Malware Analysis Report

2025-01-03 05:21

Sample ID 230117-1bbslsgc94
Target B840k49sjm47_PDF.exe
SHA256 0525ef32bd0fdea85df06fb17d23a31a97ce2f4a9d92a531a2a027ed2cb591e6
Tags asyncrat bitrat venom clients rat trojan upx
Score 10/10

Analysis Overview

score
10/10

SHA256

0525ef32bd0fdea85df06fb17d23a31a97ce2f4a9d92a531a2a027ed2cb591e6

Threat Level: Known bad

The file B840k49sjm47_PDF.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat bitrat venom clients rat trojan upx

AsyncRat

BitRAT

Async RAT payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Checks computer location settings

Uses the VBS compiler for execution

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-17 21:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-17 21:28

Reported

2023-01-17 21:31

Platform

win7-20221111-en

Max time kernel

150s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe"

Signatures

AsyncRat

rat asyncrat

BitRAT

trojan bitrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bitner9090.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bitner9090.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bitner9090.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bitner9090.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1632 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 9
PID 1632 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe C:\Users\Admin\AppData\Local\Temp\bitner9090.exe 4
PID 1632 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1632 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1632 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe C:\Windows\SysWOW64\cmd.exe 4
PID 988 wrote to memory of 740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 968 wrote to memory of 1372 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe 4
PID 1372 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 9
PID 1372 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1372 wrote to memory of 964 N/A C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1372 wrote to memory of 632 N/A C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe C:\Windows\SysWOW64\cmd.exe 4
PID 964 wrote to memory of 1108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 968 wrote to memory of 1632 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe 4
PID 1632 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 2

Processes

C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\bitner9090.exe

"C:\Users\Admin\AppData\Local\Temp\bitner9090.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\dftgr"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe" "C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe'" /f

C:\Windows\system32\taskeng.exe

taskeng.exe {D3DA4089-9295-4D3A-9726-A8820D8CEEFE} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe

C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\dftgr"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe" "C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe'" /f

C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe

C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\dftgr"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe" "C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe'" /f

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 bitone9090.duckdns.org udp
N/A 8.8.8.8:53 venmo8500.duckdns.org udp
N/A 194.5.98.5:8500 venmo8500.duckdns.org tcp
N/A 154.16.67.29:9090 bitone9090.duckdns.org tcp
N/A 194.5.98.5:8500 venmo8500.duckdns.org tcp
N/A 8.8.8.8:53 bitone9090.duckdns.org udp

Files

\Users\Admin\AppData\Local\Temp\bitner9090.exe

MD5 3910450cfb9c43a37a77b8b7fbd7c3a3
SHA1 1699b1b16cd067fab7dbfa0c9207fa14f49444a8
SHA256 04434a5c67c7d540871edd1b2e989d8c78270fb6317ddab3b392156f322d2d2f
SHA512 2d8e9dc00b17151398467bf8f1947285552770906e08e686eca987ea97b9aa58701b132ae8c0839edd3a1bc94e33c420574fa3e64d1b026a7eaebfee2f66a9e2

C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe

MD5 e14a49db1e766a0d20b4917a16645ab1
SHA1 32a5294a721e1b8fa807f3af71ee7bf81a0c4fae
SHA256 0525ef32bd0fdea85df06fb17d23a31a97ce2f4a9d92a531a2a027ed2cb591e6
SHA512 0eceefc925ac85e9801006b045726e6fde7c57a2d197c6b34092503fe6fd45487fd9c68b727cef898ee734a18d2376b951f413117db5b8a97aeb0a765cc4a2dc

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-17 21:28

Reported

2023-01-17 21:32

Platform

win10v2004-20220901-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe"

Signatures

AsyncRat

rat asyncrat

BitRAT

trojan bitrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bitner9090.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4892 set thread context of 4004 N/A C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1100 set thread context of 848 N/A C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bitner9090.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bitner9090.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bitner9090.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4892 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 8
PID 4892 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe C:\Users\Admin\AppData\Local\Temp\bitner9090.exe 3
PID 4892 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4892 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4892 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3908 wrote to memory of 3884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 1100 wrote to memory of 848 N/A C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 8
PID 1100 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe C:\Windows\SysWOW64\cmd.exe 3
PID 1100 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe C:\Windows\SysWOW64\cmd.exe 3
PID 1100 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4408 wrote to memory of 2128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe 3

Processes

C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe

"C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\bitner9090.exe

"C:\Users\Admin\AppData\Local\Temp\bitner9090.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\dftgr"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\B840k49sjm47_PDF.exe" "C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe'" /f

C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe

C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\dftgr"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe" "C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe'" /f

Network

Country Destination Domain Proto
N/A 2.18.109.224:443 N/A tcp
N/A 20.42.73.25:443 N/A tcp
N/A 8.8.8.8:53 venmo8500.duckdns.org udp
N/A 194.5.98.5:8500 venmo8500.duckdns.org tcp
N/A 8.8.8.8:53 bitone9090.duckdns.org udp
N/A 154.16.67.29:9090 bitone9090.duckdns.org tcp
N/A 87.248.202.1:80 N/A tcp
N/A 87.248.202.1:80 N/A tcp
N/A 93.184.221.240:80 N/A tcp
N/A 194.5.98.5:8500 venmo8500.duckdns.org tcp
N/A 8.8.8.8:53 bitone9090.duckdns.org udp

Files

C:\Users\Admin\AppData\Local\Temp\bitner9090.exe

MD5 3910450cfb9c43a37a77b8b7fbd7c3a3
SHA1 1699b1b16cd067fab7dbfa0c9207fa14f49444a8
SHA256 04434a5c67c7d540871edd1b2e989d8c78270fb6317ddab3b392156f322d2d2f
SHA512 2d8e9dc00b17151398467bf8f1947285552770906e08e686eca987ea97b9aa58701b132ae8c0839edd3a1bc94e33c420574fa3e64d1b026a7eaebfee2f66a9e2

C:\Users\Admin\AppData\Roaming\dftgr\dftgr.exe

MD5 e14a49db1e766a0d20b4917a16645ab1
SHA1 32a5294a721e1b8fa807f3af71ee7bf81a0c4fae
SHA256 0525ef32bd0fdea85df06fb17d23a31a97ce2f4a9d92a531a2a027ed2cb591e6
SHA512 0eceefc925ac85e9801006b045726e6fde7c57a2d197c6b34092503fe6fd45487fd9c68b727cef898ee734a18d2376b951f413117db5b8a97aeb0a765cc4a2dc
