Malware Analysis Report

2025-01-03 05:14

Sample ID: 221130-wea82abh54
Target: 391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab
SHA256: 391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab
Tags: vmprotect, bitrat, persistence, trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab

Threat Level: Known bad

The file 391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab was found to be: Known bad.

Malicious Activity Summary

Tags: vmprotect, bitrat, persistence, trojan

BitRAT

VMProtect packed file

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-11-30 17:49

Signatures

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-30 17:49

Reported: 2022-12-02 17:08

Platform: win7-20221111-en

Max time kernel: 180s

Max time network: 202s

Command Line

"C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe"

Signatures

BitRAT

trojan bitrat

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\servicemgrdriver = "C:\\Users\\Admin\\AppData\\Local\\driversmgr\\servicemgrdriver.exe" | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe

"C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe"

Network

Country | Destination | Domain | Proto
N/A | 178.159.39.203:5552 | | tcp
N/A | 178.159.39.203:5552 | | tcp
N/A | 178.159.39.203:5552 | | tcp
N/A | 178.159.39.203:5552 | | tcp

Files

memory/1140-54-0x0000000000400000-0x0000000000FD5000-memory.dmp

memory/1140-57-0x0000000000400000-0x0000000000FD5000-memory.dmp

memory/1140-58-0x0000000000400000-0x0000000000FD5000-memory.dmp

memory/1140-59-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-11-30 17:49

Reported: 2022-12-02 17:07

Platform: win10v2004-20220812-en

Max time kernel: 151s

Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe"

Signatures

BitRAT

trojan bitrat

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\servicemgrdriver = "C:\\Users\\Admin\\AppData\\Local\\driversmgr\\servicemgrdriver.exe" | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe

"C:\Users\Admin\AppData\Local\Temp\391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab.exe"

Network

Country | Destination | Domain | Proto
N/A | 93.184.220.29:80 | | tcp
N/A | 104.110.191.140:80 | | tcp
N/A | 40.79.150.121:443 | | tcp
N/A | 178.159.39.203:5552 | | tcp
N/A | 178.79.208.1:80 | | tcp
N/A | 178.79.208.1:80 | | tcp
N/A | 178.79.208.1:80 | | tcp
N/A | 178.159.39.203:5552 | | tcp
N/A | 178.159.39.203:5552 | | tcp
N/A | 178.159.39.203:5552 | | tcp
N/A | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp

Files

memory/4976-132-0x0000000000400000-0x0000000000FD5000-memory.dmp

memory/4976-133-0x0000000000400000-0x0000000000FD5000-memory.dmp

memory/4976-136-0x0000000000400000-0x0000000000FD5000-memory.dmp

memory/4976-137-0x0000000074540000-0x0000000074579000-memory.dmp

memory/4976-138-0x0000000074200000-0x0000000074239000-memory.dmp

memory/4976-139-0x0000000074200000-0x0000000074239000-memory.dmp

memory/4976-140-0x0000000074200000-0x0000000074239000-memory.dmp

memory/4976-141-0x0000000074540000-0x0000000074579000-memory.dmp

memory/4976-142-0x0000000074200000-0x0000000074239000-memory.dmp

memory/4976-143-0x0000000074200000-0x0000000074239000-memory.dmp

memory/4976-144-0x0000000074200000-0x0000000074239000-memory.dmp