bitrat | e6df0473885248cf7c449ac57120d90c000ee847f27452a426d4bb3e7e0fee7a

General

Target

Terms and Conditions pdf.exe
Size

1.1MB
MD5

07d781828a2e31ae1748f114c5fe9fd5
SHA1

e46c87bddf2227c583a2c9e30ee9984db82b32a2
SHA256

e6df0473885248cf7c449ac57120d90c000ee847f27452a426d4bb3e7e0fee7a
SHA512

43f14fb5d51f7e56a1469af96adfb7df3de06a06b58a225f020623f97d44e36f864a5b755c79dad9322edf1da3d557cc271742b77b0e5df46b3796d2003da951

Score

10^/10

bitrat trojan

Malware Config

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

BitRAT Payload 6 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\sXR9Yi2ETo9Prwpe.exe	family_bitrat
\Users\Admin\AppData\Local\Temp\sXR9Yi2ETo9Prwpe.exe	family_bitrat
\Users\Admin\AppData\Local\Temp\sXR9Yi2ETo9Prwpe.exe	family_bitrat
\Users\Admin\AppData\Local\Temp\sXR9Yi2ETo9Prwpe.exe	family_bitrat
C:\Users\Admin\AppData\Local\Temp\sXR9Yi2ETo9Prwpe.exe	family_bitrat
C:\Users\Admin\AppData\Local\Temp\sXR9Yi2ETo9Prwpe.exe	family_bitrat

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

sXR9Yi2ETo9Prwpe.exe

pid process

1396 sXR9Yi2ETo9Prwpe.exe
Loads dropped DLL 4 IoCs

Processes:

Terms and Conditions pdf.exe

pid process

568 Terms and Conditions pdf.exe
568 Terms and Conditions pdf.exe
568 Terms and Conditions pdf.exe
568 Terms and Conditions pdf.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

sXR9Yi2ETo9Prwpe.exe

pid process

1396 sXR9Yi2ETo9Prwpe.exe
1396 sXR9Yi2ETo9Prwpe.exe
1396 sXR9Yi2ETo9Prwpe.exe
1396 sXR9Yi2ETo9Prwpe.exe
1396 sXR9Yi2ETo9Prwpe.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Terms and Conditions pdf.exe

description pid process target process

PID 1824 set thread context of 568 1824 Terms and Conditions pdf.exe Terms and Conditions pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

464 schtasks.exe

pid	process
1396	sXR9Yi2ETo9Prwpe.exe

pid	process
568	Terms and Conditions pdf.exe
568	Terms and Conditions pdf.exe
568	Terms and Conditions pdf.exe
568	Terms and Conditions pdf.exe

pid	process
1396	sXR9Yi2ETo9Prwpe.exe
1396	sXR9Yi2ETo9Prwpe.exe
1396	sXR9Yi2ETo9Prwpe.exe
1396	sXR9Yi2ETo9Prwpe.exe
1396	sXR9Yi2ETo9Prwpe.exe

description	pid	process	target process
PID 1824 set thread context of 568	1824	Terms and Conditions pdf.exe	Terms and Conditions pdf.exe

pid	process
464	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Terms and Conditions pdf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Terms and Conditions pdf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Terms and Conditions pdf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Terms and Conditions pdf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

sXR9Yi2ETo9Prwpe.exe

description pid process

Token: SeDebugPrivilege 1396 sXR9Yi2ETo9Prwpe.exe
Token: SeShutdownPrivilege 1396 sXR9Yi2ETo9Prwpe.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

sXR9Yi2ETo9Prwpe.exe

pid process

1396 sXR9Yi2ETo9Prwpe.exe
1396 sXR9Yi2ETo9Prwpe.exe

description	pid	process
Token: SeDebugPrivilege	1396	sXR9Yi2ETo9Prwpe.exe
Token: SeShutdownPrivilege	1396	sXR9Yi2ETo9Prwpe.exe

pid	process
1396	sXR9Yi2ETo9Prwpe.exe
1396	sXR9Yi2ETo9Prwpe.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Terms and Conditions pdf.exeTerms and Conditions pdf.exe

description	pid	process	target process
PID 1824 wrote to memory of 464	1824	Terms and Conditions pdf.exe	schtasks.exe
PID 1824 wrote to memory of 464	1824	Terms and Conditions pdf.exe	schtasks.exe
PID 1824 wrote to memory of 464	1824	Terms and Conditions pdf.exe	schtasks.exe
PID 1824 wrote to memory of 464	1824	Terms and Conditions pdf.exe	schtasks.exe
PID 1824 wrote to memory of 568	1824	Terms and Conditions pdf.exe	Terms and Conditions pdf.exe
PID 1824 wrote to memory of 568	1824	Terms and Conditions pdf.exe	Terms and Conditions pdf.exe
PID 1824 wrote to memory of 568	1824	Terms and Conditions pdf.exe	Terms and Conditions pdf.exe
PID 1824 wrote to memory of 568	1824	Terms and Conditions pdf.exe	Terms and Conditions pdf.exe
PID 1824 wrote to memory of 568	1824	Terms and Conditions pdf.exe	Terms and Conditions pdf.exe
PID 1824 wrote to memory of 568	1824	Terms and Conditions pdf.exe	Terms and Conditions pdf.exe
PID 1824 wrote to memory of 568	1824	Terms and Conditions pdf.exe	Terms and Conditions pdf.exe
PID 1824 wrote to memory of 568	1824	Terms and Conditions pdf.exe	Terms and Conditions pdf.exe
PID 1824 wrote to memory of 568	1824	Terms and Conditions pdf.exe	Terms and Conditions pdf.exe
PID 1824 wrote to memory of 568	1824	Terms and Conditions pdf.exe	Terms and Conditions pdf.exe
PID 1824 wrote to memory of 568	1824	Terms and Conditions pdf.exe	Terms and Conditions pdf.exe
PID 1824 wrote to memory of 568	1824	Terms and Conditions pdf.exe	Terms and Conditions pdf.exe
PID 568 wrote to memory of 1396	568	Terms and Conditions pdf.exe	sXR9Yi2ETo9Prwpe.exe
PID 568 wrote to memory of 1396	568	Terms and Conditions pdf.exe	sXR9Yi2ETo9Prwpe.exe
PID 568 wrote to memory of 1396	568	Terms and Conditions pdf.exe	sXR9Yi2ETo9Prwpe.exe
PID 568 wrote to memory of 1396	568	Terms and Conditions pdf.exe	sXR9Yi2ETo9Prwpe.exe

C:\Users\Admin\AppData\Local\Temp\Terms and Conditions pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Terms and Conditions pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zJAQFbftkdPi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9B36.tmp"
2⤵
- Creates scheduled task(s)
PID:464

C:\Users\Admin\AppData\Local\Temp\Terms and Conditions pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Terms and Conditions pdf.exe"
2⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Local\Temp\sXR9Yi2ETo9Prwpe.exe
"C:\Users\Admin\AppData\Local\Temp\sXR9Yi2ETo9Prwpe.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sXR9Yi2ETo9Prwpe.exe
MD5
e39f404f193bd1e12fac9307a43adbed

SHA1
fb2e759fcb30b6e7299922e0e362f9b677162c94

SHA256
6c127e6dbd6095f50768a04c8c7edab47b372cdb4672b9c5ff2c14a44b19582a

SHA512
cb79c094cf29c29e113fc017a51b6f170d40f6110eb90ffade8655ac5a3dc1af4003f805bae80c52c66c9c3c70ce7652dfa34b2a3f7d5c61bd0cb196008d115b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sXR9Yi2ETo9Prwpe.exe
MD5
e39f404f193bd1e12fac9307a43adbed

SHA1
fb2e759fcb30b6e7299922e0e362f9b677162c94

SHA256
6c127e6dbd6095f50768a04c8c7edab47b372cdb4672b9c5ff2c14a44b19582a

SHA512
cb79c094cf29c29e113fc017a51b6f170d40f6110eb90ffade8655ac5a3dc1af4003f805bae80c52c66c9c3c70ce7652dfa34b2a3f7d5c61bd0cb196008d115b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9B36.tmp
MD5
9e061889f37da031b2d869aef613276f

SHA1
2e8c9b7a44f1101c3c1c3d6771d99251c0c947db

SHA256
95e09c520e19fecd1444465e8b48bc7c0cd838151bb86f2405fde96cd979e0c3

SHA512
d3ec54d9d59b98ba7cbfaace39f355ae1f6b8061e9b26e70cfa2acdf205d33c88f9c9531588020c3a5dd5024e56a86ee2082b74e12c35e4eb5174658a1914b08

Download Submit
\Users\Admin\AppData\Local\Temp\sXR9Yi2ETo9Prwpe.exe
MD5
e39f404f193bd1e12fac9307a43adbed

SHA1
fb2e759fcb30b6e7299922e0e362f9b677162c94

SHA256
6c127e6dbd6095f50768a04c8c7edab47b372cdb4672b9c5ff2c14a44b19582a

SHA512
cb79c094cf29c29e113fc017a51b6f170d40f6110eb90ffade8655ac5a3dc1af4003f805bae80c52c66c9c3c70ce7652dfa34b2a3f7d5c61bd0cb196008d115b

Download Submit
\Users\Admin\AppData\Local\Temp\sXR9Yi2ETo9Prwpe.exe
MD5
e39f404f193bd1e12fac9307a43adbed

SHA1
fb2e759fcb30b6e7299922e0e362f9b677162c94

SHA256
6c127e6dbd6095f50768a04c8c7edab47b372cdb4672b9c5ff2c14a44b19582a

SHA512
cb79c094cf29c29e113fc017a51b6f170d40f6110eb90ffade8655ac5a3dc1af4003f805bae80c52c66c9c3c70ce7652dfa34b2a3f7d5c61bd0cb196008d115b

Download Submit
\Users\Admin\AppData\Local\Temp\sXR9Yi2ETo9Prwpe.exe
MD5
e39f404f193bd1e12fac9307a43adbed

SHA1
fb2e759fcb30b6e7299922e0e362f9b677162c94

SHA256
6c127e6dbd6095f50768a04c8c7edab47b372cdb4672b9c5ff2c14a44b19582a

SHA512
cb79c094cf29c29e113fc017a51b6f170d40f6110eb90ffade8655ac5a3dc1af4003f805bae80c52c66c9c3c70ce7652dfa34b2a3f7d5c61bd0cb196008d115b

Download Submit
\Users\Admin\AppData\Local\Temp\sXR9Yi2ETo9Prwpe.exe
MD5
e39f404f193bd1e12fac9307a43adbed

SHA1
fb2e759fcb30b6e7299922e0e362f9b677162c94

SHA256
6c127e6dbd6095f50768a04c8c7edab47b372cdb4672b9c5ff2c14a44b19582a

SHA512
cb79c094cf29c29e113fc017a51b6f170d40f6110eb90ffade8655ac5a3dc1af4003f805bae80c52c66c9c3c70ce7652dfa34b2a3f7d5c61bd0cb196008d115b

Download Submit
memory/464-66-0x0000000000000000-mapping.dmp

Download
memory/568-69-0x000000000040AE9E-mapping.dmp

Download
memory/568-70-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download
memory/568-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/568-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1396-76-0x0000000000000000-mapping.dmp

Download
memory/1824-60-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/1824-65-0x0000000004C10000-0x0000000004C60000-memory.dmp

Filesize
320KB

Download
memory/1824-64-0x00000000051B0000-0x0000000005232000-memory.dmp

Filesize
520KB

Download
memory/1824-63-0x00000000004A0000-0x00000000004B0000-memory.dmp

Filesize
64KB

Download
memory/1824-62-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads