bitrat | 4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec

General

Target

4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
Size

4.5MB
MD5

0b032e83c3a78f61fa3bf9cebd5a0242
SHA1

f39705cde333b8c104f0a0381aa85de5a9d40e23
SHA256

4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec
SHA512

776674d9a1e9ec68dd4f2a3d4deaf7eec921b3a306874f15956a70491bf6bb166d7994039dc724afcc1e1ed9150a91116965a79e8a320e37dced402d258e5a77

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

queentaline.ddns.net:1117

Attributes

communication_password
202cb962ac59075b964b07152d234b70
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe

pid	process
3588	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
3588	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
3588	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
3588	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
3588	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe

description	pid	process	target process
PID 2472 set thread context of 3588	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2836 schtasks.exe

pid	process
2836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exepowershell.exe

pid	process
2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
3892	powershell.exe
2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
3892	powershell.exe
3892	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exepowershell.exe4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe

description	pid	process
Token: SeDebugPrivilege	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeShutdownPrivilege	3588	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe

pid	process
3588	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
3588	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe

C:\Users\Admin\AppData\Local\Temp\4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
"C:\Users\Admin\AppData\Local\Temp\4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tXqdqvrsfx.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tXqdqvrsfx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5773.tmp"
2⤵
- Creates scheduled task(s)
PID:2836

C:\Users\Admin\AppData\Local\Temp\4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
"C:\Users\Admin\AppData\Local\Temp\4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe"
2⤵
PID:672

C:\Users\Admin\AppData\Local\Temp\4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
"C:\Users\Admin\AppData\Local\Temp\4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe"
2⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
"C:\Users\Admin\AppData\Local\Temp\4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe"
2⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
"C:\Users\Admin\AppData\Local\Temp\4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5773.tmp
MD5
2f0fb983b8f980e5ff0abc03369227f6

SHA1
9bf20f62456cdf8f40a2038ec7f0dfae2ce7d29a

SHA256
3c6399b73106dea6208232a90fa71f145cfe92f418a0765858c54de6d00e9310

SHA512
8d11fe825a1e988dfe4b2684adecca8f9168605179e20b63453d1906cf8b4bf80e752e813d507459f0d123677ecc5071e12bb72daf5a0d9ee5c81973c08375d3

Download Submit
memory/2472-121-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/2472-117-0x0000000005660000-0x0000000005B5E000-memory.dmp

Filesize
5.0MB

Download
memory/2472-118-0x0000000005160000-0x00000000051F2000-memory.dmp

Filesize
584KB

Download
memory/2472-119-0x00000000050D0000-0x00000000050DA000-memory.dmp

Filesize
40KB

Download
memory/2472-120-0x0000000005160000-0x000000000565E000-memory.dmp

Filesize
5.0MB

Download
memory/2472-122-0x0000000007560000-0x00000000075FC000-memory.dmp

Filesize
624KB

Download
memory/2472-123-0x0000000009260000-0x000000000978C000-memory.dmp

Filesize
5.2MB

Download
memory/2472-115-0x0000000000410000-0x000000000089E000-memory.dmp

Filesize
4.6MB

Download
memory/2472-116-0x0000000000410000-0x000000000089E000-memory.dmp

Filesize
4.6MB

Download
memory/2836-125-0x0000000000000000-mapping.dmp

Download
memory/3588-133-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3588-139-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3588-135-0x000000000068A488-mapping.dmp

Download
memory/3892-138-0x00000000077B2000-0x00000000077B3000-memory.dmp

Filesize
4KB

Download
memory/3892-151-0x0000000007DF0000-0x0000000008418000-memory.dmp

Filesize
6.2MB

Download
memory/3892-131-0x0000000007900000-0x0000000007922000-memory.dmp

Filesize
136KB

Download
memory/3892-132-0x0000000007AA0000-0x0000000007B06000-memory.dmp

Filesize
408KB

Download
memory/3892-129-0x0000000004F90000-0x0000000004FC6000-memory.dmp

Filesize
216KB

Download
memory/3892-134-0x0000000007CF0000-0x0000000007D56000-memory.dmp

Filesize
408KB

Download
memory/3892-127-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/3892-137-0x0000000008420000-0x0000000008770000-memory.dmp

Filesize
3.3MB

Download
memory/3892-126-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/3892-124-0x0000000000000000-mapping.dmp

Download
memory/3892-136-0x00000000077B0000-0x00000000077B1000-memory.dmp

Filesize
4KB

Download
memory/3892-140-0x0000000007BC0000-0x0000000007BDC000-memory.dmp

Filesize
112KB

Download
memory/3892-141-0x0000000008CC0000-0x0000000008D0B000-memory.dmp

Filesize
300KB

Download
memory/3892-142-0x0000000008A10000-0x0000000008A86000-memory.dmp

Filesize
472KB

Download
memory/3892-143-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/3892-130-0x0000000007DF0000-0x0000000008418000-memory.dmp

Filesize
6.2MB

Download
memory/3892-152-0x0000000009B60000-0x0000000009B93000-memory.dmp

Filesize
204KB

Download
memory/3892-153-0x0000000009B60000-0x0000000009B93000-memory.dmp

Filesize
204KB

Download
memory/3892-154-0x0000000007900000-0x0000000007922000-memory.dmp

Filesize
136KB

Download
memory/3892-155-0x0000000007AA0000-0x0000000007B06000-memory.dmp

Filesize
408KB

Download
memory/3892-156-0x0000000007CF0000-0x0000000007D56000-memory.dmp

Filesize
408KB

Download
memory/3892-157-0x0000000008CC0000-0x0000000008D0B000-memory.dmp

Filesize
300KB

Download
memory/3892-158-0x0000000008A10000-0x0000000008A86000-memory.dmp

Filesize
472KB

Download
memory/3892-159-0x0000000009B40000-0x0000000009B5E000-memory.dmp

Filesize
120KB

Download
memory/3892-164-0x0000000009C90000-0x0000000009D35000-memory.dmp

Filesize
660KB

Download
memory/3892-165-0x0000000009E90000-0x0000000009F24000-memory.dmp

Filesize
592KB

Download
memory/3892-166-0x000000007F460000-0x000000007F461000-memory.dmp

Filesize
4KB

Download
memory/3892-167-0x00000000077B3000-0x00000000077B4000-memory.dmp

Filesize
4KB

Download
memory/3892-360-0x0000000009E20000-0x0000000009E3A000-memory.dmp

Filesize
104KB

Download
memory/3892-365-0x0000000009E20000-0x0000000009E3A000-memory.dmp

Filesize
104KB

Download
memory/3892-366-0x0000000009E10000-0x0000000009E18000-memory.dmp

Filesize
32KB

Download
memory/3892-371-0x0000000009E10000-0x0000000009E18000-memory.dmp

Filesize
32KB

Download

description	pid	process	target process
PID 2472 wrote to memory of 3892	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	powershell.exe
PID 2472 wrote to memory of 3892	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	powershell.exe
PID 2472 wrote to memory of 3892	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	powershell.exe
PID 2472 wrote to memory of 2836	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	schtasks.exe
PID 2472 wrote to memory of 2836	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	schtasks.exe
PID 2472 wrote to memory of 2836	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	schtasks.exe
PID 2472 wrote to memory of 672	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
PID 2472 wrote to memory of 672	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
PID 2472 wrote to memory of 672	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
PID 2472 wrote to memory of 692	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
PID 2472 wrote to memory of 692	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
PID 2472 wrote to memory of 692	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
PID 2472 wrote to memory of 2508	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
PID 2472 wrote to memory of 2508	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
PID 2472 wrote to memory of 2508	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
PID 2472 wrote to memory of 3588	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
PID 2472 wrote to memory of 3588	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
PID 2472 wrote to memory of 3588	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
PID 2472 wrote to memory of 3588	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
PID 2472 wrote to memory of 3588	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
PID 2472 wrote to memory of 3588	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
PID 2472 wrote to memory of 3588	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
PID 2472 wrote to memory of 3588	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
PID 2472 wrote to memory of 3588	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
PID 2472 wrote to memory of 3588	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe
PID 2472 wrote to memory of 3588	2472	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe	4dbfb66b1aca617e4af7d11dcc9d97b11e61e94b188283a8f17f9078df30dbec.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads