bitrat | 1df11ec4ef8cfeda563e1103d5e0cdc4ed10601b37e0ea9f93be82433ab68c72

General

Target

2.exe
Size

785KB
MD5

751cfacd6de472704d072d56cd27769e
SHA1

733fd283e27fedb060e4b841f4737a28ba126600
SHA256

1df11ec4ef8cfeda563e1103d5e0cdc4ed10601b37e0ea9f93be82433ab68c72
SHA512

b036ad1a18b920fe56686d6a8b699286dc646bf992823617b73b1f7bae7197ffe1ebc80999a861cab92bf97fcb6855cdcef061d8bf5a27631179b467ffec2d39

Score

10^/10

bitrat evasion persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

severdops.ddns.net:3071

Attributes

communication_password
29ef52e7563626a96cea7f4b4085c124
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

rkF4alM9xO3IvYKF.exe

pid process

1968 rkF4alM9xO3IvYKF.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1936-95-0x0000000000400000-0x00000000007E5000-memory.dmp	upx
behavioral1/memory/1936-96-0x0000000000400000-0x00000000007E5000-memory.dmp	upx
behavioral1/memory/1936-97-0x0000000000400000-0x00000000007E5000-memory.dmp	upx
behavioral1/memory/1936-101-0x0000000000400000-0x00000000007E5000-memory.dmp	upx
behavioral1/memory/1936-98-0x0000000000400000-0x00000000007E5000-memory.dmp	upx
behavioral1/memory/1936-103-0x0000000000400000-0x00000000007E5000-memory.dmp	upx

Loads dropped DLL 5 IoCs

Processes:

2.exe

pid process

108 2.exe
108 2.exe
108 2.exe
108 2.exe
108 2.exe

pid	process
108	2.exe
108	2.exe
108	2.exe
108	2.exe
108	2.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

rkF4alM9xO3IvYKF.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	rkF4alM9xO3IvYKF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	rkF4alM9xO3IvYKF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Resources\Themes\SHININESSESAAC\svchost.exe = "0"	rkF4alM9xO3IvYKF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\rkF4alM9xO3IvYKF.exe = "0"	rkF4alM9xO3IvYKF.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rkF4alM9xO3IvYKF.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\TALISMANSCBF = "C:\\Windows\\Resources\\Themes\\SHININESSESAAC\\svchost.exe"	rkF4alM9xO3IvYKF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\TALISMANSCBF = "C:\\Windows\\Resources\\Themes\\SHININESSESAAC\\svchost.exe"	rkF4alM9xO3IvYKF.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

ServiceModelReg.exe

pid process

1936 ServiceModelReg.exe
1936 ServiceModelReg.exe
1936 ServiceModelReg.exe
1936 ServiceModelReg.exe
1936 ServiceModelReg.exe

pid	process
1936	ServiceModelReg.exe
1936	ServiceModelReg.exe
1936	ServiceModelReg.exe
1936	ServiceModelReg.exe
1936	ServiceModelReg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2.exerkF4alM9xO3IvYKF.exe

description	pid	process	target process
PID 1932 set thread context of 108	1932	2.exe	2.exe
PID 1968 set thread context of 1936	1968	rkF4alM9xO3IvYKF.exe	ServiceModelReg.exe

Drops file in Windows directory 2 IoCs

Processes:

rkF4alM9xO3IvYKF.exe

description	ioc	process
File created	C:\Windows\Resources\Themes\SHININESSESAAC\svchost.exe	rkF4alM9xO3IvYKF.exe
File opened for modification	C:\Windows\Resources\Themes\SHININESSESAAC	rkF4alM9xO3IvYKF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

rkF4alM9xO3IvYKF.exepowershell.exepowershell.exepowershell.exe

pid	process
1968	rkF4alM9xO3IvYKF.exe
1968	rkF4alM9xO3IvYKF.exe
1968	rkF4alM9xO3IvYKF.exe
1968	rkF4alM9xO3IvYKF.exe
1968	rkF4alM9xO3IvYKF.exe
1968	rkF4alM9xO3IvYKF.exe
1968	rkF4alM9xO3IvYKF.exe
1968	rkF4alM9xO3IvYKF.exe
916	powershell.exe
1748	powershell.exe
920	powershell.exe
1968	rkF4alM9xO3IvYKF.exe
1968	rkF4alM9xO3IvYKF.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

rkF4alM9xO3IvYKF.exepowershell.exepowershell.exepowershell.exeServiceModelReg.exe

description	pid	process
Token: SeDebugPrivilege	1968	rkF4alM9xO3IvYKF.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	1936	ServiceModelReg.exe
Token: SeShutdownPrivilege	1936	ServiceModelReg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ServiceModelReg.exe

pid process

1936 ServiceModelReg.exe
1936 ServiceModelReg.exe

pid	process
1936	ServiceModelReg.exe
1936	ServiceModelReg.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

2.exe2.exerkF4alM9xO3IvYKF.exe

description	pid	process	target process
PID 1932 wrote to memory of 108	1932	2.exe	2.exe
PID 1932 wrote to memory of 108	1932	2.exe	2.exe
PID 1932 wrote to memory of 108	1932	2.exe	2.exe
PID 1932 wrote to memory of 108	1932	2.exe	2.exe
PID 1932 wrote to memory of 108	1932	2.exe	2.exe
PID 1932 wrote to memory of 108	1932	2.exe	2.exe
PID 1932 wrote to memory of 108	1932	2.exe	2.exe
PID 1932 wrote to memory of 108	1932	2.exe	2.exe
PID 1932 wrote to memory of 108	1932	2.exe	2.exe
PID 1932 wrote to memory of 108	1932	2.exe	2.exe
PID 1932 wrote to memory of 108	1932	2.exe	2.exe
PID 1932 wrote to memory of 108	1932	2.exe	2.exe
PID 108 wrote to memory of 1968	108	2.exe	rkF4alM9xO3IvYKF.exe
PID 108 wrote to memory of 1968	108	2.exe	rkF4alM9xO3IvYKF.exe
PID 108 wrote to memory of 1968	108	2.exe	rkF4alM9xO3IvYKF.exe
PID 108 wrote to memory of 1968	108	2.exe	rkF4alM9xO3IvYKF.exe
PID 1968 wrote to memory of 1748	1968	rkF4alM9xO3IvYKF.exe	powershell.exe
PID 1968 wrote to memory of 1748	1968	rkF4alM9xO3IvYKF.exe	powershell.exe
PID 1968 wrote to memory of 1748	1968	rkF4alM9xO3IvYKF.exe	powershell.exe
PID 1968 wrote to memory of 1748	1968	rkF4alM9xO3IvYKF.exe	powershell.exe
PID 1968 wrote to memory of 920	1968	rkF4alM9xO3IvYKF.exe	powershell.exe
PID 1968 wrote to memory of 920	1968	rkF4alM9xO3IvYKF.exe	powershell.exe
PID 1968 wrote to memory of 920	1968	rkF4alM9xO3IvYKF.exe	powershell.exe
PID 1968 wrote to memory of 920	1968	rkF4alM9xO3IvYKF.exe	powershell.exe
PID 1968 wrote to memory of 916	1968	rkF4alM9xO3IvYKF.exe	powershell.exe
PID 1968 wrote to memory of 916	1968	rkF4alM9xO3IvYKF.exe	powershell.exe
PID 1968 wrote to memory of 916	1968	rkF4alM9xO3IvYKF.exe	powershell.exe
PID 1968 wrote to memory of 916	1968	rkF4alM9xO3IvYKF.exe	powershell.exe
PID 1968 wrote to memory of 1936	1968	rkF4alM9xO3IvYKF.exe	ServiceModelReg.exe
PID 1968 wrote to memory of 1936	1968	rkF4alM9xO3IvYKF.exe	ServiceModelReg.exe
PID 1968 wrote to memory of 1936	1968	rkF4alM9xO3IvYKF.exe	ServiceModelReg.exe
PID 1968 wrote to memory of 1936	1968	rkF4alM9xO3IvYKF.exe	ServiceModelReg.exe
PID 1968 wrote to memory of 1936	1968	rkF4alM9xO3IvYKF.exe	ServiceModelReg.exe
PID 1968 wrote to memory of 1936	1968	rkF4alM9xO3IvYKF.exe	ServiceModelReg.exe
PID 1968 wrote to memory of 1936	1968	rkF4alM9xO3IvYKF.exe	ServiceModelReg.exe
PID 1968 wrote to memory of 1936	1968	rkF4alM9xO3IvYKF.exe	ServiceModelReg.exe
PID 1968 wrote to memory of 1936	1968	rkF4alM9xO3IvYKF.exe	ServiceModelReg.exe
PID 1968 wrote to memory of 1936	1968	rkF4alM9xO3IvYKF.exe	ServiceModelReg.exe
PID 1968 wrote to memory of 1936	1968	rkF4alM9xO3IvYKF.exe	ServiceModelReg.exe
PID 1968 wrote to memory of 1936	1968	rkF4alM9xO3IvYKF.exe	ServiceModelReg.exe

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:108

C:\Users\Admin\AppData\Local\Temp\rkF4alM9xO3IvYKF.exe
"C:\Users\Admin\AppData\Local\Temp\rkF4alM9xO3IvYKF.exe"
3⤵
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\SHININESSESAAC\svchost.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\SHININESSESAAC\svchost.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\rkF4alM9xO3IvYKF.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"
4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rkF4alM9xO3IvYKF.exe
MD5
8725525b3969fc1c1e01f8ec7eab1ed9

SHA1
0672c99376928faba1db5add67833606e0d73529

SHA256
58004218b37d36f47da2c5946cac4693e9aea741a0b3a02b823862aec085454b

SHA512
5f7b18430aee1e18ecf32eec5d825f7473258a715143df64c19ed703e011a7cf9da40815c4e2b4ea8677c1e6b97dfe0fd74079eaedd102ec2f801776c851cb85

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkF4alM9xO3IvYKF.exe
MD5
8725525b3969fc1c1e01f8ec7eab1ed9

SHA1
0672c99376928faba1db5add67833606e0d73529

SHA256
58004218b37d36f47da2c5946cac4693e9aea741a0b3a02b823862aec085454b

SHA512
5f7b18430aee1e18ecf32eec5d825f7473258a715143df64c19ed703e011a7cf9da40815c4e2b4ea8677c1e6b97dfe0fd74079eaedd102ec2f801776c851cb85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
a58a6d5b117cd64d3c7e3b7d86eb4ec6

SHA1
88e87edf7df5604a3b404b0826055f45dcd139e9

SHA256
b5df54907ca49c7689c593089ea2205c62726c32cd41dcaa31cdcd4c1a880c5f

SHA512
6364db98f2e2d708898b0306308db6151588991453d894ada83a4571552e1d8891983ced5e1b91e31a9cdb784c1305467649064c64e11a754192e5b3ce27432b

Download Submit
\Users\Admin\AppData\Local\Temp\rkF4alM9xO3IvYKF.exe
MD5
8725525b3969fc1c1e01f8ec7eab1ed9

SHA1
0672c99376928faba1db5add67833606e0d73529

SHA256
58004218b37d36f47da2c5946cac4693e9aea741a0b3a02b823862aec085454b

SHA512
5f7b18430aee1e18ecf32eec5d825f7473258a715143df64c19ed703e011a7cf9da40815c4e2b4ea8677c1e6b97dfe0fd74079eaedd102ec2f801776c851cb85

Download Submit
\Users\Admin\AppData\Local\Temp\rkF4alM9xO3IvYKF.exe
MD5
8725525b3969fc1c1e01f8ec7eab1ed9

SHA1
0672c99376928faba1db5add67833606e0d73529

SHA256
58004218b37d36f47da2c5946cac4693e9aea741a0b3a02b823862aec085454b

SHA512
5f7b18430aee1e18ecf32eec5d825f7473258a715143df64c19ed703e011a7cf9da40815c4e2b4ea8677c1e6b97dfe0fd74079eaedd102ec2f801776c851cb85

Download Submit
\Users\Admin\AppData\Local\Temp\rkF4alM9xO3IvYKF.exe
MD5
8725525b3969fc1c1e01f8ec7eab1ed9

SHA1
0672c99376928faba1db5add67833606e0d73529

SHA256
58004218b37d36f47da2c5946cac4693e9aea741a0b3a02b823862aec085454b

SHA512
5f7b18430aee1e18ecf32eec5d825f7473258a715143df64c19ed703e011a7cf9da40815c4e2b4ea8677c1e6b97dfe0fd74079eaedd102ec2f801776c851cb85

Download Submit
\Users\Admin\AppData\Local\Temp\rkF4alM9xO3IvYKF.exe
MD5
8725525b3969fc1c1e01f8ec7eab1ed9

SHA1
0672c99376928faba1db5add67833606e0d73529

SHA256
58004218b37d36f47da2c5946cac4693e9aea741a0b3a02b823862aec085454b

SHA512
5f7b18430aee1e18ecf32eec5d825f7473258a715143df64c19ed703e011a7cf9da40815c4e2b4ea8677c1e6b97dfe0fd74079eaedd102ec2f801776c851cb85

Download Submit
\Users\Admin\AppData\Local\Temp\rkF4alM9xO3IvYKF.exe
MD5
8725525b3969fc1c1e01f8ec7eab1ed9

SHA1
0672c99376928faba1db5add67833606e0d73529

SHA256
58004218b37d36f47da2c5946cac4693e9aea741a0b3a02b823862aec085454b

SHA512
5f7b18430aee1e18ecf32eec5d825f7473258a715143df64c19ed703e011a7cf9da40815c4e2b4ea8677c1e6b97dfe0fd74079eaedd102ec2f801776c851cb85

Download Submit
memory/108-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/108-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/108-65-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/108-66-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/108-67-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/108-69-0x000000000040AE9E-mapping.dmp

Download
memory/108-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/108-61-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/108-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/108-62-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/916-108-0x00000000025D2000-0x00000000025D4000-memory.dmp

Filesize
8KB

Download
memory/916-100-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/916-89-0x0000000000000000-mapping.dmp

Download
memory/916-107-0x00000000025D1000-0x00000000025D2000-memory.dmp

Filesize
4KB

Download
memory/920-111-0x00000000023A0000-0x0000000002FEA000-memory.dmp

Filesize
12.3MB

Download
memory/920-88-0x0000000000000000-mapping.dmp

Download
memory/920-110-0x00000000023A0000-0x0000000002FEA000-memory.dmp

Filesize
12.3MB

Download
memory/920-105-0x00000000023A0000-0x0000000002FEA000-memory.dmp

Filesize
12.3MB

Download
memory/1748-106-0x0000000000211000-0x0000000000212000-memory.dmp

Filesize
4KB

Download
memory/1748-109-0x0000000000212000-0x0000000000214000-memory.dmp

Filesize
8KB

Download
memory/1748-104-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1748-87-0x0000000000000000-mapping.dmp

Download
memory/1932-58-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/1932-55-0x00000000002D0000-0x000000000039A000-memory.dmp

Filesize
808KB

Download
memory/1932-57-0x0000000076511000-0x0000000076513000-memory.dmp

Filesize
8KB

Download
memory/1932-59-0x0000000002040000-0x000000000204C000-memory.dmp

Filesize
48KB

Download
memory/1932-56-0x00000000002D0000-0x000000000039A000-memory.dmp

Filesize
808KB

Download
memory/1932-60-0x0000000005D90000-0x0000000005E06000-memory.dmp

Filesize
472KB

Download
memory/1936-99-0x00000000007E2730-mapping.dmp

Download
memory/1936-96-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/1936-97-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/1936-95-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/1936-101-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/1936-94-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/1936-98-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/1936-103-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/1968-86-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/1968-85-0x00000000004E0000-0x0000000000536000-memory.dmp

Filesize
344KB

Download
memory/1968-84-0x0000000006140000-0x000000000634A000-memory.dmp

Filesize
2.0MB

Download
memory/1968-82-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download
memory/1968-83-0x0000000000290000-0x0000000000298000-memory.dmp

Filesize
32KB

Download
memory/1968-81-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download
memory/1968-80-0x00000000002B0000-0x00000000004D6000-memory.dmp

Filesize
2.1MB

Download
memory/1968-77-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads