ID 221130-q9mmnaac6s
Target f4c06b5a5e05514eae99a568da52d486cec115eceeff1b814217e60b845c0592
SHA256 f4c06b5a5e05514eae99a568da52d486cec115eceeff1b814217e60b845c0592
Tags
bitrat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f4c06b5a5e05514eae99a568da52d486cec115eceeff1b814217e60b845c0592

Threat Level: Known bad

The file f4c06b5a5e05514eae99a568da52d486cec115eceeff1b814217e60b845c0592 was found to be: Known bad.

Malicious Activity Summary

bitrat trojan

BitRAT

Checks computer location settings

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-30 13:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-30 13:57

Reported

2022-12-02 12:12

Platform

win7-20221111-en

Max time kernel

152s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f4c06b5a5e05514eae99a568da52d486cec115eceeff1b814217e60b845c0592.exe"

Signatures

BitRAT

trojan bitrat

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2044 set thread context of 1864 | N/A | C:\Users\Admin\AppData\Local\Temp\f4c06b5a5e05514eae99a568da52d486cec115eceeff1b814217e60b845c0592.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4c06b5a5e05514eae99a568da52d486cec115eceeff1b814217e60b845c0592.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f4c06b5a5e05514eae99a568da52d486cec115eceeff1b814217e60b845c0592.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2044 wrote to memory of 320 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\f4c06b5a5e05514eae99a568da52d486cec115eceeff1b814217e60b845c0592.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2044 wrote to memory of 1864 (15 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\f4c06b5a5e05514eae99a568da52d486cec115eceeff1b814217e60b845c0592.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f4c06b5a5e05514eae99a568da52d486cec115eceeff1b814217e60b845c0592.exe

"C:\Users\Admin\AppData\Local\Temp\f4c06b5a5e05514eae99a568da52d486cec115eceeff1b814217e60b845c0592.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Ftkltg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2FD8.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

N/A

Files

memory/2044-54-0x0000000000900000-0x0000000000E7A000-memory.dmp

memory/2044-55-0x00000000767F1000-0x00000000767F3000-memory.dmp

memory/2044-56-0x0000000000240000-0x000000000024A000-memory.dmp

memory/2044-57-0x0000000006FF0000-0x00000000073E0000-memory.dmp

memory/320-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2FD8.tmp

MD5 133ea7bd3d4bb479358360bce99df3a5
SHA1 415818261802722953740618517a8b00387dbd19
SHA256 0df74ea21c99a09ecd35f227fc7530d1c224c524a19db7df82dcea8331f53625
SHA512 14334898a541655ac904f6f8b79c8ea4d1492da08b2cc5173b8c6d5aba1b990a504e4959be25688f7dd841d457ba632fb06113899b5afc38d81692bbb1b8b07a

memory/1864-60-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1864-61-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1864-63-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1864-65-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1864-67-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1864-69-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1864-70-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1864-72-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1864-73-0x0000000000689A84-mapping.dmp

memory/1864-75-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1864-77-0x0000000000400000-0x00000000007CD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-30 13:57

Reported

2022-12-02 12:12

Platform

win10v2004-20220812-en

Max time kernel

153s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f4c06b5a5e05514eae99a568da52d486cec115eceeff1b814217e60b845c0592.exe"

Signatures

BitRAT

trojan bitrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f4c06b5a5e05514eae99a568da52d486cec115eceeff1b814217e60b845c0592.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1584 set thread context of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\f4c06b5a5e05514eae99a568da52d486cec115eceeff1b814217e60b845c0592.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f4c06b5a5e05514eae99a568da52d486cec115eceeff1b814217e60b845c0592.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A (2 identical events) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1584 wrote to memory of 3052 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\f4c06b5a5e05514eae99a568da52d486cec115eceeff1b814217e60b845c0592.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1584 wrote to memory of 844 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\f4c06b5a5e05514eae99a568da52d486cec115eceeff1b814217e60b845c0592.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1584 wrote to memory of 2036 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\f4c06b5a5e05514eae99a568da52d486cec115eceeff1b814217e60b845c0592.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1584 wrote to memory of 1976 (11 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\f4c06b5a5e05514eae99a568da52d486cec115eceeff1b814217e60b845c0592.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f4c06b5a5e05514eae99a568da52d486cec115eceeff1b814217e60b845c0592.exe

"C:\Users\Admin\AppData\Local\Temp\f4c06b5a5e05514eae99a568da52d486cec115eceeff1b814217e60b845c0592.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Ftkltg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp81AE.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.247.211.126:80 | | tcp
N/A | 52.242.97.97:443 | | tcp
N/A | 209.197.3.8:80 | | tcp
N/A | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp
N/A | 209.197.3.8:80 | | tcp
N/A | 8.247.211.126:80 | | tcp
N/A | 209.197.3.8:80 | | tcp
N/A | 209.197.3.8:80 | | tcp
N/A | 209.197.3.8:80 | | tcp
N/A | 209.197.3.8:80 | | tcp
N/A | 8.8.8.8:53 | d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa | udp
N/A | 20.54.89.106:443 | | tcp
N/A | 209.197.3.8:80 | | tcp
N/A | 104.46.162.224:443 | | tcp
N/A | 93.184.220.29:80 | | tcp
N/A | 104.80.225.205:443 | | tcp
N/A | 93.184.220.29:80 | | tcp
N/A | 185.157.162.234:54262 | | tcp

Files

memory/1584-132-0x00000000003D0000-0x000000000094A000-memory.dmp

memory/1584-133-0x00000000052F0000-0x000000000538C000-memory.dmp

memory/1584-134-0x0000000005940000-0x0000000005EE4000-memory.dmp

memory/1584-135-0x0000000005430000-0x00000000054C2000-memory.dmp

memory/1584-136-0x00000000053A0000-0x00000000053AA000-memory.dmp

memory/1584-137-0x00000000054D0000-0x0000000005526000-memory.dmp

memory/3052-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp81AE.tmp

MD5 1fa7082d654ed1d84c148889acfe3b06
SHA1 8f08d7e161bac7c6f33612b1b8bb380528fddb43
SHA256 a50871c244d1c562c46f0fab0eb3fdd7ca5141436c78c3625511704cee427a54
SHA512 40efa00c629e80c5ddcb58dc6f408237fe0848ca000994e9920f003ae2e3f3d6020d5f4f498b3bf97c5aead5679e6b7f89a748d1325a4c9813953e04e958ffcf

memory/844-140-0x0000000000000000-mapping.dmp

memory/2036-141-0x0000000000000000-mapping.dmp

memory/1976-142-0x0000000000000000-mapping.dmp

memory/1976-143-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1976-144-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1976-145-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1976-146-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1976-147-0x00000000749C0000-0x00000000749F9000-memory.dmp

memory/1976-148-0x0000000074D60000-0x0000000074D99000-memory.dmp

memory/1976-149-0x0000000000400000-0x00000000007CD000-memory.dmp