Malware Analysis Report

2025-01-03 05:12

Sample ID 230129-y8b4jade7y
Target de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2
SHA256 de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2
Tags: bitrat trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2

Threat Level: Known bad

The file de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2 was found to be: Known bad.

Malicious Activity Summary

bitrat trojan

BitRAT

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-01-29 20:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-01-29 20:26

Reported: 2023-01-29 20:29

Platform: win7-20221111-en

Max time kernel: 145s

Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe"

Signatures

BitRAT

trojan bitrat

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 772 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe C:\Windows\SysWOW64\schtasks.exe
PID 772 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

"C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EExmhb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9A8C.tmp"

C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

"C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe"

Network

Country Destination Domain Proto
N/A 193.239.147.77:6505 tcp

Files

memory/772-54-0x0000000000F60000-0x0000000001428000-memory.dmp

memory/772-55-0x0000000075D01000-0x0000000075D03000-memory.dmp

memory/772-56-0x0000000009470000-0x000000000947A000-memory.dmp

memory/772-57-0x000000000F300000-0x000000000F6F0000-memory.dmp

memory/1748-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9A8C.tmp

MD5 0aad263df4e5f31d7c60a49fc87a9241
SHA1 a7e1ff528ccf2bebb1a408ae03edff7f4a1421b3
SHA256 d762ba7da1b1526085f23099d44b11ca82a1568de1966d8237caa71d93a9c2db
SHA512 8e88caef29efedd916013367eb16e60cdd01c4379e0e4e451456c7299d23519cee2d54a44e3b33f9e0271bd3295c8c856d66f16cd631de7e8c0a773c425a9921

memory/1776-60-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1776-61-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1776-63-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1776-65-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1776-67-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1776-69-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1776-70-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1776-72-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1776-73-0x0000000000689A84-mapping.dmp

memory/1776-75-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1776-77-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1776-78-0x0000000000400000-0x00000000007CD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-01-29 20:26

Reported: 2023-01-29 20:29

Platform: win10v2004-20221111-en

Max time kernel: 144s

Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe"

Signatures

BitRAT

trojan bitrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4868 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe C:\Windows\SysWOW64\schtasks.exe
PID 4868 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

"C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EExmhb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4467.tmp"

C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

"C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe"

Network

Country Destination Domain Proto
N/A 20.42.73.26:443 tcp
N/A 8.238.111.126:80 tcp
N/A 104.80.225.205:443 tcp
N/A 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
N/A 8.238.111.126:80 tcp
N/A 8.238.111.126:80 tcp
N/A 8.8.8.8:53 106.89.54.20.in-addr.arpa udp
N/A 8.8.8.8:53 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa udp
N/A 193.239.147.77:6505 tcp

Files

memory/4868-132-0x00000000000F0000-0x00000000005B8000-memory.dmp

memory/4868-133-0x0000000004F40000-0x0000000004FDC000-memory.dmp

memory/4868-134-0x00000000055A0000-0x0000000005B44000-memory.dmp

memory/4868-135-0x0000000005090000-0x0000000005122000-memory.dmp

memory/4868-136-0x0000000005050000-0x000000000505A000-memory.dmp

memory/4868-137-0x0000000005BB0000-0x0000000005C06000-memory.dmp

memory/2276-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4467.tmp

MD5 ba365bb9d5c48e32aa3d299d7697c61b
SHA1 f878dc206df5806c7c69360da6e92a2a666d714d
SHA256 6fc9042925a801b824230dea1cce8868a11babf7d1af83f52ea3a28b6f60e117
SHA512 8bf872d8fd6e3f34c38723cba137ed080a5803564a95cc24c8fce4540fe5ae27c032cd065ef5e4c7152e51ba5df9eef6d8ee84c5cd0f6bb66bdd75eb39e1b131

memory/1696-140-0x0000000000000000-mapping.dmp

memory/1696-141-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1696-142-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1696-143-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1696-144-0x0000000000400000-0x00000000007CD000-memory.dmp

memory/1696-145-0x0000000074A40000-0x0000000074A79000-memory.dmp

memory/1696-146-0x0000000074DC0000-0x0000000074DF9000-memory.dmp

memory/1696-147-0x0000000000400000-0x00000000007CD000-memory.dmp