Malware Analysis Report

2025-01-03 05:03

Sample ID 231226-x4dk5afgg2
Target 8833a73cf9b3284a719dff6a8f59f734
SHA256 e48521f8257aa45c2572c48fd198a1dea0aaaa940a9fa32c0191a6c791096805
Tags bitrat agilenet persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 e48521f8257aa45c2572c48fd198a1dea0aaaa940a9fa32c0191a6c791096805

Threat Level: Known bad

The file 8833a73cf9b3284a719dff6a8f59f734 was found to be: Known bad.

Malicious Activity Summary

bitrat agilenet persistence trojan

BitRAT

Drops startup file

Obfuscated with Agile.Net obfuscator

Adds Run key to start application

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-26 19:24

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-26 19:24

Reported

2024-01-07 01:54

Platform

win7-20231215-en

Max time kernel

122s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8833a73cf9b3284a719dff6a8f59f734.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8833a73cf9b3284a719dff6a8f59f734.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8833a73cf9b3284a719dff6a8f59f734.exe

"C:\Users\Admin\AppData\Local\Temp\8833a73cf9b3284a719dff6a8f59f734.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
GB 142.250.200.4:443 www.google.com tcp
US 92.123.128.181:443 www.bing.com tcp
GB 142.250.200.4:443 www.google.com tcp
US 92.123.128.181:443 www.bing.com tcp

Files

memory/1648-0-0x0000000074BE0000-0x00000000752CE000-memory.dmp

memory/1648-1-0x0000000001060000-0x00000000016DC000-memory.dmp

memory/1648-2-0x0000000005250000-0x0000000005290000-memory.dmp

memory/1648-3-0x0000000074BE0000-0x00000000752CE000-memory.dmp

memory/1648-4-0x0000000005250000-0x0000000005290000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-26 19:24

Reported

2024-01-07 01:53

Platform

win10v2004-20231222-en

Max time kernel

45s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8833a73cf9b3284a719dff6a8f59f734.exe"

Signatures

BitRAT

trojan bitrat

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jgffghjhgffghjgfd.exe | C:\Users\Admin\AppData\Local\Temp\8833a73cf9b3284a719dff6a8f59f734.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jgffghjhgffghjgfd.exe | C:\Users\Admin\AppData\Local\Temp\8833a73cf9b3284a719dff6a8f59f734.exe | N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggfjgfguytdffdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jgffghjhgffghjgfd.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8833a73cf9b3284a719dff6a8f59f734.exe | N/A | 25

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8833a73cf9b3284a719dff6a8f59f734.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8833a73cf9b3284a719dff6a8f59f734.exe

"C:\Users\Admin\AppData\Local\Temp\8833a73cf9b3284a719dff6a8f59f734.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ggfjgfguytdffdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jgffghjhgffghjgfd.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ggfjgfguytdffdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jgffghjhgffghjgfd.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jgffghjhgffghjgfd.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jgffghjhgffghjgfd.exe"

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
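A triage helper for the persistence artefacts recorded above (the Run value written through reg.exe and the executable dropped into the Startup folder). It is an added example, not part of the sandbox report or the sandbox's own signature logic. The event layout (kind/image/cmdline/key/data/path) is an assumption, and the sample events are constructed from the behavioral2 rows plus one benign control that a Run-key-only rule would wrongly flag.

```python
import re

# Added triage helper; it is not part of the sandbox report. It scores
# autorun artefacts of the kind behavioral2 recorded: a Run value written
# through reg.exe and an executable dropped into the Startup folder. The
# event layout (kind/image/cmdline/key/data/path) is an assumption, and
# SAMPLE_EVENTS is constructed from the report's rows plus one benign control.

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?(\\|$)", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Locations an unprivileged interactive user can write to.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Users\\Public|ProgramData)\\", re.I)
# REG ADD <key> ... /v <name> ... /d <data>, quoted or not; anchored on the
# REG verb so it also matches when wrapped in cmd.exe /c.
REG_ADD_RE = re.compile(
    r'\bREG(?:\.exe)?\s+ADD\s+"?(?P<key>[^"\s]+)"?'
    r'.*?/v\s+"?(?P<name>[^"\s]+)"?'
    r'.*?/d\s+(?:"(?P<dq>[^"]*)"|(?P<du>\S+))',
    re.I,
)

def parse_reg_add(cmdline):
    """Return {key, name, data} from a REG ADD command line, or None."""
    m = REG_ADD_RE.search(cmdline)
    if not m:
        return None
    data = m.group("dq") if m.group("dq") is not None else m.group("du")
    return {"key": m.group("key"), "name": m.group("name"), "data": data}

def score_autorun(key, data):
    """List the reasons a registry value looks like user-level persistence."""
    reasons = []
    if RUN_KEY_RE.search(key):
        reasons.append("run_key")
    if STARTUP_RE.search(data):
        reasons.append("target_in_startup_folder")
    elif USER_WRITABLE_RE.search(data):
        reasons.append("target_in_user_writable_path")
    return reasons

def is_suspicious(reasons):
    # A Run value by itself is routine (updaters, tray apps); what separates
    # this sample from a vendor installer is where the value points.
    return bool(reasons) and reasons != ["run_key"]

def triage(events):
    """Walk sandbox/EDR-style events and return persistence findings in order."""
    findings = []
    for ev in events:
        if ev["kind"] == "process":
            parsed = parse_reg_add(ev["cmdline"])
            if parsed is None:
                continue
            reasons = score_autorun(parsed["key"], parsed["data"])
            if is_suspicious(reasons):
                findings.append({"source": "cmdline", "image": ev["image"],
                                 "value": parsed["name"], "target": parsed["data"],
                                 "reasons": reasons})
        elif ev["kind"] == "registry":
            reasons = score_autorun(ev["key"], ev["data"])
            if is_suspicious(reasons):
                findings.append({"source": "registry", "image": ev["image"],
                                 "value": ev["key"].rsplit("\\", 1)[-1],
                                 "target": ev["data"], "reasons": reasons})
        elif ev["kind"] == "file" and STARTUP_RE.search(ev["path"]):
            # An executable in the Startup folder runs at logon on its own,
            # with or without the Run value.
            findings.append({"source": "file", "image": ev["image"], "value": None,
                             "target": ev["path"], "reasons": ["dropped_in_startup_folder"]})
    return findings

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\8833a73cf9b3284a719dff6a8f59f734.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jgffghjhgffghjgfd.exe"

SAMPLE_EVENTS = [  # constructed from the behavioral2 rows
    {"kind": "file", "image": DROPPER, "path": STARTUP_EXE},
    {"kind": "process", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"cmd.exe" /c REG ADD "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
                '/f /v "ggfjgfguytdffdf" /t REG_SZ /d "' + STARTUP_EXE + '"'},
    {"kind": "registry", "image": r"C:\Windows\SysWOW64\reg.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000"
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggfjgfguytdffdf",
     "data": STARTUP_EXE},
    # Benign control (constructed): a vendor updater registered under Program Files.
    {"kind": "registry", "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "data": r"C:\Program Files\Vendor\update.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['source']:8} {f['image']}\n    -> {f['target']}  {f['reasons']}")
```

The same reg.exe command line is seen twice in the process list (once as the cmd.exe /c wrapper, once as the reg.exe child), so a detection keyed on command-line text will fire twice for one persistence action; keying on the resulting registry value, as the third sample event does, gives one finding per value written.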

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 4.200.250.142.in-addr.arpa udp
US 92.123.128.167:443 www.bing.com tcp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 92.123.128.167:443 www.bing.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 snkno.duckdns.org udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 snkno.duckdns.org udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 24.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 snkno.duckdns.org udp
US 8.8.8.8:53 snkno.duckdns.org udp
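Most of the table above is sandbox background noise: reverse (in-addr.arpa) lookups the host issues for every address it sees, and Google/Bing traffic from the Windows image itself. The helper below, added here as an example and not part of the report, filters a network table down to the rows that describe the sample and flags names under free dynamic-DNS providers. The rows are a subset copied from behavioral2 and embedded as constructed input; the benign and dynamic-DNS suffix lists are assumptions to be tuned per environment.

```python
# Added triage helper, not part of the sandbox report. It reduces a sandbox
# network table to the rows worth keeping: reverse (PTR) lookups the sandbox
# host generates are dropped, well-known Microsoft and Google background
# traffic is dropped, and names under free dynamic-DNS providers are flagged.
# NETWORK_ROWS is a subset of the behavioral2 table, embedded as constructed
# input; the two suffix lists are assumptions.

NETWORK_ROWS = """\
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 92.123.128.167:443 www.bing.com tcp
US 8.8.8.8:53 snkno.duckdns.org udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 snkno.duckdns.org udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 snkno.duckdns.org udp
US 8.8.8.8:53 snkno.duckdns.org udp
"""

# Background traffic of the sandbox image itself; says nothing about the sample.
BENIGN_SUFFIXES = ("google.com", "bing.com", "bing.net", "microsoft.com",
                   "windowsupdate.com", "msftncsi.com")
# Free dynamic-DNS providers that commodity RATs habitually use for C2 hostnames.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org", "zapto.org")


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def has_suffix(domain, suffixes):
    """True if domain equals one of the suffixes or is a subdomain of one."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in suffixes)


def triage_network(text):
    """Return ({domain: summary}, dropped_row_count)."""
    indicators = {}
    dropped = 0
    for row in parse_rows(text):
        domain = row["domain"]
        if has_suffix(domain, ("in-addr.arpa", "ip6.arpa")) or has_suffix(domain, BENIGN_SUFFIXES):
            dropped += 1
            continue
        entry = indicators.setdefault(domain, {
            "dns_queries": 0,
            "connections": [],  # (ip, port, proto) rows that follow a lookup
            "dyndns": has_suffix(domain, DYNDNS_SUFFIXES),
        })
        if row["port"] == 53 and row["proto"] == "udp":
            entry["dns_queries"] += 1
        else:
            entry["connections"].append((row["ip"], row["port"], row["proto"]))
    return indicators, dropped


if __name__ == "__main__":
    kept, dropped = triage_network(NETWORK_ROWS)
    print(f"dropped {dropped} noise rows")
    for domain, info in kept.items():
        flag = " [dynamic DNS]" if info["dyndns"] else ""
        print(f"{domain}{flag}: {info['dns_queries']} lookups, "
              f"{len(info['connections'])} connections")
```

Run over the full behavioral2 table the only name that survives is snkno.duckdns.org, queried four times with no TCP row behind it: the table records no connection to any non-Google/Bing address during the 149 s network window, so no session to that host was captured in this detonation.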

Files

memory/4584-1-0x0000000000B60000-0x00000000011DC000-memory.dmp

memory/4584-0-0x00000000748D0000-0x0000000075080000-memory.dmp

memory/4584-2-0x0000000005B70000-0x0000000005C0C000-memory.dmp

memory/4584-3-0x0000000006300000-0x00000000068A4000-memory.dmp

memory/4584-5-0x0000000005DF0000-0x0000000006144000-memory.dmp

memory/4584-4-0x0000000005D50000-0x0000000005DE2000-memory.dmp

memory/4584-6-0x00000000062D0000-0x00000000062E0000-memory.dmp

memory/4584-7-0x0000000007620000-0x0000000007648000-memory.dmp

memory/4584-9-0x00000000076A0000-0x00000000076C2000-memory.dmp

memory/4584-8-0x00000000076E0000-0x0000000007746000-memory.dmp

memory/4584-10-0x00000000062D0000-0x00000000062E0000-memory.dmp

memory/4584-11-0x00000000748D0000-0x0000000075080000-memory.dmp

memory/4584-12-0x00000000062D0000-0x00000000062E0000-memory.dmp

memory/4584-13-0x00000000062D0000-0x00000000062E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jgffghjhgffghjgfd.exe

MD5 7553a6fc35539a2dd1ce0e1baec5b1c9
SHA1 ae3ffcbf5eec57b33b28fe4d778626deebc8f2e2
SHA256 1093c4318dbd26a67567a54a2a7447f64750a4911b35de80df6f6ffa14f01482
SHA512 a7e9a04f615e6c61d8675de45f650d564eda5a79aecbe227d2bc8bf2a5a2a5b1f6800fb6779f0dba1bc5bbe3711d8999d4fbd98e05c337eebdb6c7ba2de6e96b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jgffghjhgffghjgfd.exe

MD5 4082db30008af14669372285b353b42e
SHA1 c4f2ff679aaf58fed0225720a74fb81a0ff4e04e
SHA256 b8f4d8a2c50a06b4af7b8d608d7de68b04ccd8a58c8c13960a393913ff1fd8ec
SHA512 e5e068089fafde14ef794623cc5e691c8ce935af86ba9018347a9f08616e6296665cac40c5a5ea0cf735278f451f0eecfec4285c96c9e574b79099c0e0a564c7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jgffghjhgffghjgfd.exe

MD5 47107f9c8c9cba3b6fae857e9a063e27
SHA1 6f2460a2feef09c19441f789b9970a30653772fa
SHA256 4b2c2035d9cbfe00e1ce109bb93ab8b280d4ad87f40c308b31399a8b66cd143f
SHA512 6bf83d68bc8634290fc06809827267a4b183dd439f5641cf00f635979670aa1c78b50f8a303ce3173b9f54c737264d27b567c5eeb1cdbd9433b082d37c8e9f0d

memory/4024-28-0x00000000748D0000-0x0000000075080000-memory.dmp

memory/4584-27-0x00000000748D0000-0x0000000075080000-memory.dmp

memory/4024-29-0x00000000054F0000-0x0000000005500000-memory.dmp

memory/4024-30-0x00000000054F0000-0x0000000005500000-memory.dmp

memory/4024-31-0x00000000748D0000-0x0000000075080000-memory.dmp

memory/4024-32-0x00000000054F0000-0x0000000005500000-memory.dmp

memory/4024-33-0x00000000054F0000-0x0000000005500000-memory.dmp

memory/4024-34-0x0000000004F10000-0x0000000004F24000-memory.dmp

memory/4024-35-0x0000000004F20000-0x0000000004F26000-memory.dmp

memory/3712-37-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3712-40-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3712-41-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3712-39-0x0000000000400000-0x00000000007CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5 9827ff3cdf4b83f9c86354606736ca9c
SHA1 e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723
SHA256 c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a
SHA512 8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

memory/3712-42-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3712-43-0x0000000070320000-0x0000000070359000-memory.dmp

memory/3712-44-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3712-47-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3712-50-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3712-51-0x0000000070240000-0x0000000070279000-memory.dmp

memory/3712-49-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3712-48-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3712-46-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3712-45-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3712-52-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3712-54-0x0000000070240000-0x0000000070279000-memory.dmp

memory/3712-53-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3712-55-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3712-57-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3712-58-0x0000000070240000-0x0000000070279000-memory.dmp

memory/3712-56-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3712-60-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3712-61-0x0000000070240000-0x0000000070279000-memory.dmp

memory/3712-59-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3712-64-0x0000000070240000-0x0000000070279000-memory.dmp

memory/3712-63-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/3712-62-0x0000000000400000-0x00000000007CE000-memory.dmp
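The memory dump names above encode the PID, a sequence number and the dumped address range (memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp). The helper below, added here as an example and not part of the report, parses those names, groups regions per PID and ranks them by how often they were dumped, so an analyst knows which dump to carve first. The names are a subset copied from the behavioral2 file list and embedded as constructed input; the sandbox's own naming scheme is inferred from those names.

```python
import re
from collections import defaultdict

# Added example, not part of the report: parses sandbox memory-dump names
# (memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp), groups them per PID and
# ranks regions by dump count, then size. DUMP_NAMES is a subset of the
# behavioral2 file list, embedded here as constructed input.

DUMP_NAMES = """\
memory/4584-0-0x00000000748D0000-0x0000000075080000-memory.dmp
memory/4584-1-0x0000000000B60000-0x00000000011DC000-memory.dmp
memory/4024-28-0x00000000748D0000-0x0000000075080000-memory.dmp
memory/4024-34-0x0000000004F10000-0x0000000004F24000-memory.dmp
memory/3712-37-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/3712-39-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/3712-40-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/3712-43-0x0000000070320000-0x0000000070359000-memory.dmp
memory/3712-51-0x0000000070240000-0x0000000070279000-memory.dmp
"""

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# Default image base of a 32-bit PE; a region starting here is the process
# image itself rather than a heap, a stack or a loaded DLL.
DEFAULT_IMAGE_BASE = 0x400000


def parse_dumps(text):
    """Return (pid, seq, start, end) tuples for every well-formed dump name."""
    dumps = []
    for line in text.splitlines():
        m = DUMP_RE.fullmatch(line.strip())
        if m:
            dumps.append((int(m["pid"]), int(m["seq"]),
                          int(m["start"], 16), int(m["end"], 16)))
    return dumps


def regions_by_pid(dumps):
    """{pid: {(start, end): {"size": bytes, "dumps": count, "seqs": [...]}}}"""
    per_pid = defaultdict(dict)
    for pid, seq, start, end in dumps:
        region = per_pid[pid].setdefault((start, end),
                                         {"size": end - start, "dumps": 0, "seqs": []})
        region["dumps"] += 1
        region["seqs"].append(seq)
    return per_pid


def rank_regions(per_pid):
    """Most-dumped regions first, then largest; ties broken by PID."""
    rows = []
    for pid, regions in per_pid.items():
        for (start, end), info in regions.items():
            rows.append({"pid": pid, "start": start, "end": end, "size": info["size"],
                         "dumps": info["dumps"], "image_base": start == DEFAULT_IMAGE_BASE})
    rows.sort(key=lambda r: (-r["dumps"], -r["size"], r["pid"]))
    return rows


if __name__ == "__main__":
    for r in rank_regions(regions_by_pid(parse_dumps(DUMP_NAMES))):
        note = "  (default image base)" if r["image_base"] else ""
        print(f"pid {r['pid']:>5}  0x{r['start']:08X}-0x{r['end']:08X}  "
              f"{r['size'] // 1024:6d} KiB  dumped {r['dumps']}x{note}")
```

On the full list, PID 3712 (the AddInProcess32.exe spawned last in the process tree) has the 0x00400000-0x007CE000 region dumped 21 times, far more than any region of the dropper (4584) or the Startup-folder copy (4024); a region at the default 32-bit image base that keeps changing is the first dump to pull for static analysis.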