Malware Analysis Report

2025-01-03 05:10

Sample ID 230701-xvxmmsae9v
Target a47434b53be19aa80e4529da0ac4e528.exe
SHA256 5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b
Tags
bitrat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b

Threat Level: Known bad

The file a47434b53be19aa80e4529da0ac4e528.exe was found to be: Known bad.

Malicious Activity Summary

bitrat trojan

BitRAT

Drops startup file

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-07-01 19:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-01 19:11

Reported

2023-07-01 19:13

Platform

win7-20230621-en

Max time kernel

28s

Max time network

31s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe

"C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe"

Network

N/A

Files

memory/612-54-0x0000000000D10000-0x00000000011F2000-memory.dmp

memory/612-55-0x0000000004DD0000-0x0000000005050000-memory.dmp

memory/612-57-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-56-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-59-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-61-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-63-0x0000000004D90000-0x0000000004DD0000-memory.dmp

memory/612-64-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-66-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-68-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-70-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-72-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-74-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-76-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-78-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-80-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-82-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-84-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-86-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-88-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-90-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-92-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-94-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-96-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-98-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-100-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-102-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-104-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-106-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-108-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-110-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-112-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-114-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-116-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-118-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-120-0x0000000004DD0000-0x000000000504A000-memory.dmp

memory/612-1101-0x00000000054C0000-0x00000000056B6000-memory.dmp

memory/612-1102-0x00000000005F0000-0x00000000005F1000-memory.dmp

memory/612-1103-0x0000000004A80000-0x0000000004ACC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-01 19:11

Reported

2023-07-01 19:13

Platform

win10v2004-20230621-en

Max time kernel

150s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe"

Signatures

BitRAT

trojan bitrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Babryua.vbs C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4960 set thread context of 4948 N/A C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4960 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe
PID 4960 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe
PID 4960 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe
PID 4960 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe
PID 4960 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe
PID 4960 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe
PID 4960 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe
PID 4960 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe
PID 4960 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe
PID 4960 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe
PID 4960 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe

"C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe"

C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe

C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe purecrypter.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 52.182.143.210:443 N/A tcp

Files

memory/4960-133-0x0000000000C60000-0x0000000001142000-memory.dmp

memory/4960-134-0x0000000005CF0000-0x0000000005D00000-memory.dmp

memory/4960-135-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-136-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-138-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-140-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-142-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-144-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-146-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-148-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-150-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-152-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-154-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-156-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-158-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-160-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-162-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-164-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-166-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-168-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-170-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-172-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-174-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-176-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-178-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-180-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-182-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-184-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-186-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-188-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-190-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-192-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-194-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-196-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-198-0x0000000005D00000-0x0000000005F7A000-memory.dmp

memory/4960-471-0x0000000005CF0000-0x0000000005D00000-memory.dmp

memory/4960-1180-0x0000000005BB0000-0x0000000005BB1000-memory.dmp

memory/4960-1181-0x0000000007A60000-0x0000000008004000-memory.dmp

memory/4948-1188-0x0000000000400000-0x00000000007CE000-memory.dmp