Malware Analysis Report

2025-01-03 05:10

Sample ID: 230620-dl7ayahf39
Target: c08717041abe9ab94e3923f4e08a09583ab195ac3d460642b18568362c32a71e
SHA256: c08717041abe9ab94e3923f4e08a09583ab195ac3d460642b18568362c32a71e
Tags: bitrat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: c08717041abe9ab94e3923f4e08a09583ab195ac3d460642b18568362c32a71e
Threat Level: Known bad

The file c08717041abe9ab94e3923f4e08a09583ab195ac3d460642b18568362c32a71e was found to be: Known bad.

Malicious Activity Summary

bitrat trojan
BitRAT
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2023-06-20 03:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2023-06-20 03:06
Reported: 2023-06-20 03:09
Platform: win10v2004-20230220-en
Max time kernel: 96s
Max time network: 133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c08717041abe9ab94e3923f4e08a09583ab195ac3d460642b18568362c32a71e.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\c08717041abe9ab94e3923f4e08a09583ab195ac3d460642b18568362c32a71e.exe

"C:\Users\Admin\AppData\Local\Temp\c08717041abe9ab94e3923f4e08a09583ab195ac3d460642b18568362c32a71e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4152 -ip 4152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 80

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 177.17.30.184.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
IE 20.54.89.15:443 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-06-20 03:06
Reported: 2023-06-20 03:09
Platform: win7-20230220-en
Max time kernel: 150s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c08717041abe9ab94e3923f4e08a09583ab195ac3d460642b18568362c32a71e.exe"

Signatures

BitRAT

trojan bitrat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1524 set thread context of 1624 N/A C:\Users\Admin\AppData\Local\Temp\c08717041abe9ab94e3923f4e08a09583ab195ac3d460642b18568362c32a71e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1524 wrote to memory of 1624 (reported 15 times) N/A C:\Users\Admin\AppData\Local\Temp\c08717041abe9ab94e3923f4e08a09583ab195ac3d460642b18568362c32a71e.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c08717041abe9ab94e3923f4e08a09583ab195ac3d460642b18568362c32a71e.exe

"C:\Users\Admin\AppData\Local\Temp\c08717041abe9ab94e3923f4e08a09583ab195ac3d460642b18568362c32a71e.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 aaaxxx60.hopto.org udp
US 47.87.136.103:400 aaaxxx60.hopto.org tcp
US 8.8.8.8:53 aaaxxx60.hopto.org udp
US 8.8.8.8:53 aaaxxx60.hopto.org udp

Files

memory/1624-56-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-57-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-58-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-59-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-60-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-61-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-63-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1624-62-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-64-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-66-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-67-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-68-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-69-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-71-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-73-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-74-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-75-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-76-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-77-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-78-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-79-0x0000000000290000-0x000000000029A000-memory.dmp
memory/1624-80-0x0000000000290000-0x000000000029A000-memory.dmp
memory/1624-81-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-83-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-84-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-87-0x0000000000290000-0x000000000029A000-memory.dmp
memory/1624-88-0x0000000000290000-0x000000000029A000-memory.dmp
memory/1624-89-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-91-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-95-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-97-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-101-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-103-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-107-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-110-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-113-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-117-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-119-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1624-123-0x0000000000400000-0x00000000007CE000-memory.dmp