bitrat | bb8298b28cd913814c41d7b6a878b8e2a2da7eb34083c901a5408413fed93b45

General

Target

9401cf9f73dfb187bf4cef05d8cfe72b.exe
Size

2.2MB
MD5

9401cf9f73dfb187bf4cef05d8cfe72b
SHA1

4af6544d8c94bb673f826a0ba4d24698150b1089
SHA256

bb8298b28cd913814c41d7b6a878b8e2a2da7eb34083c901a5408413fed93b45
SHA512

8438c79aa1ac9779bdab11a3f46f174aad97a7bc2fd1f571d42ef8817dc8477b68468be7445c789d125c1b8749338e047e20301d0a11b9e52dacf947abb65dd4

Score

10^/10

bitrat evasion persistence suricata trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

severdops.ddns.net:3071

Attributes

communication_password
29ef52e7563626a96cea7f4b4085c124
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/980-72-0x0000000000400000-0x00000000007E5000-memory.dmp	upx
behavioral1/memory/980-73-0x0000000000400000-0x00000000007E5000-memory.dmp	upx
behavioral1/memory/980-74-0x0000000000400000-0x00000000007E5000-memory.dmp	upx
behavioral1/memory/980-75-0x0000000000400000-0x00000000007E5000-memory.dmp	upx
behavioral1/memory/980-79-0x0000000000400000-0x00000000007E5000-memory.dmp	upx
behavioral1/memory/980-81-0x0000000000400000-0x00000000007E5000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9401cf9f73dfb187bf4cef05d8cfe72b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9401cf9f73dfb187bf4cef05d8cfe72b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9401cf9f73dfb187bf4cef05d8cfe72b.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

9401cf9f73dfb187bf4cef05d8cfe72b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	9401cf9f73dfb187bf4cef05d8cfe72b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	9401cf9f73dfb187bf4cef05d8cfe72b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\TATTOOISTSEAB\svchost.exe = "0"	9401cf9f73dfb187bf4cef05d8cfe72b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\9401cf9f73dfb187bf4cef05d8cfe72b.exe = "0"	9401cf9f73dfb187bf4cef05d8cfe72b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9401cf9f73dfb187bf4cef05d8cfe72b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\WAISTERSFDC = "C:\\Users\\Public\\Documents\\TATTOOISTSEAB\\svchost.exe"	9401cf9f73dfb187bf4cef05d8cfe72b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\WAISTERSFDC = "C:\\Users\\Public\\Documents\\TATTOOISTSEAB\\svchost.exe"	9401cf9f73dfb187bf4cef05d8cfe72b.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

9401cf9f73dfb187bf4cef05d8cfe72b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	9401cf9f73dfb187bf4cef05d8cfe72b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	9401cf9f73dfb187bf4cef05d8cfe72b.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

aspnet_wp.exe

pid process

980 aspnet_wp.exe
980 aspnet_wp.exe
980 aspnet_wp.exe
980 aspnet_wp.exe
980 aspnet_wp.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

9401cf9f73dfb187bf4cef05d8cfe72b.exe

description pid process target process

PID 1636 set thread context of 980 1636 9401cf9f73dfb187bf4cef05d8cfe72b.exe aspnet_wp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
980	aspnet_wp.exe
980	aspnet_wp.exe
980	aspnet_wp.exe
980	aspnet_wp.exe
980	aspnet_wp.exe

description	pid	process	target process
PID 1636 set thread context of 980	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	aspnet_wp.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

9401cf9f73dfb187bf4cef05d8cfe72b.exepowershell.exepowershell.exepowershell.exe

pid	process
1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe
1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe
1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe
1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe
1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe
1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe
1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe
1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe
400	powershell.exe
1396	powershell.exe
840	powershell.exe
1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe
1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

9401cf9f73dfb187bf4cef05d8cfe72b.exepowershell.exepowershell.exepowershell.exeaspnet_wp.exe

description	pid	process
Token: SeDebugPrivilege	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	980	aspnet_wp.exe
Token: SeShutdownPrivilege	980	aspnet_wp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

aspnet_wp.exe

pid process

980 aspnet_wp.exe
980 aspnet_wp.exe

pid	process
980	aspnet_wp.exe
980	aspnet_wp.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

9401cf9f73dfb187bf4cef05d8cfe72b.exe

description	pid	process	target process
PID 1636 wrote to memory of 840	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	powershell.exe
PID 1636 wrote to memory of 840	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	powershell.exe
PID 1636 wrote to memory of 840	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	powershell.exe
PID 1636 wrote to memory of 840	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	powershell.exe
PID 1636 wrote to memory of 1396	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	powershell.exe
PID 1636 wrote to memory of 1396	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	powershell.exe
PID 1636 wrote to memory of 1396	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	powershell.exe
PID 1636 wrote to memory of 1396	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	powershell.exe
PID 1636 wrote to memory of 400	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	powershell.exe
PID 1636 wrote to memory of 400	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	powershell.exe
PID 1636 wrote to memory of 400	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	powershell.exe
PID 1636 wrote to memory of 400	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	powershell.exe
PID 1636 wrote to memory of 1580	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	aspnet_state.exe
PID 1636 wrote to memory of 1580	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	aspnet_state.exe
PID 1636 wrote to memory of 1580	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	aspnet_state.exe
PID 1636 wrote to memory of 1580	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	aspnet_state.exe
PID 1636 wrote to memory of 980	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	aspnet_wp.exe
PID 1636 wrote to memory of 980	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	aspnet_wp.exe
PID 1636 wrote to memory of 980	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	aspnet_wp.exe
PID 1636 wrote to memory of 980	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	aspnet_wp.exe
PID 1636 wrote to memory of 980	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	aspnet_wp.exe
PID 1636 wrote to memory of 980	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	aspnet_wp.exe
PID 1636 wrote to memory of 980	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	aspnet_wp.exe
PID 1636 wrote to memory of 980	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	aspnet_wp.exe
PID 1636 wrote to memory of 980	1636	9401cf9f73dfb187bf4cef05d8cfe72b.exe	aspnet_wp.exe

C:\Users\Admin\AppData\Local\Temp\9401cf9f73dfb187bf4cef05d8cfe72b.exe
"C:\Users\Admin\AppData\Local\Temp\9401cf9f73dfb187bf4cef05d8cfe72b.exe"
1⤵
- Checks BIOS information in registry
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\TATTOOISTSEAB\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\TATTOOISTSEAB\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9401cf9f73dfb187bf4cef05d8cfe72b.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"
2⤵
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

3

T1112

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
2aa07dcfa3a8ed243e15733dd2a5ad25

SHA1
3a595f0eb570341e61f7914f97077ae321d3a900

SHA256
154b0852c9fa45e9de60bc793fc059d22af5a4ad307ec16bce069035cae7e304

SHA512
a324103b2fcada038580dd2221813a27cfa71a60dca69f19c2fff97c1678be0a32e3d96f34b5f5bf5114ace8b6b6bdd81bbca98574e1cf980707a98f6b0086f8

Download Submit
memory/400-63-0x0000000000000000-mapping.dmp

Download
memory/400-84-0x00000000022A2000-0x00000000022A4000-memory.dmp

Filesize
8KB

Download
memory/400-78-0x00000000022A1000-0x00000000022A2000-memory.dmp

Filesize
4KB

Download
memory/400-69-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/840-70-0x00000000024C0000-0x000000000310A000-memory.dmp

Filesize
12.3MB

Download
memory/840-64-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/840-61-0x0000000000000000-mapping.dmp

Download
memory/840-85-0x00000000024C0000-0x000000000310A000-memory.dmp

Filesize
12.3MB

Download
memory/840-83-0x00000000024C0000-0x000000000310A000-memory.dmp

Filesize
12.3MB

Download
memory/980-79-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/980-75-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/980-81-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/980-76-0x00000000007E2730-mapping.dmp

Download
memory/980-74-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/980-71-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/980-72-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/980-73-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/1396-77-0x0000000002011000-0x0000000002012000-memory.dmp

Filesize
4KB

Download
memory/1396-68-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/1396-82-0x0000000002012000-0x0000000002014000-memory.dmp

Filesize
8KB

Download
memory/1396-62-0x0000000000000000-mapping.dmp

Download
memory/1636-54-0x0000000000200000-0x000000000043C000-memory.dmp

Filesize
2.2MB

Download
memory/1636-58-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/1636-56-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/1636-60-0x0000000000950000-0x00000000009E4000-memory.dmp

Filesize
592KB

Download
memory/1636-57-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/1636-59-0x0000000006030000-0x000000000623C000-memory.dmp

Filesize
2.0MB

Download
memory/1636-55-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads