Malware Analysis Report

2025-01-03 05:28

Sample ID 230918-xcxjxsca3z
Target SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe
SHA256 925329eac4d8dfc71dfd0d222e935b31fb340bbb70367c7abf6553d921b64e55
Tags bitrat xenarmor collection password recovery spyware stealer trojan upx
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10
SHA256 925329eac4d8dfc71dfd0d222e935b31fb340bbb70367c7abf6553d921b64e55
Threat Level: Known bad

The file SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe was found to be: Known bad.

Malicious Activity Summary

Tags bitrat xenarmor collection password recovery spyware stealer trojan upx

BitRAT
XenArmor Suite
Reads data files stored by FTP clients
Reads local data of messenger clients
UPX packed file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
ACProtect 1.3x - 1.4x DLL software
Accesses Microsoft Outlook accounts
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-09-18 18:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-09-18 18:43
Reported 2023-09-18 18:45
Platform win7-20230831-en
Max time kernel 149s
Max time network 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe"

Signatures

BitRAT

trojan bitrat

XenArmor Suite

recovery password xenarmor

ACProtect 1.3x - 1.4x DLL software

Count Description Indicator Process Target
2 N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Count Description Indicator Process Target
9 N/A N/A N/A N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe N/A

Creates scheduled task(s)

persistence
Count Description Indicator Process Target
3 N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe N/A

Suspicious use of AdjustPrivilegeToken

Count Description Indicator Process Target
2 Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe N/A
1 Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe N/A
2 Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\uno\uno.exe N/A
2 Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\uno\uno.exe N/A

Suspicious use of WriteProcessMemory

Count Description Indicator Process Target
12 PID 2092 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe
4 PID 2092 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe C:\Windows\SysWOW64\cmd.exe
4 PID 2092 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe C:\Windows\SysWOW64\cmd.exe
4 PID 2092 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe C:\Windows\SysWOW64\cmd.exe
4 PID 2712 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
8 PID 2916 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe
8 PID 2856 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe
4 PID 568 wrote to memory of 2404 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\uno\uno.exe
12 PID 2404 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Roaming\uno\uno.exe C:\Users\Admin\AppData\Roaming\uno\uno.exe
4 PID 2404 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\uno\uno.exe C:\Windows\SysWOW64\cmd.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe"

Process: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe"

Process: C:\Windows\SysWOW64\cmd.exe
Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\uno"

Process: C:\Windows\SysWOW64\cmd.exe
Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\uno\uno.exe'" /f

Process: C:\Windows\SysWOW64\cmd.exe
Command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe" "C:\Users\Admin\AppData\Roaming\uno\uno.exe"

Process: C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\uno\uno.exe'" /f

Process: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe
Command line: -a "C:\Users\Admin\AppData\Local\f9be9104\plg\L8gHwOZy.json"

Process: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe
Command line: -a "C:\Users\Admin\AppData\Local\Temp\unk.xml"

Process: C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {E4164597-03C6-489A-BD4F-A8FAE0EB0150} S-1-5-21-3513876443-2771975297-1923446376-1000:GPFFWLPI\Admin:Interactive:[1]

Process: C:\Users\Admin\AppData\Roaming\uno\uno.exe
Command line: C:\Users\Admin\AppData\Roaming\uno\uno.exe

Process: C:\Users\Admin\AppData\Roaming\uno\uno.exe
Command line: "C:\Users\Admin\AppData\Roaming\uno\uno.exe"

Process: C:\Windows\SysWOW64\cmd.exe
Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\uno"

Process: C:\Windows\SysWOW64\cmd.exe
Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\uno\uno.exe'" /f

Process: C:\Windows\SysWOW64\cmd.exe
Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\uno\uno.exe" "C:\Users\Admin\AppData\Roaming\uno\uno.exe"

Process: C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\uno\uno.exe'" /f

Process: C:\Users\Admin\AppData\Roaming\uno\uno.exe
Command line: C:\Users\Admin\AppData\Roaming\uno\uno.exe

Process: C:\Users\Admin\AppData\Roaming\uno\uno.exe
Command line: "C:\Users\Admin\AppData\Roaming\uno\uno.exe"

Process: C:\Windows\SysWOW64\cmd.exe
Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\uno"

Process: C:\Windows\SysWOW64\cmd.exe
Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\uno\uno.exe'" /f

Process: C:\Windows\SysWOW64\cmd.exe
Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\uno\uno.exe" "C:\Users\Admin\AppData\Roaming\uno\uno.exe"

Process: C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\uno\uno.exe'" /f

Network

Count Country Destination Domain Proto
3 NL 185.225.75.68:3569 tcp
1 US 8.8.8.8:53 www.xenarmor.com udp
1 US 69.64.94.128:80 www.xenarmor.com tcp

Files

memory/2092-0-0x0000000074320000-0x0000000074A0E000-memory.dmp

memory/2092-1-0x0000000001170000-0x000000000190C000-memory.dmp

memory/2092-2-0x0000000000D40000-0x0000000000D80000-memory.dmp

memory/2092-3-0x0000000006C10000-0x000000000739A000-memory.dmp

memory/2916-4-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-5-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-6-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-8-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-9-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-10-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-11-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2916-14-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-16-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2092-19-0x0000000074320000-0x0000000074A0E000-memory.dmp

memory/2916-20-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-21-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-22-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-23-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-24-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-25-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-26-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-27-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-28-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-29-0x00000000001C0000-0x00000000001CA000-memory.dmp

memory/2916-30-0x00000000001C0000-0x00000000001CA000-memory.dmp

memory/2916-31-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-32-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-33-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-34-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-35-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-37-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-36-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-40-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-41-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-42-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-43-0x00000000001C0000-0x00000000001CA000-memory.dmp

memory/2916-44-0x00000000001C0000-0x00000000001CA000-memory.dmp

memory/2916-45-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-46-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-47-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-48-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-49-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-50-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2916-51-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2856-54-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/2856-56-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/2856-58-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/2856-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2856-62-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/2916-64-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/2856-65-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/2856-67-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/2856-69-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/2856-68-0x0000000000400000-0x00000000008DC000-memory.dmp

memory/888-93-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/888-95-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/888-97-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/888-105-0x0000000000400000-0x00000000006FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Unknown.dll

MD5 86114faba7e1ec4a667d2bcb2e23f024
SHA1 670df6e1ba1dc6bece046e8b2e573dd36748245e
SHA256 568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d
SHA512 d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

\Users\Admin\AppData\Local\Temp\Unknown.dll

MD5 86114faba7e1ec4a667d2bcb2e23f024
SHA1 670df6e1ba1dc6bece046e8b2e573dd36748245e
SHA256 568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d
SHA512 d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

memory/888-110-0x0000000010000000-0x0000000010227000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\License.XenArmor

MD5 4f3bde9212e17ef18226866d6ac739b6
SHA1 732733bec8314beb81437e60876ffa75e72ae6cd
SHA256 212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174
SHA512 10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

memory/888-122-0x0000000000400000-0x00000000006FE000-memory.dmp

memory/888-123-0x0000000010000000-0x0000000010227000-memory.dmp

memory/2856-125-0x0000000000400000-0x00000000008DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\unk.xml

MD5 67efe59fbf8aaf3e8de7d67dab21c2a7
SHA1 0869d3ea3b16639ed4a0803acea1c476e199b16c
SHA256 63ca5c5c3cf4be4765115926225c060d89ef54d6f6fc3ec284cb3ecb398b0cb1
SHA512 75f162ff2cc23dd7df018109264f157727fdecc869e3f493e4d0bed26b4429ab00fc9724a5ea420488ba1b4b102a07992357c0d3567c7acea6dd5333cd8cebbb

C:\Users\Admin\AppData\Local\Temp\License.XenArmor

MD5 bf5da170f7c9a8eae88d1cb1a191ff80
SHA1 dd1b991a1b03587a5d1edc94e919a2070e325610
SHA256 e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd
SHA512 9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

memory/2856-150-0x0000000000400000-0x00000000008DC000-memory.dmp

C:\Users\Admin\AppData\Roaming\uno\uno.exe

MD5 1c9f3c0258e923c07e1943498c789a3d
SHA1 e908faaa5eff19c6b653241253ecc6f28c83f436
SHA256 925329eac4d8dfc71dfd0d222e935b31fb340bbb70367c7abf6553d921b64e55
SHA512 92c16e56ae3d830e2110f97159d6f19fbf91b8bc56d29be207a0da12bd388a0fe68dd13c63dba5266d7d48be9f423d75c1e1e3ec16e6ad1458940f0bb0d0cb0b

memory/2404-153-0x0000000073C80000-0x000000007436E000-memory.dmp

C:\Users\Admin\AppData\Local\f9be9104\plg\L8gHwOZy.json

MD5 67efe59fbf8aaf3e8de7d67dab21c2a7
SHA1 0869d3ea3b16639ed4a0803acea1c476e199b16c
SHA256 63ca5c5c3cf4be4765115926225c060d89ef54d6f6fc3ec284cb3ecb398b0cb1
SHA512 75f162ff2cc23dd7df018109264f157727fdecc869e3f493e4d0bed26b4429ab00fc9724a5ea420488ba1b4b102a07992357c0d3567c7acea6dd5333cd8cebbb

memory/2404-158-0x0000000000A60000-0x00000000011FC000-memory.dmp

memory/2404-159-0x00000000052D0000-0x0000000005310000-memory.dmp

C:\Users\Admin\AppData\Roaming\uno\uno.exe

MD5 1c9f3c0258e923c07e1943498c789a3d
SHA1 e908faaa5eff19c6b653241253ecc6f28c83f436
SHA256 925329eac4d8dfc71dfd0d222e935b31fb340bbb70367c7abf6553d921b64e55
SHA512 92c16e56ae3d830e2110f97159d6f19fbf91b8bc56d29be207a0da12bd388a0fe68dd13c63dba5266d7d48be9f423d75c1e1e3ec16e6ad1458940f0bb0d0cb0b

memory/2404-177-0x0000000073C80000-0x000000007436E000-memory.dmp

memory/2424-182-0x0000000000400000-0x00000000007CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\uno\uno.exe

MD5 1c9f3c0258e923c07e1943498c789a3d
SHA1 e908faaa5eff19c6b653241253ecc6f28c83f436
SHA256 925329eac4d8dfc71dfd0d222e935b31fb340bbb70367c7abf6553d921b64e55
SHA512 92c16e56ae3d830e2110f97159d6f19fbf91b8bc56d29be207a0da12bd388a0fe68dd13c63dba5266d7d48be9f423d75c1e1e3ec16e6ad1458940f0bb0d0cb0b

memory/2588-206-0x0000000073C30000-0x000000007431E000-memory.dmp

memory/2588-207-0x0000000001090000-0x000000000182C000-memory.dmp

memory/2588-208-0x0000000000EF0000-0x0000000000F30000-memory.dmp

C:\Users\Admin\AppData\Roaming\uno\uno.exe

MD5 1c9f3c0258e923c07e1943498c789a3d
SHA1 e908faaa5eff19c6b653241253ecc6f28c83f436
SHA256 925329eac4d8dfc71dfd0d222e935b31fb340bbb70367c7abf6553d921b64e55
SHA512 92c16e56ae3d830e2110f97159d6f19fbf91b8bc56d29be207a0da12bd388a0fe68dd13c63dba5266d7d48be9f423d75c1e1e3ec16e6ad1458940f0bb0d0cb0b

memory/2588-220-0x0000000073C30000-0x000000007431E000-memory.dmp

memory/1600-227-0x0000000000400000-0x00000000007CE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-09-18 18:43
Reported 2023-09-18 18:45
Platform win10v2004-20230915-en
Max time kernel 48s
Max time network 79s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe"

Signatures

BitRAT

trojan bitrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\uno\uno.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2300 set thread context of 4700 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Count Description Indicator Process Target
11 PID 2300 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe
3 PID 2300 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe C:\Windows\SysWOW64\cmd.exe
3 PID 2300 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe C:\Windows\SysWOW64\cmd.exe
3 PID 2300 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe C:\Windows\SysWOW64\cmd.exe
3 PID 3792 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe"

Process: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe"

Process: C:\Windows\SysWOW64\cmd.exe
Command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6182.9511.exe" "C:\Users\Admin\AppData\Roaming\uno\uno.exe"

Process: C:\Windows\SysWOW64\cmd.exe
Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\uno\uno.exe'" /f

Process: C:\Windows\SysWOW64\cmd.exe
Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\uno"

Process: C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\uno\uno.exe'" /f

Process: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4700 -ip 4700

Process: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 188

Process: C:\Users\Admin\AppData\Roaming\uno\uno.exe
Command line: C:\Users\Admin\AppData\Roaming\uno\uno.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 126.22.238.8.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp

Files

memory/2300-0-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/2300-1-0x0000000000210000-0x00000000009AC000-memory.dmp

memory/2300-2-0x0000000005AF0000-0x0000000006094000-memory.dmp

memory/2300-3-0x0000000005530000-0x0000000005540000-memory.dmp

memory/2300-4-0x00000000070A0000-0x000000000782A000-memory.dmp

memory/4700-5-0x0000000001180000-0x000000000154E000-memory.dmp

memory/4700-11-0x0000000001180000-0x000000000154E000-memory.dmp

memory/2300-10-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/4700-15-0x0000000001180000-0x000000000154E000-memory.dmp

C:\Users\Admin\AppData\Roaming\uno\uno.exe

MD5 aff8a2a49ab013f6fe6f7fe255dd31e7
SHA1 e8c5153c8acd5e0ea0efe79222626a5159d063cc
SHA256 c78e0c6cb34b5fc7ab5c1aabf69d42d7f07e37b1431552c4e7862d906bcdfe67
SHA512 1d324b260a52d4e6214148af169f9d035d16c588520342085157bb87baa1f1ec7512dfe995d3b970fb69c028f4a3aa9b45f9d87f65e1ceadf704c2ce70e17ae2

C:\Users\Admin\AppData\Roaming\uno\uno.exe

MD5 ea30ae25d165b226b698e564b95ee28e
SHA1 821a8ca0bdd5b214a1e3b7212e0dc67b2d9045ff
SHA256 21bbe55ad835118dc524e9beeb0ac8defc6d271d8173b78a5470614e8950e463
SHA512 e8ab8bf02c19020e0a20ddf174d42a8727ff5d40709b1ff5548bfde6ec62e497aa246dbf4d77d3c9f4e950413c7e0a5f80e42706c740a13c61fb5587fe06f68c

memory/4816-20-0x0000000074400000-0x0000000074BB0000-memory.dmp