bitrat | ac84f24af4ee7638d9ee6c5d4b080130a7e1055e5f9bfbc1991dc889a03f664c

General

Target

1a95f16a_by_Libranalysis.exe
Size

2.1MB
MD5

1a95f16ac6f8c8c58a328d10e4263e9b
SHA1

12ce6530ec3c85cd2b1c5b58ab727fc2cc82217b
SHA256

ac84f24af4ee7638d9ee6c5d4b080130a7e1055e5f9bfbc1991dc889a03f664c
SHA512

f61a24cf4338e656672e76611a8b60c63da3eec4447a56c995a0b2d4662bfec8b155b67f67c7f1527feae75ccccc24c333989b3c73836ae2dbae70b5a8aaf0d1

Score

10^/10

bitrat persistence trojan upx

Malware Config

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

BitRAT Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2248-126-0x00000000007E23D0-mapping.dmp	family_bitrat

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2248-125-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2248-127-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1a95f16a_by_Libranalysis.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\antivirusscamdefenderlog = "C:\\Users\\Admin\\AppData\\Local\\antivirusscamdefenderlogss\\antivirusscamdefenderlog.exe"	1a95f16a_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\antivirusscamdefenderlog = "C:\\Users\\Admin\\AppData\\Local\\antivirusscamdefenderlogss\\antivirusscamdefenderlog.exeԀ"	1a95f16a_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\antivirusscamdefenderlog = "C:\\Users\\Admin\\AppData\\Local\\antivirusscamdefenderlogss\\antivirusscamdefenderlog.exe洀"	1a95f16a_by_Libranalysis.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

1a95f16a_by_Libranalysis.exe

pid process

2248 1a95f16a_by_Libranalysis.exe
2248 1a95f16a_by_Libranalysis.exe
2248 1a95f16a_by_Libranalysis.exe
2248 1a95f16a_by_Libranalysis.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

1a95f16a_by_Libranalysis.exe

description pid process target process

PID 1908 set thread context of 2248 1908 1a95f16a_by_Libranalysis.exe 1a95f16a_by_Libranalysis.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1a95f16a_by_Libranalysis.exe

pid process

1908 1a95f16a_by_Libranalysis.exe
1908 1a95f16a_by_Libranalysis.exe
1908 1a95f16a_by_Libranalysis.exe
1908 1a95f16a_by_Libranalysis.exe

description	pid	process	target process
PID 1908 set thread context of 2248	1908	1a95f16a_by_Libranalysis.exe	1a95f16a_by_Libranalysis.exe

pid	process
1908	1a95f16a_by_Libranalysis.exe
1908	1a95f16a_by_Libranalysis.exe
1908	1a95f16a_by_Libranalysis.exe
1908	1a95f16a_by_Libranalysis.exe

Suspicious behavior: RenamesItself 8 IoCs

Processes:

1a95f16a_by_Libranalysis.exe

pid	process
2248	1a95f16a_by_Libranalysis.exe
2248	1a95f16a_by_Libranalysis.exe
2248	1a95f16a_by_Libranalysis.exe
2248	1a95f16a_by_Libranalysis.exe
2248	1a95f16a_by_Libranalysis.exe
2248	1a95f16a_by_Libranalysis.exe
2248	1a95f16a_by_Libranalysis.exe
2248	1a95f16a_by_Libranalysis.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1a95f16a_by_Libranalysis.exe1a95f16a_by_Libranalysis.exe

description pid process

Token: SeDebugPrivilege 1908 1a95f16a_by_Libranalysis.exe
Token: SeShutdownPrivilege 2248 1a95f16a_by_Libranalysis.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1a95f16a_by_Libranalysis.exe

pid process

2248 1a95f16a_by_Libranalysis.exe
2248 1a95f16a_by_Libranalysis.exe

description	pid	process
Token: SeDebugPrivilege	1908	1a95f16a_by_Libranalysis.exe
Token: SeShutdownPrivilege	2248	1a95f16a_by_Libranalysis.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

1a95f16a_by_Libranalysis.exe

description	pid	process	target process
PID 1908 wrote to memory of 3744	1908	1a95f16a_by_Libranalysis.exe	1a95f16a_by_Libranalysis.exe
PID 1908 wrote to memory of 3744	1908	1a95f16a_by_Libranalysis.exe	1a95f16a_by_Libranalysis.exe
PID 1908 wrote to memory of 3744	1908	1a95f16a_by_Libranalysis.exe	1a95f16a_by_Libranalysis.exe
PID 1908 wrote to memory of 3416	1908	1a95f16a_by_Libranalysis.exe	1a95f16a_by_Libranalysis.exe
PID 1908 wrote to memory of 3416	1908	1a95f16a_by_Libranalysis.exe	1a95f16a_by_Libranalysis.exe
PID 1908 wrote to memory of 3416	1908	1a95f16a_by_Libranalysis.exe	1a95f16a_by_Libranalysis.exe
PID 1908 wrote to memory of 2248	1908	1a95f16a_by_Libranalysis.exe	1a95f16a_by_Libranalysis.exe
PID 1908 wrote to memory of 2248	1908	1a95f16a_by_Libranalysis.exe	1a95f16a_by_Libranalysis.exe
PID 1908 wrote to memory of 2248	1908	1a95f16a_by_Libranalysis.exe	1a95f16a_by_Libranalysis.exe
PID 1908 wrote to memory of 2248	1908	1a95f16a_by_Libranalysis.exe	1a95f16a_by_Libranalysis.exe
PID 1908 wrote to memory of 2248	1908	1a95f16a_by_Libranalysis.exe	1a95f16a_by_Libranalysis.exe
PID 1908 wrote to memory of 2248	1908	1a95f16a_by_Libranalysis.exe	1a95f16a_by_Libranalysis.exe
PID 1908 wrote to memory of 2248	1908	1a95f16a_by_Libranalysis.exe	1a95f16a_by_Libranalysis.exe

C:\Users\Admin\AppData\Local\Temp\1a95f16a_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\1a95f16a_by_Libranalysis.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Local\Temp\1a95f16a_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\1a95f16a_by_Libranalysis.exe"
2⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\1a95f16a_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\1a95f16a_by_Libranalysis.exe"
2⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\1a95f16a_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\1a95f16a_by_Libranalysis.exe"
2⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1908-114-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/1908-116-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/1908-117-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/1908-118-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/1908-119-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/1908-120-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

Filesize
4KB

Download
memory/1908-121-0x0000000005840000-0x0000000005D3E000-memory.dmp

Filesize
5.0MB

Download
memory/1908-122-0x0000000005BB0000-0x0000000005BBE000-memory.dmp

Filesize
56KB

Download
memory/1908-123-0x00000000069E0000-0x0000000006BA8000-memory.dmp

Filesize
1.8MB

Download
memory/1908-124-0x0000000009FA0000-0x000000000A119000-memory.dmp

Filesize
1.5MB

Download
memory/2248-125-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2248-126-0x00000000007E23D0-mapping.dmp

Download
memory/2248-127-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads