bitrat | b67e1dc98007c0bf5afa9ca1f840de158cb01eedbce373d791b80059de98b011

General

Target

43e0eed9a47f0eb655af50a9aacd02b1.exe
Size

2.0MB
MD5

43e0eed9a47f0eb655af50a9aacd02b1
SHA1

6dbc00b84c23fc44857bd81cc69fe62430bf9c82
SHA256

b67e1dc98007c0bf5afa9ca1f840de158cb01eedbce373d791b80059de98b011
SHA512

12c160f00b6a50ed84d4e3d90971cad17d67048e291210bef2e8bff8bb8acbfc18f0de26284e1f5289f9612c3efcd1659068f886404cd0e21487a9a109207f75

Score

10^/10

bitrat suricata trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

107.172.44.141:2030

Attributes

communication_password
5f4dcc3b5aa765d61d8327deb882cf99
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1552-65-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1552-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1552-67-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1552-69-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1552-71-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

RegSvcs.exe

pid process

1552 RegSvcs.exe
1552 RegSvcs.exe
1552 RegSvcs.exe
1552 RegSvcs.exe
1552 RegSvcs.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

43e0eed9a47f0eb655af50a9aacd02b1.exe

description pid process target process

PID 544 set thread context of 1552 544 43e0eed9a47f0eb655af50a9aacd02b1.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

568 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

632 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 632 powershell.exe
Token: SeDebugPrivilege 1552 RegSvcs.exe
Token: SeShutdownPrivilege 1552 RegSvcs.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegSvcs.exe

pid process

1552 RegSvcs.exe
1552 RegSvcs.exe

pid	process
1552	RegSvcs.exe
1552	RegSvcs.exe
1552	RegSvcs.exe
1552	RegSvcs.exe
1552	RegSvcs.exe

description	pid	process	target process
PID 544 set thread context of 1552	544	43e0eed9a47f0eb655af50a9aacd02b1.exe	RegSvcs.exe

pid	process
568	schtasks.exe

pid	process
632	powershell.exe

description	pid	process
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	1552	RegSvcs.exe
Token: SeShutdownPrivilege	1552	RegSvcs.exe

pid	process
1552	RegSvcs.exe
1552	RegSvcs.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

43e0eed9a47f0eb655af50a9aacd02b1.exe

description	pid	process	target process
PID 544 wrote to memory of 632	544	43e0eed9a47f0eb655af50a9aacd02b1.exe	powershell.exe
PID 544 wrote to memory of 632	544	43e0eed9a47f0eb655af50a9aacd02b1.exe	powershell.exe
PID 544 wrote to memory of 632	544	43e0eed9a47f0eb655af50a9aacd02b1.exe	powershell.exe
PID 544 wrote to memory of 632	544	43e0eed9a47f0eb655af50a9aacd02b1.exe	powershell.exe
PID 544 wrote to memory of 568	544	43e0eed9a47f0eb655af50a9aacd02b1.exe	schtasks.exe
PID 544 wrote to memory of 568	544	43e0eed9a47f0eb655af50a9aacd02b1.exe	schtasks.exe
PID 544 wrote to memory of 568	544	43e0eed9a47f0eb655af50a9aacd02b1.exe	schtasks.exe
PID 544 wrote to memory of 568	544	43e0eed9a47f0eb655af50a9aacd02b1.exe	schtasks.exe
PID 544 wrote to memory of 1552	544	43e0eed9a47f0eb655af50a9aacd02b1.exe	RegSvcs.exe
PID 544 wrote to memory of 1552	544	43e0eed9a47f0eb655af50a9aacd02b1.exe	RegSvcs.exe
PID 544 wrote to memory of 1552	544	43e0eed9a47f0eb655af50a9aacd02b1.exe	RegSvcs.exe
PID 544 wrote to memory of 1552	544	43e0eed9a47f0eb655af50a9aacd02b1.exe	RegSvcs.exe
PID 544 wrote to memory of 1552	544	43e0eed9a47f0eb655af50a9aacd02b1.exe	RegSvcs.exe
PID 544 wrote to memory of 1552	544	43e0eed9a47f0eb655af50a9aacd02b1.exe	RegSvcs.exe
PID 544 wrote to memory of 1552	544	43e0eed9a47f0eb655af50a9aacd02b1.exe	RegSvcs.exe
PID 544 wrote to memory of 1552	544	43e0eed9a47f0eb655af50a9aacd02b1.exe	RegSvcs.exe
PID 544 wrote to memory of 1552	544	43e0eed9a47f0eb655af50a9aacd02b1.exe	RegSvcs.exe
PID 544 wrote to memory of 1552	544	43e0eed9a47f0eb655af50a9aacd02b1.exe	RegSvcs.exe
PID 544 wrote to memory of 1552	544	43e0eed9a47f0eb655af50a9aacd02b1.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\43e0eed9a47f0eb655af50a9aacd02b1.exe
"C:\Users\Admin\AppData\Local\Temp\43e0eed9a47f0eb655af50a9aacd02b1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aDqFLFeDN.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aDqFLFeDN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp77DE.tmp"
2⤵
- Creates scheduled task(s)
PID:568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp77DE.tmp
MD5
1520dea1f9f8afec361aff1cb3bd61f2

SHA1
4cd7a9e1357fd35cb7ff327c76724df6836aa23f

SHA256
cd1fa5ffd7db3ea4e793431bc84b29b6e6fd112a1ea8b101a731a5556bc5f33b

SHA512
6bd5cedc93132dff3bb22c188b02948ce537d401e433b5c053507ec74f4954076707b8326de6b02c84911a46e7b84073c66646eb6896b89864fb580c4cbfd087

Download Submit
memory/544-56-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download
memory/544-57-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/544-58-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/544-59-0x0000000007ED0000-0x00000000080DE000-memory.dmp

Filesize
2.1MB

Download
memory/544-54-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/568-61-0x0000000000000000-mapping.dmp

Download
memory/632-72-0x0000000002520000-0x000000000316A000-memory.dmp

Filesize
12.3MB

Download
memory/632-60-0x0000000000000000-mapping.dmp

Download
memory/632-73-0x0000000002520000-0x000000000316A000-memory.dmp

Filesize
12.3MB

Download
memory/1552-64-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1552-68-0x00000000007E2730-mapping.dmp

Download
memory/1552-67-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1552-69-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1552-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1552-71-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1552-65-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads