Malware Analysis Report

2025-01-03 05:22

Sample ID 230129-x73dnacd3w
Target a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5
SHA256 a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5
Tags
bitrat trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5

Threat Level: Known bad

The file a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5 was classified as known bad (BitRAT trojan).

Malicious Activity Summary

bitrat trojan

BitRAT

Executes dropped EXE

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V6)

No technique mappings are present in this export of the report.

Analysis: static1

Detonation Overview

Reported

2023-01-29 19:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-29 19:30

Reported

2023-01-29 19:33

Platform

win7-20220812-en

Max time kernel

151s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe"

Signatures

BitRAT

trojan bitrat

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Token                Process
SeDebugPrivilege     C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe
SeDebugPrivilege     C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe
SeShutdownPrivilege  C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe

Suspicious use of SetWindowsHookEx

Process: C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe (2 hits)

Processes

C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe

"C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe"

C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe

"C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe"

Network

Destination           Proto  Domain                Hits
87.78.165.108:25625   tcp                          4
8.8.8.8:53            udp    cdn-35.anonfiles.com  1

Files

memory/1160-54-0x0000000001010000-0x00000000011FE000-memory.dmp
memory/1160-55-0x0000000000F56000-0x0000000000F75000-memory.dmp
memory/1160-56-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe
MD5     14b0626141c4e627aeb5d13411277d83
SHA1    ec8f50af65560de5a63d1174809ed9cec31191cf
SHA256  d9d78c09e03266f7718b049f360aa7620a75e765811373f7e38e00bc962f9e6e
SHA512  f0beab68df89e93063b1409578d0e086d554a6d505c1e26f0cc5485ddad5e7108006173ad9fa000700a64471439998c3f895acc6f2c8e08418f1bea3ff13a027

memory/1976-57-0x0000000000000000-mapping.dmp
memory/1976-59-0x0000000075A91000-0x0000000075A93000-memory.dmp
memory/1160-60-0x0000000000F56000-0x0000000000F75000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-29 19:30

Reported

2023-01-29 19:33

Platform

win10v2004-20220901-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe"

Signatures

BitRAT

trojan bitrat

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe

Checks computer location settings

Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe

(The queried key is HKCU\Control Panel\International\Geo\Nation for the logged-on user, which stores the configured country code.)

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Token                Process
SeDebugPrivilege     C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe
SeShutdownPrivilege  C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe

Suspicious use of SetWindowsHookEx

Process: C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe (2 hits)

Processes

C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe

"C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe"

C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe

"C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe"

Network

Destination           Proto  Domain                Hits
8.8.8.8:53            udp    cdn-35.anonfiles.com  1
87.78.165.108:25625   tcp                          5
104.208.16.90:443     tcp                          1
67.26.207.254:80      tcp                          3

Files

memory/4972-132-0x0000000000320000-0x000000000050E000-memory.dmp
memory/4972-133-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp
memory/4312-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe
MD5     14b0626141c4e627aeb5d13411277d83
SHA1    ec8f50af65560de5a63d1174809ed9cec31191cf
SHA256  d9d78c09e03266f7718b049f360aa7620a75e765811373f7e38e00bc962f9e6e
SHA512  f0beab68df89e93063b1409578d0e086d554a6d505c1e26f0cc5485ddad5e7108006173ad9fa000700a64471439998c3f895acc6f2c8e08418f1bea3ff13a027

memory/4972-137-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp
memory/4312-138-0x0000000074F80000-0x0000000074FB9000-memory.dmp
memory/4312-139-0x0000000075320000-0x0000000075359000-memory.dmp
memory/4312-140-0x0000000075320000-0x0000000075359000-memory.dmp
memory/4312-141-0x0000000075320000-0x0000000075359000-memory.dmp
memory/4312-142-0x0000000074F80000-0x0000000074FB9000-memory.dmp
memory/4312-143-0x0000000075320000-0x0000000075359000-memory.dmp
memory/4312-144-0x0000000075320000-0x0000000075359000-memory.dmp
memory/4312-145-0x0000000075320000-0x0000000075359000-memory.dmp
memory/4312-146-0x0000000075320000-0x0000000075359000-memory.dmp
memory/4312-147-0x0000000075320000-0x0000000075359000-memory.dmp
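Hunting with the indicators above

The report yields a small, concrete indicator set: the SHA256 of the submitted sample, the MD5/SHA1/SHA256 of the dropped P402.Hermes.RE_4.exe, the repeated TCP connections to 87.78.165.108:25625 seen in both detonations, the DNS lookup for cdn-35.anonfiles.com, and the behaviour of a binary in the user's Temp directory spawning a second binary from the same directory. The following is an added example written for this page, not code from the sandbox or from the sample. It assumes endpoint telemetry exported as Sysmon-style JSON lines with the standard Sysmon field names (EventID, Image, ParentImage, Hashes, TargetFilename, DestinationIp, DestinationPort, QueryName); the event lines embedded in it are constructed for illustration and are not a real capture. The 443 and 80 destinations in the behavioral2 network table are deliberately left out of the indicator set because the report does not attribute them to a specific process.

```python
"""Hunt for the indicators from this report in Sysmon-style JSON-lines telemetry.

Added example for this page (not code from the sandbox or the sample).
Assumptions: one JSON object per line using Sysmon field names; the
SAMPLE_EVENTS below are constructed for illustration, not a real capture.
"""
import json
import ntpath
from dataclasses import dataclass

# File hashes copied from the report: the submitted sample and the dropped payload.
HASH_IOCS = {
    "a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5": "submitted sample (SHA256)",
    "d9d78c09e03266f7718b049f360aa7620a75e765811373f7e38e00bc962f9e6e": "P402.Hermes.RE_4.exe (SHA256)",
    "ec8f50af65560de5a63d1174809ed9cec31191cf": "P402.Hermes.RE_4.exe (SHA1)",
    "14b0626141c4e627aeb5d13411277d83": "P402.Hermes.RE_4.exe (MD5)",
}
# Network indicators seen in both detonations.
C2_ENDPOINTS = {("87.78.165.108", 25625)}       # repeated TCP connections
SUSPICIOUS_DOMAINS = {"cdn-35.anonfiles.com"}   # resolved via 8.8.8.8
DROPPED_NAMES = {"p402.hermes.re_4.exe"}        # payload written to %TEMP%


@dataclass(frozen=True)
class Finding:
    record: int   # zero-based index of the matching event line
    rule: str     # short rule name
    detail: str   # what matched


def parse_hashes(field: str) -> dict:
    """Turn a Sysmon 'Hashes' value like 'MD5=..,SHA256=..' into {ALGO: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def in_user_temp(path: str) -> bool:
    """True for paths under <profile>\\AppData\\Local\\Temp, where both binaries ran."""
    return "\\appdata\\local\\temp\\" in path.lower()


def check_event(idx: int, ev: dict) -> list:
    """Apply every rule to one event and return the findings for it (possibly none)."""
    findings = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    if eid == 1:  # process creation
        matched = [a for a, v in parse_hashes(ev.get("Hashes", "")).items() if v in HASH_IOCS]
        if matched:
            findings.append(Finding(idx, "known_bad_hash", f"{image} ({', '.join(matched)})"))
        parent = ev.get("ParentImage", "")
        if in_user_temp(image) and in_user_temp(parent):
            findings.append(Finding(idx, "temp_spawns_temp", f"{parent} -> {image}"))
        if ntpath.basename(image).lower() in DROPPED_NAMES:
            findings.append(Finding(idx, "dropped_payload_name", image))
    elif eid == 3:  # network connection
        key = (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0)))
        if key in C2_ENDPOINTS:
            findings.append(Finding(idx, "bitrat_c2_connect",
                                    f"{image} -> {key[0]}:{key[1]}/{ev.get('Protocol', '?')}"))
    elif eid == 11:  # file creation
        target = ev.get("TargetFilename", "")
        if ntpath.basename(target).lower() in DROPPED_NAMES:
            findings.append(Finding(idx, "dropped_payload_written", target))
    elif eid == 22:  # DNS query
        if ev.get("QueryName", "").lower() in SUSPICIOUS_DOMAINS:
            findings.append(Finding(idx, "suspicious_dns", ev["QueryName"]))
    return findings


def hunt(lines) -> list:
    """Run the rules over an iterable of JSON lines; findings come back in event order."""
    findings = []
    for idx, line in enumerate(lines):
        if line.strip():
            findings.extend(check_event(idx, json.loads(line)))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe"

# Constructed telemetry mirroring the behavioural runs above; not a real log capture.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 1, "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=A51282512C747E4696968BA0D7CAC12DA4C0EE23ED9BD8F9162B44CD6FEAE6B5"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": PAYLOAD},
    {"EventID": 1, "Image": PAYLOAD, "ParentImage": SAMPLE,
     "Hashes": "MD5=14b0626141c4e627aeb5d13411277d83,SHA1=ec8f50af65560de5a63d1174809ed9cec31191cf,"
               "SHA256=d9d78c09e03266f7718b049f360aa7620a75e765811373f7e38e00bc962f9e6e"},
    {"EventID": 22, "Image": PAYLOAD, "QueryName": "cdn-35.anonfiles.com"},
    {"EventID": 3, "Image": PAYLOAD, "Protocol": "tcp",
     "DestinationIp": "87.78.165.108", "DestinationPort": "25625"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "Protocol": "tcp",
     "DestinationIp": "67.26.207.254", "DestinationPort": "80"},  # not in the indicator set
]]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.record}: {f.detail}")
```

Hash matching is case-insensitive because Sysmon writes hex in upper case while this report lists it in lower case. The temp_spawns_temp rule is intentionally broader than this sample: it will also fire on other droppers that stage a payload in the user's Temp directory, which is the behaviour worth alerting on even after the hashes and the C2 address rotate.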