Malware Analysis Report

2025-01-03 05:10

Sample ID: 230720-kr5smaef81
Target: megusz.exe
SHA256: 8dd536083c6ed59bc8a88d3df2eef87142a69c48fb4e6594ac606aaafd5c7594
Tags: upx bitrat trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file megusz.exe was found to be: Known bad.

Malicious Activity Summary

Bitrat family

BitRAT

UPX packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK: N/A

Analysis: static1

Detonation Overview

Reported: 2023-07-20 08:51

Signatures

Bitrat family (tags: bitrat)

UPX packed file (tags: upx)

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2023-07-20 08:51
Reported: 2023-07-20 08:53
Platform: win7-20230712-en
Max time kernel: 146s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\megusz.exe"

Signatures

BitRAT (tags: trojan bitrat)

UPX packed file (tags: upx)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\megusz.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\megusz.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\megusz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\megusz.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\megusz.exe

"C:\Users\Admin\AppData\Local\Temp\megusz.exe"

Network

Country Destination Domain Proto
NL 208.67.104.96:1234 tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted: 2023-07-20 08:51
Reported: 2023-07-20 08:54
Platform: win10v2004-20230703-en
Max time kernel: 173s
Max time network: 185s

Command Line

"C:\Users\Admin\AppData\Local\Temp\megusz.exe"

Signatures

BitRAT (tags: trojan bitrat)

UPX packed file (tags: upx)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\megusz.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\megusz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\megusz.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\megusz.exe

"C:\Users\Admin\AppData\Local\Temp\megusz.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 208.67.104.96:1234 tcp
US 8.8.8.8:53 96.104.67.208.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp

Files
