Malware Analysis Report

2025-01-03 05:13

Sample ID 230129-x6m8caah39
Target b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd
SHA256 b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd
Tags
bitrat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd

Threat Level: Known bad

The file b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd was found to be: Known bad.

Malicious Activity Summary

bitrat trojan

BitRAT

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-29 19:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-29 19:28

Reported

2023-01-29 19:30

Platform

win7-20221111-en

Max time kernel

151s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe"

Signatures

BitRAT

trojan bitrat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1976 set thread context of 1388 N/A C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1976 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe

"C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RgKuObYJRjVYK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE86C.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto
N/A 185.157.162.234:54262 tcp

Files

memory/1976-54-0x00000000013D0000-0x00000000018D6000-memory.dmp

memory/1976-55-0x0000000076651000-0x0000000076653000-memory.dmp

memory/1976-56-0x0000000000390000-0x000000000039C000-memory.dmp

memory/1976-57-0x0000000005760000-0x0000000005B50000-memory.dmp

memory/524-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE86C.tmp

MD5 d0106f3f67a6264ff65473435d75ed9e
SHA1 ae4bea29090eb81506c25c811df97f5cbdb76ace
SHA256 41aaf1943d75fe36891e8fb1d71798809142d52e42523e694ef7f5bbf9f8626b
SHA512 3c1780b9358751e4bd1a9132ad4cf36e705f929fb1646487c4411b53a174dcd97f983887e1ac405b5421949aef19c5222127bf79d6ec81a5d97b352ffaea44d6

memory/1388-60-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1388-61-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1388-63-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1388-65-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1388-67-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1388-69-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1388-70-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1388-73-0x0000000000689A84-mapping.dmp

memory/1388-72-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1388-75-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1388-77-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1388-78-0x0000000000400000-0x00000000007CD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-29 19:28

Reported

2023-01-29 19:30

Platform

win10v2004-20220812-en

Max time kernel

145s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe"

Signatures

BitRAT

trojan bitrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1488 set thread context of 1840 N/A C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1488 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1488 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1488 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe

"C:\Users\Admin\AppData\Local\Temp\b13c23ba543d6cc3be5193435fa78b265ee98904ea2ad37f7922904cc5092cdd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RgKuObYJRjVYK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2A47.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto
N/A 52.168.117.170:443 tcp
N/A 8.252.51.254:80 tcp
N/A 8.253.183.120:80 tcp
N/A 104.80.225.205:443 tcp
N/A 209.197.3.8:80 tcp
N/A 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
N/A 8.8.8.8:53 7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa udp
N/A 185.157.162.234:54262 tcp
N/A 8.247.211.254:80 tcp

Files

memory/1488-132-0x0000000000EF0000-0x00000000013F6000-memory.dmp

memory/1488-133-0x0000000005D50000-0x0000000005DEC000-memory.dmp

memory/1488-134-0x0000000006410000-0x00000000069B4000-memory.dmp

memory/1488-135-0x0000000005F00000-0x0000000005F92000-memory.dmp

memory/1488-136-0x0000000005E40000-0x0000000005E4A000-memory.dmp

memory/1488-137-0x00000000060E0000-0x0000000006136000-memory.dmp

memory/4304-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2A47.tmp

MD5 b803451044b4525bfe28c58fa69cc7d4
SHA1 9a91d443dce51d0393dccdda9eb4f9ad9e523e5f
SHA256 f584ed25d24c759b7cbe78a7762717c141bdaf2c07ef0fad5ce8c730ad8dd7e0
SHA512 db56d92e39085dfcb8868413593df07881660e108d817dfd26fc330d68da4586f99927288f2ebbdc49badcdd96f6ffd48e112e7e5a90699291d382ab6e29a375

memory/1496-140-0x0000000000000000-mapping.dmp

memory/1840-141-0x0000000000000000-mapping.dmp

memory/1840-142-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1840-143-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1840-144-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1840-145-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1840-146-0x0000000074970000-0x00000000749A9000-memory.dmp

memory/1840-147-0x0000000074CF0000-0x0000000074D29000-memory.dmp

memory/1840-148-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1840-149-0x0000000074CF0000-0x0000000074D29000-memory.dmp