Malware Analysis Report

2025-01-03 05:11

Sample ID: 230214-hw3sqabe75
Target: INVOICEXls223.exe
SHA256: 08cfe144396f7fc7aaf3a47e86826d439502e4e80e6a9043bcb026ae2f1e845a
Tags: bitrat trojan upx
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 08cfe144396f7fc7aaf3a47e86826d439502e4e80e6a9043bcb026ae2f1e845a

Threat Level: Known bad

The file INVOICEXls223.exe was found to be: Known bad.

Malicious Activity Summary

bitrat trojan upx

BitRAT

UPX packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2023-02-14 07:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-02-14 07:06
Reported: 2023-02-14 07:08
Platform: win7-20220812-en
Max time kernel: 147s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe"

Signatures

BitRAT (trojan bitrat)

UPX packed file (upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1088 set thread context of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1088 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1088 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1088 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1088 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1088 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1088 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1088 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1088 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1088 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1088 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1088 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1088 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1088 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1088 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1088 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1088 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1088 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1088 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe

"C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | celesperial.ddns.net | udp
CA | 209.127.19.155:5200 | celesperial.ddns.net | tcp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | celesperial.ddns.net | udp
US | 8.8.8.8:53 | celesperial.ddns.net | udp

Files

memory/1088-54-0x0000000000BC0000-0x0000000001228000-memory.dmp
memory/1088-55-0x0000000000240000-0x0000000000252000-memory.dmp
memory/1088-56-0x0000000000500000-0x0000000000508000-memory.dmp
memory/1716-57-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/1716-58-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/1716-60-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/1716-61-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/1716-62-0x00000000007E2730-mapping.dmp
memory/1716-63-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/1716-64-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/1716-65-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/1716-67-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/1716-66-0x0000000074D61000-0x0000000074D63000-memory.dmp
memory/1716-68-0x0000000000110000-0x000000000011A000-memory.dmp
memory/1716-69-0x0000000000400000-0x00000000007E4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-02-14 07:06
Reported: 2023-02-14 07:08
Platform: win10v2004-20221111-en
Max time kernel: 150s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe"

Signatures

BitRAT (trojan bitrat)

UPX packed file (upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2500 set thread context of 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2500 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2500 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2500 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2500 wrote to memory of 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2500 wrote to memory of 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2500 wrote to memory of 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2500 wrote to memory of 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2500 wrote to memory of 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2500 wrote to memory of 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2500 wrote to memory of 3260 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe

"C:\Users\Admin\AppData\Local\Temp\INVOICEXls223.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | celesperial.ddns.net | udp
CA | 209.127.19.155:5200 | celesperial.ddns.net | tcp
CA | 209.127.19.155:5200 | celesperial.ddns.net | tcp
US | 93.184.221.240:80 | N/A | tcp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 20.189.173.12:443 | N/A | tcp
NL | 104.80.225.205:443 | N/A | tcp
US | 8.8.8.8:53 | celesperial.ddns.net | udp
US | 8.8.8.8:53 | celesperial.ddns.net | udp

Files

memory/2500-132-0x0000000000180000-0x00000000007E8000-memory.dmp
memory/748-133-0x0000000000000000-mapping.dmp
memory/3260-134-0x0000000000000000-mapping.dmp
memory/3260-135-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/3260-137-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/3260-138-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/3260-136-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/3260-139-0x0000000074F50000-0x0000000074F89000-memory.dmp
memory/3260-140-0x00000000752D0000-0x0000000075309000-memory.dmp
memory/3260-141-0x0000000000400000-0x00000000007E4000-memory.dmp
memory/3260-142-0x00000000752D0000-0x0000000075309000-memory.dmp
memory/3260-143-0x0000000074F50000-0x0000000074F89000-memory.dmp
memory/3260-144-0x00000000752D0000-0x0000000075309000-memory.dmp
memory/3260-145-0x00000000752D0000-0x0000000075309000-memory.dmp