Analysis Overview
SHA256
246963e6022a7ba9276b0ba3645350224eabe9430cfe175110e6ca555dd1f9e6
Threat Level: Known bad
The file 246963e6022a7ba9276b0ba3645350224eabe9430cfe175110e6ca555dd1f9e6 was found to be: Known bad.
Malicious Activity Summary
BitRAT
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-29 19:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-29 19:36
Reported
2023-01-29 19:39
Platform
win7-20220812-en
Max time kernel
149s
Max time network
48s
Command Line
Signatures
BitRAT
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1632 set thread context of 1008 | N/A | C:\Users\Admin\AppData\Local\Temp\246963e6022a7ba9276b0ba3645350224eabe9430cfe175110e6ca555dd1f9e6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\246963e6022a7ba9276b0ba3645350224eabe9430cfe175110e6ca555dd1f9e6.exe
"C:\Users\Admin\AppData\Local\Temp\246963e6022a7ba9276b0ba3645350224eabe9430cfe175110e6ca555dd1f9e6.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gsoFVSJztCV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp19C9.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"{path}"
Network
Files
memory/1632-54-0x0000000076091000-0x0000000076093000-memory.dmp
memory/1632-55-0x00000000744B0000-0x0000000074A5B000-memory.dmp
memory/1632-56-0x00000000744B0000-0x0000000074A5B000-memory.dmp
memory/1732-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp19C9.tmp
| Hash | Value |
|---|---|
| MD5 | 3a449379ff20b817567c410786c56225 |
| SHA1 | 7c95dba22d10a0377bba2ec20817f4771a2a50ba |
| SHA256 | aefbdaa7036ef73313306caf6b8e33353f664882702cba8316a559b79bcf00d6 |
| SHA512 | c73bda4716ad5409aa7e894f9fbbd287dfbaa24d6c7eb9487529ef1d2fed81dfa00afe1dd9926afb7902d90a8265a32a434216402ec1e80de6165fff3f43d189 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-29 19:36
Reported
2023-01-29 19:39
Platform
win10v2004-20221111-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\246963e6022a7ba9276b0ba3645350224eabe9430cfe175110e6ca555dd1f9e6.exe
"C:\Users\Admin\AppData\Local\Temp\246963e6022a7ba9276b0ba3645350224eabe9430cfe175110e6ca555dd1f9e6.exe"
Network
Files
memory/2700-132-0x0000000074D50000-0x0000000075301000-memory.dmp
memory/2700-133-0x0000000074D50000-0x0000000075301000-memory.dmp