Malware Analysis Report

2025-01-03 05:09

Sample ID 230909-geeh5ahe77
Target Stub.exe
SHA256 73971baad302c2025a9cede6800b2e811600b17ded2f7ef4782a83bfdc687b9b
Tags
bitrat xenarmor collection password recovery spyware stealer trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

73971baad302c2025a9cede6800b2e811600b17ded2f7ef4782a83bfdc687b9b

Threat Level: Known bad

The file Stub.exe was found to be: Known bad.

Malicious Activity Summary

bitrat xenarmor collection password recovery spyware stealer trojan upx

Bitrat family

BitRAT

XenArmor Suite

ACProtect 1.3x - 1.4x DLL software

Reads user/profile data of local email clients

Reads local data of messenger clients

Reads data files stored by FTP clients

UPX packed file

Loads dropped DLL

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-09 05:42

Signatures

Bitrat family

bitrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-09 05:42

Reported

2023-09-09 05:45

Platform

win7-20230831-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Stub.exe"

Signatures

BitRAT

trojan bitrat

XenArmor Suite

recovery password xenarmor

ACProtect 1.3x - 1.4x DLL software

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Accesses Microsoft Outlook accounts

collection

Description | Indicator | Process | Target
Key opened \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1720 set thread context of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | C:\Users\Admin\AppData\Local\Temp\Stub.exe
PID 3028 set thread context of 576 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | C:\Users\Admin\AppData\Local\Temp\Stub.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1720 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | C:\Users\Admin\AppData\Local\Temp\Stub.exe
PID 1720 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | C:\Users\Admin\AppData\Local\Temp\Stub.exe
PID 1720 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | C:\Users\Admin\AppData\Local\Temp\Stub.exe
PID 1720 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | C:\Users\Admin\AppData\Local\Temp\Stub.exe
PID 1720 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | C:\Users\Admin\AppData\Local\Temp\Stub.exe
PID 1720 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | C:\Users\Admin\AppData\Local\Temp\Stub.exe
PID 1720 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | C:\Users\Admin\AppData\Local\Temp\Stub.exe
PID 1720 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | C:\Users\Admin\AppData\Local\Temp\Stub.exe
PID 3028 wrote to memory of 576 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | C:\Users\Admin\AppData\Local\Temp\Stub.exe
PID 3028 wrote to memory of 576 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | C:\Users\Admin\AppData\Local\Temp\Stub.exe
PID 3028 wrote to memory of 576 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | C:\Users\Admin\AppData\Local\Temp\Stub.exe
PID 3028 wrote to memory of 576 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | C:\Users\Admin\AppData\Local\Temp\Stub.exe
PID 3028 wrote to memory of 576 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | C:\Users\Admin\AppData\Local\Temp\Stub.exe
PID 3028 wrote to memory of 576 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | C:\Users\Admin\AppData\Local\Temp\Stub.exe
PID 3028 wrote to memory of 576 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | C:\Users\Admin\AppData\Local\Temp\Stub.exe
PID 3028 wrote to memory of 576 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | C:\Users\Admin\AppData\Local\Temp\Stub.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Stub.exe

"C:\Users\Admin\AppData\Local\Temp\Stub.exe"

C:\Users\Admin\AppData\Local\Temp\Stub.exe

-a "C:\Users\Admin\AppData\Local\d5b5fbb4\plg\6xVvPiUv.json"

C:\Users\Admin\AppData\Local\Temp\Stub.exe

-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | moonli.ddnsking.com | udp
BG | 193.42.32.25:1234 | moonli.ddnsking.com | tcp
BG | 193.42.32.25:1234 | moonli.ddnsking.com | tcp
US | 8.8.8.8:53 | www.xenarmor.com | udp
US | 69.64.94.128:80 | www.xenarmor.com | tcp
BG | 193.42.32.25:1234 | moonli.ddnsking.com | tcp
US | 8.8.8.8:53 | moonli.ddnsking.com | udp
US | 8.8.8.8:53 | moonli.ddnsking.com | udp

Files

memory/1720-0-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1720-1-0x00000000003C0000-0x00000000003CA000-memory.dmp

memory/1720-2-0x00000000003C0000-0x00000000003CA000-memory.dmp

memory/1720-3-0x00000000003C0000-0x00000000003CA000-memory.dmp

memory/1720-4-0x00000000003C0000-0x00000000003CA000-memory.dmp

memory/3028-7-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/3028-9-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/3028-11-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/3028-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3028-15-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/3028-17-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/3028-19-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/3028-20-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/576-44-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/576-46-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/576-48-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/576-52-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/576-53-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/576-54-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/576-56-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/576-55-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/576-57-0x0000000000400000-0x00000000006FE000-memory.dmp

\Users\Admin\AppData\Local\Temp\Unknown.dll

MD5 86114faba7e1ec4a667d2bcb2e23f024
SHA1 670df6e1ba1dc6bece046e8b2e573dd36748245e
SHA256 568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d
SHA512 d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

C:\Users\Admin\AppData\Local\Temp\Unknown.dll

MD5 86114faba7e1ec4a667d2bcb2e23f024
SHA1 670df6e1ba1dc6bece046e8b2e573dd36748245e
SHA256 568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d
SHA512 d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

memory/576-61-0x0000000010000000-0x0000000010227000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\License.XenArmor

MD5 4f3bde9212e17ef18226866d6ac739b6
SHA1 732733bec8314beb81437e60876ffa75e72ae6cd
SHA256 212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174
SHA512 10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

memory/576-70-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/3028-71-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/576-73-0x0000000010000000-0x0000000010227000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\License.XenArmor

MD5 bf5da170f7c9a8eae88d1cb1a191ff80
SHA1 dd1b991a1b03587a5d1edc94e919a2070e325610
SHA256 e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd
SHA512 9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

C:\Users\Admin\AppData\Local\Temp\unk.xml

MD5 67efe59fbf8aaf3e8de7d67dab21c2a7
SHA1 0869d3ea3b16639ed4a0803acea1c476e199b16c
SHA256 63ca5c5c3cf4be4765115926225c060d89ef54d6f6fc3ec284cb3ecb398b0cb1
SHA512 75f162ff2cc23dd7df018109264f157727fdecc869e3f493e4d0bed26b4429ab00fc9724a5ea420488ba1b4b102a07992357c0d3567c7acea6dd5333cd8cebbb

memory/3028-98-0x0000000000400000-0x00000000008DC000-memory.dmp

C:\Users\Admin\AppData\Local\d5b5fbb4\plg\6xVvPiUv.json

MD5 67efe59fbf8aaf3e8de7d67dab21c2a7
SHA1 0869d3ea3b16639ed4a0803acea1c476e199b16c
SHA256 63ca5c5c3cf4be4765115926225c060d89ef54d6f6fc3ec284cb3ecb398b0cb1
SHA512 75f162ff2cc23dd7df018109264f157727fdecc869e3f493e4d0bed26b4429ab00fc9724a5ea420488ba1b4b102a07992357c0d3567c7acea6dd5333cd8cebbb

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-09 05:42

Reported

2023-09-09 05:45

Platform

win10v2004-20230831-en

Max time kernel

142s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Stub.exe"

Signatures

BitRAT

trojan bitrat

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stub.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Stub.exe

"C:\Users\Admin\AppData\Local\Temp\Stub.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | moonli.ddnsking.com | udp
BG | 193.42.32.25:1234 | moonli.ddnsking.com | tcp
US | 8.8.8.8:53 | 25.32.42.193.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp

Files

memory/556-0-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/556-1-0x00000000748E0000-0x0000000074919000-memory.dmp

memory/556-2-0x0000000074C80000-0x0000000074CB9000-memory.dmp

memory/556-3-0x00000000748E0000-0x0000000074919000-memory.dmp

memory/556-4-0x0000000074C80000-0x0000000074CB9000-memory.dmp