Malware Analysis Report

2025-01-03 05:22

Sample ID 230129-1vdrbafg9t
Target 11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12
SHA256 11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12
Tags: bitrat persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12

Threat Level: Known bad

The file 11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12 was found to be: Known bad.

Malicious Activity Summary

bitrat persistence trojan

BitRAT

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-01-29 21:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-01-29 21:57
Reported: 2023-01-29 22:00
Platform: win7-20220812-en
Max time kernel: 147s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12.exe"

Signatures

BitRAT

trojan bitrat

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ProPlayer = "C:\\Users\\Admin\\AppData\\Roaming\\ProPlayer\\Player.exe.exe" | C:\Users\Admin\AppData\Local\Temp\11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1392 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12.exe | C:\Users\Admin\AppData\Local\Temp\11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12.EXE | 12

Processes

C:\Users\Admin\AppData\Local\Temp\11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12.exe

"C:\Users\Admin\AppData\Local\Temp\11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Users\Admin\AppData\Local\Temp\11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12.EXE

"C:\Users\Admin\AppData\Local\Temp\11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12.EXE"

Network

Country | Destination | Domain | Proto | Count
N/A | 185.157.161.104:65312 | | tcp | 9

Files

memory/1392-56-0x0000000075601000-0x0000000075603000-memory.dmp

memory/1052-58-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1052-59-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1052-63-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1052-61-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1052-65-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1052-68-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1052-67-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1052-73-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1052-74-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1052-71-0x0000000000689A84-mapping.dmp

memory/1052-70-0x0000000000400000-0x00000000007CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QpGDR.jpg

MD5 6bf7995bed6622dc6c2123db53b6b17d
SHA1 4f644ae30a70c94204acaa931d48fc8bb6394ca8
SHA256 04405bd5f7c5868a5f95f286d0b951a888a10062b506959dc3bd149206f7c2f3
SHA512 7ff9f5d181159d127c0459c7347cb255d120abd2e315d9218391e8f0f616438f2c6f750ba84f6ba32c396dc6d631ab1069f5a1d4b0a33b5f2337b1421214a16e

memory/1052-77-0x0000000000400000-0x00000000007CD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-01-29 21:57
Reported: 2023-01-29 22:00
Platform: win10v2004-20221111-en
Max time kernel: 146s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12.exe"

Signatures

BitRAT

trojan bitrat

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ProPlayer = "C:\\Users\\Admin\\AppData\\Roaming\\ProPlayer\\Player.exe.exe" | C:\Users\Admin\AppData\Local\Temp\11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 4732 wrote to memory of 1432 | N/A | C:\Users\Admin\AppData\Local\Temp\11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12.exe | C:\Users\Admin\AppData\Local\Temp\11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12.EXE | 11

Processes

C:\Users\Admin\AppData\Local\Temp\11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12.exe

"C:\Users\Admin\AppData\Local\Temp\11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12.exe"

C:\Users\Admin\AppData\Local\Temp\11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12.EXE

"C:\Users\Admin\AppData\Local\Temp\11a1756f1a0d950273debd39cbf1f99b515cff9d46b2e78a533bd4100e078a12.EXE"

Network

Country | Destination | Domain | Proto | Count
N/A | 185.157.161.104:65312 | | tcp | 9
N/A | 88.221.25.154:80 | | tcp | 1
N/A | 104.80.225.205:443 | | tcp | 1
N/A | 52.178.17.3:443 | | tcp | 1
N/A | 87.248.202.1:80 | | tcp | 2
N/A | 209.197.3.8:80 | | tcp | 1

Files

memory/1432-134-0x0000000000000000-mapping.dmp

memory/1432-135-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1432-137-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1432-136-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1432-138-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1432-139-0x00000000747A0000-0x00000000747D9000-memory.dmp

memory/1432-140-0x0000000074B20000-0x0000000074B59000-memory.dmp

memory/1432-141-0x0000000074B20000-0x0000000074B59000-memory.dmp

memory/1432-142-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1432-143-0x0000000074B20000-0x0000000074B59000-memory.dmp

memory/1432-144-0x0000000074B20000-0x0000000074B59000-memory.dmp

memory/1432-145-0x0000000074B20000-0x0000000074B59000-memory.dmp

memory/1432-146-0x0000000074B20000-0x0000000074B59000-memory.dmp

memory/1432-147-0x0000000074B20000-0x0000000074B59000-memory.dmp

memory/1432-148-0x0000000074B20000-0x0000000074B59000-memory.dmp

memory/1432-149-0x0000000074B20000-0x0000000074B59000-memory.dmp

memory/1432-150-0x0000000074B20000-0x0000000074B59000-memory.dmp

memory/1432-151-0x0000000074B20000-0x0000000074B59000-memory.dmp

memory/1432-152-0x0000000074B20000-0x0000000074B59000-memory.dmp

memory/1432-153-0x0000000074B20000-0x0000000074B59000-memory.dmp

memory/1432-154-0x0000000074B20000-0x0000000074B59000-memory.dmp