bitrat | 58004218b37d36f47da2c5946cac4693e9aea741a0b3a02b823862aec085454b

Analysis

max time kernel
122s
max time network
125s
platform
windows10_x64
resource
win10-en-20211208
submitted
06-01-2022 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2.1.exe
Size

2.1MB
MD5

8725525b3969fc1c1e01f8ec7eab1ed9
SHA1

0672c99376928faba1db5add67833606e0d73529
SHA256

58004218b37d36f47da2c5946cac4693e9aea741a0b3a02b823862aec085454b
SHA512

5f7b18430aee1e18ecf32eec5d825f7473258a715143df64c19ed703e011a7cf9da40815c4e2b4ea8677c1e6b97dfe0fd74079eaedd102ec2f801776c851cb85

Score

10^/10

bitrat evasion persistence suricata trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

severdops.ddns.net:3071

Attributes

communication_password
29ef52e7563626a96cea7f4b4085c124
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3200-166-0x0000000000400000-0x00000000007E5000-memory.dmp	upx
behavioral2/memory/3200-172-0x0000000000400000-0x00000000007E5000-memory.dmp	upx
behavioral2/memory/3200-180-0x0000000000400000-0x00000000007E5000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

2.1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	2.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	2.1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Resources\Themes\SHININESSESAAC\svchost.exe = "0"	2.1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\2.1.exe = "0"	2.1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2.1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\TALISMANSCBF = "C:\\Windows\\Resources\\Themes\\SHININESSESAAC\\svchost.exe"	2.1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

vbc.exe

pid process

3200 vbc.exe
3200 vbc.exe
3200 vbc.exe
3200 vbc.exe
3200 vbc.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

2.1.exe

description pid process target process

PID 2568 set thread context of 3200 2568 2.1.exe vbc.exe
Drops file in Windows directory 1 IoCs

Processes:

2.1.exe

description ioc process

File created C:\Windows\Resources\Themes\SHININESSESAAC\svchost.exe 2.1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3200	vbc.exe
3200	vbc.exe
3200	vbc.exe
3200	vbc.exe
3200	vbc.exe

description	pid	process	target process
PID 2568 set thread context of 3200	2568	2.1.exe	vbc.exe

description	ioc	process
File created	C:\Windows\Resources\Themes\SHININESSESAAC\svchost.exe	2.1.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

2.1.exepowershell.exepowershell.exepowershell.exe

pid	process
2568	2.1.exe
2568	2.1.exe
2568	2.1.exe
2568	2.1.exe
860	powershell.exe
4012	powershell.exe
1368	powershell.exe
4012	powershell.exe
860	powershell.exe
1368	powershell.exe
2568	2.1.exe
2568	2.1.exe
2568	2.1.exe
2568	2.1.exe
2568	2.1.exe
2568	2.1.exe
860	powershell.exe
4012	powershell.exe
1368	powershell.exe
2568	2.1.exe
2568	2.1.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

2.1.exepowershell.exepowershell.exepowershell.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	2568	2.1.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeShutdownPrivilege	3200	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vbc.exe

pid process

3200 vbc.exe
3200 vbc.exe

pid	process
3200	vbc.exe
3200	vbc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

2.1.exe

description	pid	process	target process
PID 2568 wrote to memory of 4012	2568	2.1.exe	powershell.exe
PID 2568 wrote to memory of 4012	2568	2.1.exe	powershell.exe
PID 2568 wrote to memory of 4012	2568	2.1.exe	powershell.exe
PID 2568 wrote to memory of 1368	2568	2.1.exe	powershell.exe
PID 2568 wrote to memory of 1368	2568	2.1.exe	powershell.exe
PID 2568 wrote to memory of 1368	2568	2.1.exe	powershell.exe
PID 2568 wrote to memory of 860	2568	2.1.exe	powershell.exe
PID 2568 wrote to memory of 860	2568	2.1.exe	powershell.exe
PID 2568 wrote to memory of 860	2568	2.1.exe	powershell.exe
PID 2568 wrote to memory of 1224	2568	2.1.exe	aspnet_state.exe
PID 2568 wrote to memory of 1224	2568	2.1.exe	aspnet_state.exe
PID 2568 wrote to memory of 1224	2568	2.1.exe	aspnet_state.exe
PID 2568 wrote to memory of 3200	2568	2.1.exe	vbc.exe
PID 2568 wrote to memory of 3200	2568	2.1.exe	vbc.exe
PID 2568 wrote to memory of 3200	2568	2.1.exe	vbc.exe
PID 2568 wrote to memory of 3200	2568	2.1.exe	vbc.exe
PID 2568 wrote to memory of 3200	2568	2.1.exe	vbc.exe
PID 2568 wrote to memory of 3200	2568	2.1.exe	vbc.exe
PID 2568 wrote to memory of 3200	2568	2.1.exe	vbc.exe
PID 2568 wrote to memory of 3200	2568	2.1.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\2.1.exe
"C:\Users\Admin\AppData\Local\Temp\2.1.exe"
1⤵
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\SHININESSESAAC\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\SHININESSESAAC\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2.1.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"
2⤵
PID:1224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5b30ca403086a3e84e51492b2d0b50cc

SHA1
268d944c58cd47da32b0e20cec6b17106e865a28

SHA256
a4330eef13c4702e5286c9178e60fcc8837bee4c6e4ed2efe5d27f27b63a3992

SHA512
c6876af39ce3051f51ded1229fa7c4de9c48b679f44f328180b145715455bb50c3204fae1cf6ca18d7042138c4c076332dbd08232cb7907b553b598fd7b530ae

Download Submit
memory/860-161-0x0000000007D60000-0x0000000007DAB000-memory.dmp

Filesize
300KB

Download
memory/860-211-0x0000000009090000-0x00000000090C3000-memory.dmp

Filesize
204KB

Download
memory/860-214-0x0000000006D30000-0x0000000006D52000-memory.dmp

Filesize
136KB

Download
memory/860-208-0x0000000009090000-0x00000000090C3000-memory.dmp

Filesize
204KB

Download
memory/860-205-0x0000000007060000-0x0000000007688000-memory.dmp

Filesize
6.2MB

Download
memory/860-176-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/860-170-0x00000000080E0000-0x0000000008156000-memory.dmp

Filesize
472KB

Download
memory/860-160-0x0000000007870000-0x000000000788C000-memory.dmp

Filesize
112KB

Download
memory/860-137-0x00000000044F0000-0x0000000004526000-memory.dmp

Filesize
216KB

Download
memory/860-159-0x0000000007960000-0x0000000007CB0000-memory.dmp

Filesize
3.3MB

Download
memory/860-127-0x0000000000000000-mapping.dmp

Download
memory/860-155-0x0000000007700000-0x0000000007766000-memory.dmp

Filesize
408KB

Download
memory/860-153-0x0000000006FD0000-0x0000000007036000-memory.dmp

Filesize
408KB

Download
memory/860-148-0x0000000006D30000-0x0000000006D52000-memory.dmp

Filesize
136KB

Download
memory/860-133-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/860-136-0x00000000045F0000-0x00000000045F1000-memory.dmp

Filesize
4KB

Download
memory/860-134-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/860-140-0x00000000045F2000-0x00000000045F3000-memory.dmp

Filesize
4KB

Download
memory/860-146-0x0000000007060000-0x0000000007688000-memory.dmp

Filesize
6.2MB

Download
memory/1368-156-0x0000000008140000-0x00000000081A6000-memory.dmp

Filesize
408KB

Download
memory/1368-200-0x0000000007960000-0x0000000007F88000-memory.dmp

Filesize
6.2MB

Download
memory/1368-141-0x0000000004FA0000-0x0000000004FD6000-memory.dmp

Filesize
216KB

Download
memory/1368-162-0x0000000008660000-0x000000000867C000-memory.dmp

Filesize
112KB

Download
memory/1368-164-0x0000000008CB0000-0x0000000008CFB000-memory.dmp

Filesize
300KB

Download
memory/1368-144-0x0000000007960000-0x0000000007F88000-memory.dmp

Filesize
6.2MB

Download
memory/1368-204-0x0000000009B50000-0x0000000009B83000-memory.dmp

Filesize
204KB

Download
memory/1368-129-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/1368-174-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/1368-173-0x0000000008A60000-0x0000000008AD6000-memory.dmp

Filesize
472KB

Download
memory/1368-138-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/1368-147-0x0000000004F92000-0x0000000004F93000-memory.dmp

Filesize
4KB

Download
memory/1368-202-0x0000000009B50000-0x0000000009B83000-memory.dmp

Filesize
204KB

Download
memory/1368-132-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/1368-149-0x00000000078C0000-0x00000000078E2000-memory.dmp

Filesize
136KB

Download
memory/1368-151-0x0000000008090000-0x00000000080F6000-memory.dmp

Filesize
408KB

Download
memory/1368-213-0x0000000008140000-0x00000000081A6000-memory.dmp

Filesize
408KB

Download
memory/1368-210-0x0000000008090000-0x00000000080F6000-memory.dmp

Filesize
408KB

Download
memory/1368-207-0x00000000078C0000-0x00000000078E2000-memory.dmp

Filesize
136KB

Download
memory/1368-126-0x0000000000000000-mapping.dmp

Download
memory/1368-157-0x00000000082E0000-0x0000000008630000-memory.dmp

Filesize
3.3MB

Download
memory/2568-120-0x0000000002700000-0x0000000002708000-memory.dmp

Filesize
32KB

Download
memory/2568-115-0x0000000000100000-0x0000000000326000-memory.dmp

Filesize
2.1MB

Download
memory/2568-121-0x0000000005FB0000-0x00000000061BA000-memory.dmp

Filesize
2.0MB

Download
memory/2568-119-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2568-131-0x0000000007630000-0x00000000076C2000-memory.dmp

Filesize
584KB

Download
memory/2568-124-0x0000000007980000-0x0000000007E7E000-memory.dmp

Filesize
5.0MB

Download
memory/2568-118-0x0000000000C20000-0x0000000000C28000-memory.dmp

Filesize
32KB

Download
memory/2568-117-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

Filesize
32KB

Download
memory/2568-143-0x00000000075F0000-0x00000000075FA000-memory.dmp

Filesize
40KB

Download
memory/2568-122-0x0000000004C50000-0x0000000004CA6000-memory.dmp

Filesize
344KB

Download
memory/2568-116-0x0000000004CE0000-0x0000000004D7C000-memory.dmp

Filesize
624KB

Download
memory/2568-123-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/3200-168-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/3200-180-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/3200-172-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/3200-169-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/3200-167-0x00000000007E2730-mapping.dmp

Download
memory/3200-166-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/4012-128-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/4012-152-0x00000000077C0000-0x0000000007826000-memory.dmp

Filesize
408KB

Download
memory/4012-175-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/4012-199-0x0000000007090000-0x00000000076B8000-memory.dmp

Filesize
6.2MB

Download
memory/4012-163-0x00000000078E0000-0x00000000078FC000-memory.dmp

Filesize
112KB

Download
memory/4012-125-0x0000000000000000-mapping.dmp

Download
memory/4012-203-0x0000000009000000-0x0000000009033000-memory.dmp

Filesize
204KB

Download
memory/4012-158-0x0000000007A10000-0x0000000007D60000-memory.dmp

Filesize
3.3MB

Download
memory/4012-154-0x0000000007830000-0x0000000007896000-memory.dmp

Filesize
408KB

Download
memory/4012-171-0x0000000008130000-0x00000000081A6000-memory.dmp

Filesize
472KB

Download
memory/4012-206-0x0000000006FA0000-0x0000000006FC2000-memory.dmp

Filesize
136KB

Download
memory/4012-165-0x0000000008350000-0x000000000839B000-memory.dmp

Filesize
300KB

Download
memory/4012-212-0x0000000007830000-0x0000000007896000-memory.dmp

Filesize
408KB

Download
memory/4012-216-0x0000000008350000-0x000000000839B000-memory.dmp

Filesize
300KB

Download
memory/4012-130-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/4012-215-0x000000007F6B0000-0x000000007F6B1000-memory.dmp

Filesize
4KB

Download
memory/4012-150-0x0000000006FA0000-0x0000000006FC2000-memory.dmp

Filesize
136KB

Download
memory/4012-209-0x00000000077C0000-0x0000000007826000-memory.dmp

Filesize
408KB

Download
memory/4012-139-0x00000000069D0000-0x0000000006A06000-memory.dmp

Filesize
216KB

Download
memory/4012-135-0x0000000006A50000-0x0000000006A51000-memory.dmp

Filesize
4KB

Download
memory/4012-201-0x0000000009000000-0x0000000009033000-memory.dmp

Filesize
204KB

Download
memory/4012-142-0x0000000007090000-0x00000000076B8000-memory.dmp

Filesize
6.2MB

Download
memory/4012-145-0x0000000006A52000-0x0000000006A53000-memory.dmp

Filesize
4KB

Download