Malware Analysis Report

2025-01-03 05:36

Sample ID: 230918-wz6wfabf8z
Target:    SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe
SHA256:    3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943
Tags:      bitrat xenarmor password recovery trojan upx
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score:        10/10
SHA256:       3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943
Threat Level: Known bad

The file SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe was found to be: Known bad.

Malicious Activity Summary

Tags: bitrat xenarmor password recovery trojan upx

BitRAT
XenArmor Suite
UPX packed file
Executes dropped EXE
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-09-18 18:22

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2023-09-18 18:22
Reported:         2023-09-18 18:25
Platform:         win7-20230831-en
Max time kernel:  151s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe"

Signatures

BitRAT

Tags: trojan bitrat

XenArmor Suite

Tags: recovery password xenarmor

UPX packed file

Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | N/A

Suspicious use of WriteProcessMemory

Identical rows are collapsed; Count is the number of times the sandbox reported the row.

Description | Indicator | Process | Target | Count
PID 2244 wrote to memory of 2284 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe | 12
PID 2244 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2244 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2244 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2628 wrote to memory of 2696 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 2548 wrote to memory of 3056 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\hope\hope.exe | 4
PID 3056 wrote to memory of 324 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Users\Admin\AppData\Roaming\hope\hope.exe | 12
PID 3056 wrote to memory of 320 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 3056 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 3056 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1236 wrote to memory of 1356 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 2284 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe | 4

Processes

Each entry gives the process image path followed, indented, by its command line.

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe"

C:\Windows\SysWOW64\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\hope"

C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hope\hope.exe'" /f

C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe" "C:\Users\Admin\AppData\Roaming\hope\hope.exe"

C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hope\hope.exe'" /f

C:\Windows\system32\taskeng.exe
    taskeng.exe {21A0D066-66F3-47D7-B33F-38E972587C64} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\hope\hope.exe
    C:\Users\Admin\AppData\Roaming\hope\hope.exe

C:\Users\Admin\AppData\Roaming\hope\hope.exe
    "C:\Users\Admin\AppData\Roaming\hope\hope.exe"

C:\Windows\SysWOW64\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\hope"

C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hope\hope.exe'" /f

C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\hope\hope.exe" "C:\Users\Admin\AppData\Roaming\hope\hope.exe"

C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hope\hope.exe'" /f

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe
    -a "C:\Users\Admin\AppData\Local\f9be9104\plg\YOjGfKjW.json"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe
    -a "C:\Users\Admin\AppData\Local\Temp\unk.xml"

C:\Users\Admin\AppData\Roaming\hope\hope.exe
    C:\Users\Admin\AppData\Roaming\hope\hope.exe

C:\Users\Admin\AppData\Roaming\hope\hope.exe
    "C:\Users\Admin\AppData\Roaming\hope\hope.exe"

C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\hope\hope.exe" "C:\Users\Admin\AppData\Roaming\hope\hope.exe"

C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hope\hope.exe'" /f

C:\Windows\SysWOW64\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\hope"

C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hope\hope.exe'" /f

C:\Users\Admin\AppData\Roaming\hope\hope.exe
    C:\Users\Admin\AppData\Roaming\hope\hope.exe

C:\Users\Admin\AppData\Roaming\hope\hope.exe
    "C:\Users\Admin\AppData\Roaming\hope\hope.exe"

C:\Windows\SysWOW64\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\hope"

C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\hope\hope.exe" "C:\Users\Admin\AppData\Roaming\hope\hope.exe"

C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hope\hope.exe'" /f

C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hope\hope.exe'" /f

Network

Country | Destination | Domain | Proto
NL | 185.225.75.68:3569 | (none) | tcp
NL | 185.225.75.68:3569 | (none) | tcp
NL | 185.225.75.68:3569 | (none) | tcp

Files

memory/2244-0-0x00000000744D0000-0x0000000074BBE000-memory.dmp

memory/2244-1-0x0000000000B00000-0x0000000001294000-memory.dmp

memory/2244-2-0x0000000000420000-0x0000000000460000-memory.dmp

memory/2244-3-0x0000000005420000-0x0000000005BAA000-memory.dmp

memory/2284-4-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-6-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-8-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-10-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-12-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-13-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-14-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2284-17-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-19-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-20-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2244-21-0x00000000744D0000-0x0000000074BBE000-memory.dmp

memory/2284-24-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-25-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-26-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-27-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-28-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-29-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-30-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-31-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-32-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-34-0x00000000003E0000-0x00000000003EA000-memory.dmp

memory/2284-33-0x00000000003E0000-0x00000000003EA000-memory.dmp

memory/2284-35-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-36-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-37-0x0000000000400000-0x00000000007CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\hope\hope.exe

MD5 9f42c993b0f9560fce2ac89d5b823b3b
SHA1 7c3ae9d0a92335ec5076490af4544a071d69c6d4
SHA256 3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943
SHA512 867eaa8455f4314e355241374b0eb80bcc7d6f932330e82c0a18a8e79caba014f35621c2bc0e345d294eb95bcecfcfed7652b058c88ae52ebfa82436cc59d379

C:\Users\Admin\AppData\Roaming\hope\hope.exe

MD5 9f42c993b0f9560fce2ac89d5b823b3b
SHA1 7c3ae9d0a92335ec5076490af4544a071d69c6d4
SHA256 3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943
SHA512 867eaa8455f4314e355241374b0eb80bcc7d6f932330e82c0a18a8e79caba014f35621c2bc0e345d294eb95bcecfcfed7652b058c88ae52ebfa82436cc59d379

memory/3056-41-0x0000000073EA0000-0x000000007458E000-memory.dmp

memory/3056-42-0x0000000000910000-0x00000000010A4000-memory.dmp

memory/2284-43-0x00000000003E0000-0x00000000003EA000-memory.dmp

memory/3056-44-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

memory/324-54-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Roaming\hope\hope.exe

MD5 9f42c993b0f9560fce2ac89d5b823b3b
SHA1 7c3ae9d0a92335ec5076490af4544a071d69c6d4
SHA256 3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943
SHA512 867eaa8455f4314e355241374b0eb80bcc7d6f932330e82c0a18a8e79caba014f35621c2bc0e345d294eb95bcecfcfed7652b058c88ae52ebfa82436cc59d379

memory/3056-60-0x0000000073EA0000-0x000000007458E000-memory.dmp

memory/2284-63-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-64-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-66-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-67-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/324-69-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/324-71-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-72-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-73-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-74-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-75-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-76-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-77-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-78-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-79-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-80-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2284-81-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1644-99-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/1644-147-0x0000000000400000-0x00000000008DC000-memory.dmp

C:\Users\Admin\AppData\Local\f9be9104\plg\YOjGfKjW.json

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Roaming\hope\hope.exe

MD5 9f42c993b0f9560fce2ac89d5b823b3b
SHA1 7c3ae9d0a92335ec5076490af4544a071d69c6d4
SHA256 3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943
SHA512 867eaa8455f4314e355241374b0eb80bcc7d6f932330e82c0a18a8e79caba014f35621c2bc0e345d294eb95bcecfcfed7652b058c88ae52ebfa82436cc59d379

memory/1332-165-0x0000000073E20000-0x000000007450E000-memory.dmp

memory/1332-166-0x0000000000090000-0x0000000000824000-memory.dmp

memory/1332-167-0x0000000004F80000-0x0000000004FC0000-memory.dmp

C:\Users\Admin\AppData\Roaming\hope\hope.exe

MD5 9f42c993b0f9560fce2ac89d5b823b3b
SHA1 7c3ae9d0a92335ec5076490af4544a071d69c6d4
SHA256 3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943
SHA512 867eaa8455f4314e355241374b0eb80bcc7d6f932330e82c0a18a8e79caba014f35621c2bc0e345d294eb95bcecfcfed7652b058c88ae52ebfa82436cc59d379

memory/1332-180-0x0000000073E20000-0x000000007450E000-memory.dmp

C:\Users\Admin\AppData\Roaming\hope\hope.exe

MD5 9f42c993b0f9560fce2ac89d5b823b3b
SHA1 7c3ae9d0a92335ec5076490af4544a071d69c6d4
SHA256 3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943
SHA512 867eaa8455f4314e355241374b0eb80bcc7d6f932330e82c0a18a8e79caba014f35621c2bc0e345d294eb95bcecfcfed7652b058c88ae52ebfa82436cc59d379

memory/2728-214-0x0000000073E50000-0x000000007453E000-memory.dmp

memory/2728-215-0x0000000000E50000-0x00000000015E4000-memory.dmp

memory/2728-216-0x0000000000CD0000-0x0000000000D10000-memory.dmp

C:\Users\Admin\AppData\Roaming\hope\hope.exe

MD5 9f42c993b0f9560fce2ac89d5b823b3b
SHA1 7c3ae9d0a92335ec5076490af4544a071d69c6d4
SHA256 3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943
SHA512 867eaa8455f4314e355241374b0eb80bcc7d6f932330e82c0a18a8e79caba014f35621c2bc0e345d294eb95bcecfcfed7652b058c88ae52ebfa82436cc59d379

memory/2728-234-0x0000000073E50000-0x000000007453E000-memory.dmp

memory/2308-237-0x0000000000400000-0x00000000007CE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted:        2023-09-18 18:22
Reported:         2023-09-18 18:25
Platform:         win10v2004-20230915-en
Max time kernel:  21s
Max time network: 76s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe"

Signatures

BitRAT

Tags: trojan bitrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\hope\hope.exe | N/A

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Identical rows are collapsed; Count is the number of times the sandbox reported the row.

Description | Indicator | Process | Target | Count
PID 4908 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe | 11
PID 4908 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 4908 wrote to memory of 4156 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 4908 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 4156 wrote to memory of 580 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe | 3

Processes

Each entry gives the process image path followed, indented, by its command line.

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe"

C:\Windows\SysWOW64\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\hope"

C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.16516.30497_JC.exe" "C:\Users\Admin\AppData\Roaming\hope\hope.exe"

C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hope\hope.exe'" /f

C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hope\hope.exe'" /f

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4856 -ip 4856

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 188

C:\Users\Admin\AppData\Roaming\hope\hope.exe
    C:\Users\Admin\AppData\Roaming\hope\hope.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp

Files

memory/4908-0-0x0000000074D50000-0x0000000075500000-memory.dmp

memory/4908-1-0x0000000000830000-0x0000000000FC4000-memory.dmp

memory/4908-2-0x0000000005D60000-0x0000000006304000-memory.dmp

memory/4908-3-0x00000000057A0000-0x00000000057B0000-memory.dmp

memory/4908-4-0x0000000007310000-0x0000000007A9A000-memory.dmp

memory/4856-6-0x0000000001300000-0x00000000016CE000-memory.dmp

memory/4856-10-0x0000000001300000-0x00000000016CE000-memory.dmp

memory/4908-14-0x0000000074D50000-0x0000000075500000-memory.dmp

memory/4856-16-0x0000000001300000-0x00000000016CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\hope\hope.exe

MD5 9f42c993b0f9560fce2ac89d5b823b3b
SHA1 7c3ae9d0a92335ec5076490af4544a071d69c6d4
SHA256 3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943
SHA512 867eaa8455f4314e355241374b0eb80bcc7d6f932330e82c0a18a8e79caba014f35621c2bc0e345d294eb95bcecfcfed7652b058c88ae52ebfa82436cc59d379

C:\Users\Admin\AppData\Roaming\hope\hope.exe

MD5 9f42c993b0f9560fce2ac89d5b823b3b
SHA1 7c3ae9d0a92335ec5076490af4544a071d69c6d4
SHA256 3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943
SHA512 867eaa8455f4314e355241374b0eb80bcc7d6f932330e82c0a18a8e79caba014f35621c2bc0e345d294eb95bcecfcfed7652b058c88ae52ebfa82436cc59d379

memory/1140-21-0x0000000074D50000-0x0000000075500000-memory.dmp