bitrat | b16c4aa0a8ec4b2fc3c6f5323a3bb35f9c4d26c97aeaff4aa874507ffb3339e3

General

Target

PaymentSwift copy.exe
Size

3.4MB
MD5

83dd88ad8154ed07ee4bd902eb84eb2c
SHA1

d6c01ef92834da8a376b555eb9f6da469d3515fc
SHA256

b16c4aa0a8ec4b2fc3c6f5323a3bb35f9c4d26c97aeaff4aa874507ffb3339e3
SHA512

4064cce0cdc088b0e9611182e9a4e7d02fc01531498743458024ed40de78af6e9b827a14284627b9c33111e8bf5347e6378426b27a1c989fd8c90f294bdb1af9

Score

10^/10

bitrat persistence trojan

Malware Config

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

BitRAT Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2364-119-0x0000000000400000-0x00000000007CE000-memory.dmp	family_bitrat
behavioral2/memory/2364-120-0x0000000000689FA7-mapping.dmp	family_bitrat
behavioral2/memory/2364-121-0x0000000000400000-0x00000000007CE000-memory.dmp	family_bitrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PaymentSwift copy.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\okspeedwellxx = "\"C:\\Users\\Admin\\AppData\\Local\\okspeedwellxx.exe\""	PaymentSwift copy.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

PaymentSwift copy.exe

pid process

2364 PaymentSwift copy.exe
2364 PaymentSwift copy.exe
2364 PaymentSwift copy.exe
2364 PaymentSwift copy.exe
2364 PaymentSwift copy.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

PaymentSwift copy.exe

description pid process target process

PID 624 set thread context of 2364 624 PaymentSwift copy.exe PaymentSwift copy.exe

pid	process
2364	PaymentSwift copy.exe
2364	PaymentSwift copy.exe
2364	PaymentSwift copy.exe
2364	PaymentSwift copy.exe
2364	PaymentSwift copy.exe

description	pid	process	target process
PID 624 set thread context of 2364	624	PaymentSwift copy.exe	PaymentSwift copy.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

PaymentSwift copy.exe

pid	process
624	PaymentSwift copy.exe
624	PaymentSwift copy.exe
624	PaymentSwift copy.exe
624	PaymentSwift copy.exe
624	PaymentSwift copy.exe
624	PaymentSwift copy.exe
624	PaymentSwift copy.exe
624	PaymentSwift copy.exe
624	PaymentSwift copy.exe
624	PaymentSwift copy.exe
624	PaymentSwift copy.exe
624	PaymentSwift copy.exe
624	PaymentSwift copy.exe
624	PaymentSwift copy.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PaymentSwift copy.exePaymentSwift copy.exe

description pid process

Token: SeDebugPrivilege 624 PaymentSwift copy.exe
Token: SeShutdownPrivilege 2364 PaymentSwift copy.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

PaymentSwift copy.exe

pid process

2364 PaymentSwift copy.exe
2364 PaymentSwift copy.exe

description	pid	process
Token: SeDebugPrivilege	624	PaymentSwift copy.exe
Token: SeShutdownPrivilege	2364	PaymentSwift copy.exe

pid	process
2364	PaymentSwift copy.exe
2364	PaymentSwift copy.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

PaymentSwift copy.exe

description	pid	process	target process
PID 624 wrote to memory of 2164	624	PaymentSwift copy.exe	PaymentSwift copy.exe
PID 624 wrote to memory of 2164	624	PaymentSwift copy.exe	PaymentSwift copy.exe
PID 624 wrote to memory of 2164	624	PaymentSwift copy.exe	PaymentSwift copy.exe
PID 624 wrote to memory of 1376	624	PaymentSwift copy.exe	PaymentSwift copy.exe
PID 624 wrote to memory of 1376	624	PaymentSwift copy.exe	PaymentSwift copy.exe
PID 624 wrote to memory of 1376	624	PaymentSwift copy.exe	PaymentSwift copy.exe
PID 624 wrote to memory of 3032	624	PaymentSwift copy.exe	PaymentSwift copy.exe
PID 624 wrote to memory of 3032	624	PaymentSwift copy.exe	PaymentSwift copy.exe
PID 624 wrote to memory of 3032	624	PaymentSwift copy.exe	PaymentSwift copy.exe
PID 624 wrote to memory of 2364	624	PaymentSwift copy.exe	PaymentSwift copy.exe
PID 624 wrote to memory of 2364	624	PaymentSwift copy.exe	PaymentSwift copy.exe
PID 624 wrote to memory of 2364	624	PaymentSwift copy.exe	PaymentSwift copy.exe
PID 624 wrote to memory of 2364	624	PaymentSwift copy.exe	PaymentSwift copy.exe
PID 624 wrote to memory of 2364	624	PaymentSwift copy.exe	PaymentSwift copy.exe
PID 624 wrote to memory of 2364	624	PaymentSwift copy.exe	PaymentSwift copy.exe
PID 624 wrote to memory of 2364	624	PaymentSwift copy.exe	PaymentSwift copy.exe
PID 624 wrote to memory of 2364	624	PaymentSwift copy.exe	PaymentSwift copy.exe
PID 624 wrote to memory of 2364	624	PaymentSwift copy.exe	PaymentSwift copy.exe
PID 624 wrote to memory of 2364	624	PaymentSwift copy.exe	PaymentSwift copy.exe
PID 624 wrote to memory of 2364	624	PaymentSwift copy.exe	PaymentSwift copy.exe

C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe
"C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe
"C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe"
2⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe
"C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe"
2⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe
"C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe"
2⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe
"C:\Users\Admin\AppData\Local\Temp\PaymentSwift copy.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/624-114-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/624-116-0x00000000017A0000-0x00000000017A2000-memory.dmp

Filesize
8KB

Download
memory/624-117-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/624-118-0x0000000005610000-0x000000000564C000-memory.dmp

Filesize
240KB

Download
memory/2364-119-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2364-120-0x0000000000689FA7-mapping.dmp

Download
memory/2364-121-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads