bitrat | 9fcd74ab400531e530fc20dd5cb71635dd8f8aac2deea7d749284d976ea0a629

Analysis

max time kernel
159s
max time network
158s
platform
windows7_x64
resource
win7-en-20211104
submitted
04-11-2021 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49c3b146f9734caa1f3ffb3b273238f3.exe
Size

16KB
MD5

49c3b146f9734caa1f3ffb3b273238f3
SHA1

c2c3955cd049f3cfcaf1f926e660712850beccc3
SHA256

9fcd74ab400531e530fc20dd5cb71635dd8f8aac2deea7d749284d976ea0a629
SHA512

bf33e890ba8fe22aa9a1cfa8757867f0d4010522c82dccbb47e16d376ec66566093056757895edf15d98d9f4f9c2a0f1ffcae4eebd9b6bdb8ed5b43eb0ddd001

Score

10^/10

bitrat raccoon a8df9e1d3d24b04502963590a8ed392d88ab1b96 persistence stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

a8df9e1d3d24b04502963590a8ed392d88ab1b96

Attributes

url4cnc
http://telegin.top/opticillusionlusy
http://ttmirror.top/opticillusionlusy
http://teletele.top/opticillusionlusy
http://telegalive.top/opticillusionlusy
http://toptelete.top/opticillusionlusy
http://telegraf.top/opticillusionlusy
https://t.me/opticillusionlusy

rc4.plain

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

BitRAT Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/928-86-0x0000000000400000-0x00000000007CE000-memory.dmp	family_bitrat
behavioral1/memory/928-87-0x000000000068A488-mapping.dmp	family_bitrat
behavioral1/memory/1996-91-0x0000000000BE0000-0x0000000000FA5000-memory.dmp	family_bitrat
behavioral1/memory/928-92-0x0000000000400000-0x00000000007CE000-memory.dmp	family_bitrat

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

fontdrvhost.exeRuntimeBroker.exeRuntimeBroker.exe

pid process

956 fontdrvhost.exe
1996 RuntimeBroker.exe
928 RuntimeBroker.exe

pid	process
956	fontdrvhost.exe
1996	RuntimeBroker.exe
928	RuntimeBroker.exe

Loads dropped DLL 4 IoCs

Processes:

49c3b146f9734caa1f3ffb3b273238f3.exe

pid	process
320	49c3b146f9734caa1f3ffb3b273238f3.exe
320	49c3b146f9734caa1f3ffb3b273238f3.exe
320	49c3b146f9734caa1f3ffb3b273238f3.exe
320	49c3b146f9734caa1f3ffb3b273238f3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RuntimeBroker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Win32\\WindowsUpdate.exe"	RuntimeBroker.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

RuntimeBroker.exe

pid process

928 RuntimeBroker.exe
928 RuntimeBroker.exe
928 RuntimeBroker.exe
928 RuntimeBroker.exe
928 RuntimeBroker.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

RuntimeBroker.exe

description pid process target process

PID 1996 set thread context of 928 1996 RuntimeBroker.exe RuntimeBroker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1396 powershell.exe
1552 powershell.exe

pid	process
928	RuntimeBroker.exe
928	RuntimeBroker.exe
928	RuntimeBroker.exe
928	RuntimeBroker.exe
928	RuntimeBroker.exe

description	pid	process	target process
PID 1996 set thread context of 928	1996	RuntimeBroker.exe	RuntimeBroker.exe

pid	process
1396	powershell.exe
1552	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

49c3b146f9734caa1f3ffb3b273238f3.exepowershell.exepowershell.exeRuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	320	49c3b146f9734caa1f3ffb3b273238f3.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	928	RuntimeBroker.exe
Token: SeShutdownPrivilege	928	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RuntimeBroker.exe

pid process

928 RuntimeBroker.exe
928 RuntimeBroker.exe

pid	process
928	RuntimeBroker.exe
928	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

49c3b146f9734caa1f3ffb3b273238f3.execmd.execmd.exeRuntimeBroker.exe

description	pid	process	target process
PID 320 wrote to memory of 1496	320	49c3b146f9734caa1f3ffb3b273238f3.exe	cmd.exe
PID 320 wrote to memory of 1496	320	49c3b146f9734caa1f3ffb3b273238f3.exe	cmd.exe
PID 320 wrote to memory of 1496	320	49c3b146f9734caa1f3ffb3b273238f3.exe	cmd.exe
PID 320 wrote to memory of 1496	320	49c3b146f9734caa1f3ffb3b273238f3.exe	cmd.exe
PID 320 wrote to memory of 816	320	49c3b146f9734caa1f3ffb3b273238f3.exe	cmd.exe
PID 320 wrote to memory of 816	320	49c3b146f9734caa1f3ffb3b273238f3.exe	cmd.exe
PID 320 wrote to memory of 816	320	49c3b146f9734caa1f3ffb3b273238f3.exe	cmd.exe
PID 320 wrote to memory of 816	320	49c3b146f9734caa1f3ffb3b273238f3.exe	cmd.exe
PID 1496 wrote to memory of 1552	1496	cmd.exe	powershell.exe
PID 1496 wrote to memory of 1552	1496	cmd.exe	powershell.exe
PID 1496 wrote to memory of 1552	1496	cmd.exe	powershell.exe
PID 1496 wrote to memory of 1552	1496	cmd.exe	powershell.exe
PID 816 wrote to memory of 1396	816	cmd.exe	powershell.exe
PID 816 wrote to memory of 1396	816	cmd.exe	powershell.exe
PID 816 wrote to memory of 1396	816	cmd.exe	powershell.exe
PID 816 wrote to memory of 1396	816	cmd.exe	powershell.exe
PID 320 wrote to memory of 956	320	49c3b146f9734caa1f3ffb3b273238f3.exe	fontdrvhost.exe
PID 320 wrote to memory of 956	320	49c3b146f9734caa1f3ffb3b273238f3.exe	fontdrvhost.exe
PID 320 wrote to memory of 956	320	49c3b146f9734caa1f3ffb3b273238f3.exe	fontdrvhost.exe
PID 320 wrote to memory of 956	320	49c3b146f9734caa1f3ffb3b273238f3.exe	fontdrvhost.exe
PID 320 wrote to memory of 1996	320	49c3b146f9734caa1f3ffb3b273238f3.exe	RuntimeBroker.exe
PID 320 wrote to memory of 1996	320	49c3b146f9734caa1f3ffb3b273238f3.exe	RuntimeBroker.exe
PID 320 wrote to memory of 1996	320	49c3b146f9734caa1f3ffb3b273238f3.exe	RuntimeBroker.exe
PID 320 wrote to memory of 1996	320	49c3b146f9734caa1f3ffb3b273238f3.exe	RuntimeBroker.exe
PID 1996 wrote to memory of 928	1996	RuntimeBroker.exe	RuntimeBroker.exe
PID 1996 wrote to memory of 928	1996	RuntimeBroker.exe	RuntimeBroker.exe
PID 1996 wrote to memory of 928	1996	RuntimeBroker.exe	RuntimeBroker.exe
PID 1996 wrote to memory of 928	1996	RuntimeBroker.exe	RuntimeBroker.exe
PID 1996 wrote to memory of 928	1996	RuntimeBroker.exe	RuntimeBroker.exe
PID 1996 wrote to memory of 928	1996	RuntimeBroker.exe	RuntimeBroker.exe
PID 1996 wrote to memory of 928	1996	RuntimeBroker.exe	RuntimeBroker.exe
PID 1996 wrote to memory of 928	1996	RuntimeBroker.exe	RuntimeBroker.exe
PID 1996 wrote to memory of 928	1996	RuntimeBroker.exe	RuntimeBroker.exe
PID 1996 wrote to memory of 928	1996	RuntimeBroker.exe	RuntimeBroker.exe
PID 1996 wrote to memory of 928	1996	RuntimeBroker.exe	RuntimeBroker.exe
PID 1996 wrote to memory of 928	1996	RuntimeBroker.exe	RuntimeBroker.exe

C:\Users\Admin\AppData\Local\Temp\49c3b146f9734caa1f3ffb3b273238f3.exe
"C:\Users\Admin\AppData\Local\Temp\49c3b146f9734caa1f3ffb3b273238f3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\hosts.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -win 1 -c iex ([io.file]::ReadAllText($env:0))
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\hosts.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -win 1 -c iex ([io.file]::ReadAllText($env:0))
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Users\Admin\AppData\Roaming\fontdrvhost.exe
"C:\Users\Admin\AppData\Roaming\fontdrvhost.exe"
2⤵
- Executes dropped EXE
PID:956

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
da5d9fb816ba3d5ffb77be80223331bc

SHA1
7e6aecaf322feedf459abf0a24b7f0ecb5de64af

SHA256
5c9086eb3cfb5f68b1ff789c8ca28840af21b9b3a797c733a2cb1036c416e8f4

SHA512
c5a03a1e5c46717645ed9fbaa553e6454abd7c5e93e968c382a6a4cbb1e67856486eb110bc96b43b238459d1f742068313b7a27e6aadd76fc38950edad69480b

Download Submit
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
MD5
0c547b07b9b62d970cde94b18a34b0f8

SHA1
fcb33a1367e12990028abf542ca57eeb4c4c5fb4

SHA256
bc1162ab3641fde0dd4b2208c2d8470035aa4f742c1b69ea53ea9cd6f5051171

SHA512
b02e6ab09655456c4d298cefd235e5df9ee51b9e72a56d1d5e5c6dffaff1f43810fa4e640e10d0050bc88f0e5738d07659ff4cef74103d0a7b94b367c7c923a1

Download Submit
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
MD5
0c547b07b9b62d970cde94b18a34b0f8

SHA1
fcb33a1367e12990028abf542ca57eeb4c4c5fb4

SHA256
bc1162ab3641fde0dd4b2208c2d8470035aa4f742c1b69ea53ea9cd6f5051171

SHA512
b02e6ab09655456c4d298cefd235e5df9ee51b9e72a56d1d5e5c6dffaff1f43810fa4e640e10d0050bc88f0e5738d07659ff4cef74103d0a7b94b367c7c923a1

Download Submit
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
MD5
0c547b07b9b62d970cde94b18a34b0f8

SHA1
fcb33a1367e12990028abf542ca57eeb4c4c5fb4

SHA256
bc1162ab3641fde0dd4b2208c2d8470035aa4f742c1b69ea53ea9cd6f5051171

SHA512
b02e6ab09655456c4d298cefd235e5df9ee51b9e72a56d1d5e5c6dffaff1f43810fa4e640e10d0050bc88f0e5738d07659ff4cef74103d0a7b94b367c7c923a1

Download Submit
C:\Users\Admin\AppData\Roaming\fontdrvhost.exe
MD5
4eb5d05f73f6edc4673409b03ee325cf

SHA1
f210931bedf25533129b87eee16573e618887d80

SHA256
4a0129093fc5f3fb58bfebae5d9ea7fe99e2871ead13f12612606e9e2aed261d

SHA512
c3370f853e23527bd22dae9ce6cf39d023d4a9c9b17b23a5cdb717e085f5c3b7160e0756674bf0519cd6717b81e68911e9896488b0c342007e114047b46fd231

Download Submit
C:\Users\Admin\hosts.bat
MD5
633dd29d37554e063e8700af0a882724

SHA1
2994a70ff1769fdea7f06bbfe58d8d665caca6b8

SHA256
dfe6d785e2c1082e1249b081a172c31904d83ea125929e2dca0c41312e9bf2a8

SHA512
b25684dab562afd12015058cafc5549b265a7ad38be8d44f3659690b21f723240a1732895dbcf77856973e6e2153a7c0841693a7991b7938a498c602537aa334

Download Submit
\Users\Admin\AppData\Roaming\RuntimeBroker.exe
MD5
0c547b07b9b62d970cde94b18a34b0f8

SHA1
fcb33a1367e12990028abf542ca57eeb4c4c5fb4

SHA256
bc1162ab3641fde0dd4b2208c2d8470035aa4f742c1b69ea53ea9cd6f5051171

SHA512
b02e6ab09655456c4d298cefd235e5df9ee51b9e72a56d1d5e5c6dffaff1f43810fa4e640e10d0050bc88f0e5738d07659ff4cef74103d0a7b94b367c7c923a1

Download Submit
\Users\Admin\AppData\Roaming\RuntimeBroker.exe
MD5
0c547b07b9b62d970cde94b18a34b0f8

SHA1
fcb33a1367e12990028abf542ca57eeb4c4c5fb4

SHA256
bc1162ab3641fde0dd4b2208c2d8470035aa4f742c1b69ea53ea9cd6f5051171

SHA512
b02e6ab09655456c4d298cefd235e5df9ee51b9e72a56d1d5e5c6dffaff1f43810fa4e640e10d0050bc88f0e5738d07659ff4cef74103d0a7b94b367c7c923a1

Download Submit
\Users\Admin\AppData\Roaming\fontdrvhost.exe
MD5
4eb5d05f73f6edc4673409b03ee325cf

SHA1
f210931bedf25533129b87eee16573e618887d80

SHA256
4a0129093fc5f3fb58bfebae5d9ea7fe99e2871ead13f12612606e9e2aed261d

SHA512
c3370f853e23527bd22dae9ce6cf39d023d4a9c9b17b23a5cdb717e085f5c3b7160e0756674bf0519cd6717b81e68911e9896488b0c342007e114047b46fd231

Download Submit
\Users\Admin\AppData\Roaming\fontdrvhost.exe
MD5
4eb5d05f73f6edc4673409b03ee325cf

SHA1
f210931bedf25533129b87eee16573e618887d80

SHA256
4a0129093fc5f3fb58bfebae5d9ea7fe99e2871ead13f12612606e9e2aed261d

SHA512
c3370f853e23527bd22dae9ce6cf39d023d4a9c9b17b23a5cdb717e085f5c3b7160e0756674bf0519cd6717b81e68911e9896488b0c342007e114047b46fd231

Download Submit
memory/320-69-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/320-55-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/320-57-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/816-59-0x0000000000000000-mapping.dmp

Download
memory/928-87-0x000000000068A488-mapping.dmp

Download
memory/928-86-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/928-92-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/956-83-0x0000000000320000-0x00000000003AE000-memory.dmp

Filesize
568KB

Download
memory/956-82-0x00000000002D0000-0x000000000031E000-memory.dmp

Filesize
312KB

Download
memory/956-75-0x0000000000000000-mapping.dmp

Download
memory/956-84-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1396-67-0x00000000023E0000-0x000000000302A000-memory.dmp

Filesize
12.3MB

Download
memory/1396-72-0x00000000023E0000-0x000000000302A000-memory.dmp

Filesize
12.3MB

Download
memory/1396-62-0x0000000000000000-mapping.dmp

Download
memory/1396-70-0x00000000023E0000-0x000000000302A000-memory.dmp

Filesize
12.3MB

Download
memory/1496-58-0x0000000000000000-mapping.dmp

Download
memory/1552-66-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/1552-68-0x00000000021C1000-0x00000000021C2000-memory.dmp

Filesize
4KB

Download
memory/1552-61-0x0000000000000000-mapping.dmp

Download
memory/1552-71-0x00000000021C2000-0x00000000021C4000-memory.dmp

Filesize
8KB

Download
memory/1996-79-0x0000000000000000-mapping.dmp

Download
memory/1996-91-0x0000000000BE0000-0x0000000000FA5000-memory.dmp

Filesize
3.8MB

Download
memory/1996-90-0x00000000009F0000-0x0000000000BD4000-memory.dmp

Filesize
1.9MB

Download