Malware Analysis Report

2025-01-03 05:14

Sample ID: 221205-h9ja8scf91
Target: 04d43d6b0a1277e7d1e93415f1aa6a1e.exe
SHA256: 76f4028be569b642d396b8e8936779493280aabcc3329f9058c19e78936c113e
Tags: pyinstaller bitrat evasion persistence themida trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 76f4028be569b642d396b8e8936779493280aabcc3329f9058c19e78936c113e

Threat Level: Known bad. The file 04d43d6b0a1277e7d1e93415f1aa6a1e.exe was classified as known bad.

Malicious Activity Summary

Tags: pyinstaller bitrat evasion persistence themida trojan

BitRAT

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Themida packer

Loads dropped DLL

Checks BIOS information in registry

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Detects Pyinstaller

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-12-05 07:26

Signatures

Detects Pyinstaller

Tags: pyinstaller
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

The static match is consistent with both behavioral runs, which extract python310.dll (and, on Windows 10, VCRUNTIME140.dll and base_library.zip) into a _MEIxxxxx directory under %TEMP%, the layout of a PyInstaller onefile bundle.
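The static1 run's only hit is a PyInstaller match, and the behavioral runs confirm it through the _MEIxxxxx extraction directory. The following is an added example, not the sandbox's own detector, of how that match is made from the bytes alone: PyInstaller's onefile bootloader carries its archive as an overlay that ends with an 88-byte cookie beginning with the magic MEI\x0c\x0b\x0a\x0b\x0e, and parsing the cookie also yields the bundled Python version and shared-library name (here the report's python310.dll). The cookie format and magic are PyInstaller's; the test executable is constructed by build_sample(), and the report's real binary is not embedded.

```python
"""Static PyInstaller detection by parsing the CArchive cookie.

Added example for this report, not the sandbox's own signature. PyInstaller's
onefile bootloader carries the bundled archive as an overlay that ends with an
88-byte cookie:
    8s  magic            b"MEI\\x0c\\x0b\\x0a\\x0b\\x0e"
    I   package length   size of the archive including this cookie
    I   TOC offset       relative to the start of the archive
    i   TOC length
    i   Python version   310 for 3.10, 37 for 3.7 (pre-3.10 encoding)
    64s Python library   NUL-padded, e.g. b"python310.dll"
The executable used below is constructed by build_sample(); the report's
real binary is not embedded.
"""
import struct
import sys

PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88


def find_pyinstaller_cookie(data: bytes):
    """Return the parsed cookie as a dict, or None if the file is not a
    PyInstaller bundle. The magic is searched from the end because some
    builds carry trailing data (for example a signature) after the cookie."""
    pos = data.rfind(PYINST_MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, libname = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_LEN])
    # 310 -> (3, 10); older bootloaders encode 3.7 as 37
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    archive_start = pos + COOKIE_LEN - pkg_len
    if archive_start < 0 or toc_off + toc_len > pkg_len:
        return None  # magic present but the lengths are inconsistent
    return {
        "cookie_offset": pos,
        "archive_start": archive_start,
        "toc_offset": archive_start + toc_off,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "python_lib": libname.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_sample(pyver: int = 310, lib: bytes = b"python310.dll") -> bytes:
    """Constructed stand-in for a onefile executable: a fake bootloader,
    a fake archive body whose last 20 bytes play the TOC, then a valid cookie."""
    bootloader = b"MZ" + b"\x00" * 62
    body = b"A" * 80 + b"T" * 20
    pkg_len = len(body) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, pkg_len, 80, 20,
                         pyver, lib.ljust(64, b"\x00"))
    return bootloader + body + cookie


if __name__ == "__main__":
    # Usage: python detect_pyinstaller.py <file>; with no argument the
    # constructed sample is analysed instead.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    info = find_pyinstaller_cookie(blob)
    print("not a PyInstaller bundle" if info is None else info)
```

The length-consistency check matters in practice: the eight magic bytes can occur inside an unrelated file, so a detector should refuse a cookie whose package length would place the archive before the start of the file or whose TOC falls outside the archive.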

Analysis: behavioral1

Detonation Overview

Submitted: 2022-12-05 07:26
Reported: 2022-12-05 07:28
Platform: win7-20220901-en
Max time kernel: 45s
Max time network: 50s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04d43d6b0a1277e7d1e93415f1aa6a1e.exe"

Signatures

None recorded for this run. Only the sample itself executed (two entries of the same image, consistent with PyInstaller's onefile bootloader re-launching itself as a child process); no INST.exe appears in this run's Processes or Files, so the second stage seen on Windows 10 did not run here.

Processes

Image: C:\Users\Admin\AppData\Local\Temp\04d43d6b0a1277e7d1e93415f1aa6a1e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\04d43d6b0a1277e7d1e93415f1aa6a1e.exe"

Image: C:\Users\Admin\AppData\Local\Temp\04d43d6b0a1277e7d1e93415f1aa6a1e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\04d43d6b0a1277e7d1e93415f1aa6a1e.exe"

Network

N/A

Files

memory/1068-54-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI12002\python310.dll

MD5 342ba224fe440b585db4e9d2fc9f86cd
SHA1 bfa3d380231166f7c2603ca89a984a5cad9752ab
SHA256 cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432
SHA512 daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1

\Users\Admin\AppData\Local\Temp\_MEI12002\python310.dll

MD5 342ba224fe440b585db4e9d2fc9f86cd
SHA1 bfa3d380231166f7c2603ca89a984a5cad9752ab
SHA256 cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432
SHA512 daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1

Analysis: behavioral2

Detonation Overview

Submitted: 2022-12-05 07:26
Reported: 2022-12-05 07:29
Platform: win10v2004-20221111-en
Max time kernel: 189s
Max time network: 189s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04d43d6b0a1277e7d1e93415f1aa6a1e.exe"

Signatures

BitRAT

Tags: trojan bitrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags: evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\INST.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INST.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\INST.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\INST.exe | N/A

Themida packer

Tags: themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (11 matches, no indicator details recorded)

Adds Run key to start application

Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ROCKEEETS = "C:\\Users\\Admin\\AppData\\Local\\%APPDATA%\\ROCKEEETS" | C:\Users\Admin\AppData\Local\Temp\INST.exe | N/A

The value was written five times. Four of the five captured strings carry one stray character after "ROCKEEETS" (U+4100, U+4700, U+0200 and U+9900, each a UTF-16 code unit with a zero low byte), consistent with one wide character being read past the string terminator; the row above is the clean form of the same value. Note also that the token %APPDATA% is embedded literally in the path rather than expanded, so the autorun target is the literal directory C:\Users\Admin\AppData\Local\%APPDATA%\, and the Files section records no write to that location.

Checks whether UAC is enabled

Tags: evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\INST.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\INST.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INST.exe | N/A (2 matches)
Processes

Image: C:\Users\Admin\AppData\Local\Temp\04d43d6b0a1277e7d1e93415f1aa6a1e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\04d43d6b0a1277e7d1e93415f1aa6a1e.exe"

Image: C:\Users\Admin\AppData\Local\Temp\04d43d6b0a1277e7d1e93415f1aa6a1e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\04d43d6b0a1277e7d1e93415f1aa6a1e.exe"

Image: C:\Windows\SYSTEM32\cmd.exe
Command line: cmd /c echo %temp%

Image: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\INST.exe

Image: C:\Users\Admin\AppData\Local\Temp\INST.exe
Command line: C:\Users\Admin\AppData\Local\Temp\INST.exe

Read in order, the listing is consistent with: PyInstaller loader -> PyInstaller child process -> cmd.exe resolving %temp% -> cmd.exe launching the dropped INST.exe -> INST.exe, which is the process behind every BitRAT, evasion and persistence signature above. The report does not record parent PIDs, so the parent/child links are inferred from this order.

Network

Country | Destination | Domain | Proto | Count
N/A | 93.184.221.240:80 | N/A | tcp | 2
N/A | 88.221.25.154:80 | N/A | tcp | 2
N/A | 104.80.225.205:443 | N/A | tcp | 1
N/A | 8.248.7.254:80 | N/A | tcp | 5
N/A | 20.50.73.9:443 | N/A | tcp | 1
N/A | 79.137.206.203:7777 | N/A | tcp | 1
N/A | 52.152.108.96:443 | N/A | tcp | 1
N/A | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp | 1
N/A | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp | 1
N/A | 8.238.20.126:80 | N/A | tcp | 1

The only destination outside ports 53, 80 and 443 is 79.137.206.203:7777, the candidate command-and-control channel for the BitRAT payload (7777 is the port commonly seen as BitRAT's default). The two UDP rows are reverse (PTR) lookups for 40.125.122.151 and 40.125.122.176. No domain was captured for any TCP destination, so the port 80/443 endpoints cannot be attributed from this report alone.
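Taken together, the behavioral2 Signatures, Processes and Network sections reduce to a handful of checkable patterns: a VirtualBox ACPI table lookup, BIOS version reads, an EnableLUA probe, a Run-key write whose data contains an unexpanded %APPDATA% and a stray non-ASCII character, cmd.exe launching an executable from %TEMP%, and a single TCP connection on a non-standard port. The Python below is an added example, not the sandbox's rule set: it transcribes those events into a constructed list and runs a small rule engine over them. The event schema, the rule names, and the FADT/RSDT table names alongside the DSDT key the report shows are this example's own generalizations; the report does not attribute network flows to a process, so the connect events carry none.

```python
"""Rule-based triage over the behavioral2 events in this report.

Added example for this page, not the sandbox's own detection logic. EVENTS is
a constructed transcription of the Signatures, Processes and Network sections;
the event schema and rule names are this example's own. The report does not
attribute network flows to a process, so connect events carry no "proc".
"""
import re

INST = r"C:\Users\Admin\AppData\Local\Temp\INST.exe"

EVENTS = [
    {"op": "key_open", "proc": INST,
     "path": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"op": "value_query", "proc": INST,
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"op": "value_query", "proc": INST,
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"op": "value_query", "proc": INST,
     "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
             r"\Policies\System\EnableLUA"},
    {"op": "value_set", "proc": INST,
     "path": r"\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000"
             r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ROCKEEETS",
     # literal, unexpanded %APPDATA% plus the stray trailing U+4100 as captured
     "data": r"C:\Users\Admin\AppData\Local\%APPDATA%\ROCKEEETS" + "\u4100"},
    {"op": "process_create", "proc": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c " + INST},
    {"op": "connect", "proto": "tcp", "dst": "79.137.206.203:7777"},
    {"op": "connect", "proto": "tcp", "dst": "104.80.225.205:443"},
    {"op": "connect", "proto": "udp", "dst": "8.8.8.8:53"},
]

# VirtualBox exposes its ACPI tables under these names; FADT/RSDT are a
# generalization beyond the DSDT key the report shows.
VBOX_ACPI = re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)
BIOS_VALUE = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\\w*Bios\w*$", re.I)
UAC_VALUE = re.compile(r"\\Policies\\System\\EnableLUA$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.I)
ENV_TOKEN = re.compile(r"%[A-Za-z_]+%")  # an unexpanded %VAR% in a literal path
CMD_TEMP_EXE = re.compile(
    r"cmd(\.exe)?\s+/c\s+\S*\\AppData\\Local\\Temp\\\S+\.exe", re.I)
EXPECTED_PORTS = {53, 80, 443}


def check(ev):
    """Classify one event; returns (rule_name, detail) or None."""
    op, path = ev["op"], ev.get("path", "")
    if op in ("key_open", "value_query") and VBOX_ACPI.search(path):
        return "anti_vm_acpi", path
    if op == "value_query" and BIOS_VALUE.search(path):
        return "bios_fingerprint", path
    if op == "value_query" and UAC_VALUE.search(path):
        return "uac_probe", path
    if op == "value_set":
        m = RUN_KEY.search(path)
        if m:
            data = ev.get("data", "")
            flags = []
            if ENV_TOKEN.search(data):
                flags.append("unexpanded_env_token")
            if any(ord(c) > 0x7F for c in data):
                flags.append("non_ascii_in_path")
            return "run_key_persistence", {"value": m.group(2), "flags": flags}
    if op == "process_create" and CMD_TEMP_EXE.search(ev.get("cmdline", "")):
        return "cmd_launches_temp_exe", ev["cmdline"]
    if op == "connect":
        port = int(ev["dst"].rpartition(":")[2])
        if port not in EXPECTED_PORTS:
            return "nonstandard_port", ev["dst"]
    return None


def triage(events):
    """Group findings by rule name; rules that never fire are absent."""
    findings = {}
    for ev in events:
        hit = check(ev)
        if hit is not None:
            findings.setdefault(hit[0], []).append(hit[1])
    return findings


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(f"{name} ({len(hits)})")
        for hit in hits:
            print("    " + ascii(hit))
```

The two extra flags on the Run-key finding are the part a signature engine usually omits: a literal %VAR% inside a path written to an autorun location, or non-ASCII bytes in what should be a filesystem path, both point at a broken string-building routine in the dropper and are worth surfacing alongside the persistence hit itself.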

Files

memory/4868-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI15162\python310.dll

MD5 342ba224fe440b585db4e9d2fc9f86cd
SHA1 bfa3d380231166f7c2603ca89a984a5cad9752ab
SHA256 cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432
SHA512 daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1

C:\Users\Admin\AppData\Local\Temp\_MEI15162\VCRUNTIME140.dll

MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

C:\Users\Admin\AppData\Local\Temp\_MEI15162\base_library.zip

MD5 9a712ff5a82ab516664ee4449d7a8c69
SHA1 3600b3ef4368955e686e76e674f6f6a86769b654
SHA256 63e2585e157512983764fc113b4ce214834f60cce9f0b97167f85ad1e28e0fc0
SHA512 3c9460c3ae84348d3bd7f3f14482e3b27b38d016c9c476688cf1f5454d90244d73d412703758eaecfd8c87d561e2fa556505d7179ce11b5ee55b191d5740f9da

memory/2040-138-0x0000000000000000-mapping.dmp

memory/1076-139-0x0000000000000000-mapping.dmp

memory/3660-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\INST.exe

MD5 c9acdffcc9f0b3e090c3d0db43d94b72
SHA1 fc2a610949cc0c95d57da32015bf91a60dbfae6c
SHA256 7f331d1087613c8fc17e827c391f18c93532ab3f98d5cf99321c14e53bb15859
SHA512 e1bba90fee8a191167ae9825cb1c458fb891deadabd2fa1d0f9a8a1d422fd902bb7ba88b7ae3748be8f16f71cc0dbbd1d09ed7180ffcbdd5e4781be6ad8ec891

memory/3660-143-0x00000000004A0000-0x0000000000F55000-memory.dmp

memory/3660-144-0x00000000004A0000-0x0000000000F55000-memory.dmp

memory/3660-145-0x00000000004A0000-0x0000000000F55000-memory.dmp

memory/3660-146-0x00000000004A0000-0x0000000000F55000-memory.dmp

memory/3660-147-0x0000000076E60000-0x0000000077003000-memory.dmp

memory/3660-148-0x00000000004A0000-0x0000000000F55000-memory.dmp

memory/3660-149-0x00000000004A0000-0x0000000000F55000-memory.dmp

memory/3660-150-0x00000000004A0000-0x0000000000F55000-memory.dmp

memory/3660-151-0x00000000004A0000-0x0000000000F55000-memory.dmp

memory/3660-152-0x0000000074230000-0x0000000074269000-memory.dmp

memory/3660-153-0x0000000073EF0000-0x0000000073F29000-memory.dmp

memory/3660-154-0x00000000004A0000-0x0000000000F55000-memory.dmp

memory/3660-155-0x0000000076E60000-0x0000000077003000-memory.dmp

memory/3660-156-0x0000000074230000-0x0000000074269000-memory.dmp