bitrat | cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9

General

Target

cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe
Size

1.9MB
MD5

a65b75567794b4d9f2558c672bd07dd5
SHA1

e217c9fde4b32680a11adf2200e673519f595bd3
SHA256

cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9
SHA512

4388fc585cd542df150f427b2d7b4bea03de0cd51ce634dea5935215582990b55546f3e39ae172a6c142b0b96d83a659a6b14a336a622978c5d0a9de23062ccb

Score

10^/10

bitrat persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

severdops.ddns.net:3071

Attributes

communication_password
29ef52e7563626a96cea7f4b4085c124
install_dir
msWORLD
install_file
excel.exe
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2760-120-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2760-122-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2760-123-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aspnet_compiler.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\excel = "C:\\Users\\Admin\\AppData\\Local\\msWORLD\\excel.exe\uff00"	aspnet_compiler.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

aspnet_compiler.exe

pid process

2760 aspnet_compiler.exe
2760 aspnet_compiler.exe
2760 aspnet_compiler.exe
2760 aspnet_compiler.exe
2760 aspnet_compiler.exe

pid	process
2760	aspnet_compiler.exe
2760	aspnet_compiler.exe
2760	aspnet_compiler.exe
2760	aspnet_compiler.exe
2760	aspnet_compiler.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe

description	pid	process	target process
PID 2340 set thread context of 2760	2340	cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exeaspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	2340	cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe
Token: SeShutdownPrivilege	2760	aspnet_compiler.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

aspnet_compiler.exe

pid process

2760 aspnet_compiler.exe
2760 aspnet_compiler.exe

pid	process
2760	aspnet_compiler.exe
2760	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe

description	pid	process	target process
PID 2340 wrote to memory of 2760	2340	cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe	aspnet_compiler.exe
PID 2340 wrote to memory of 2760	2340	cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe	aspnet_compiler.exe
PID 2340 wrote to memory of 2760	2340	cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe	aspnet_compiler.exe
PID 2340 wrote to memory of 2760	2340	cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe	aspnet_compiler.exe
PID 2340 wrote to memory of 2760	2340	cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe	aspnet_compiler.exe
PID 2340 wrote to memory of 2760	2340	cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe	aspnet_compiler.exe
PID 2340 wrote to memory of 2760	2340	cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe	aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe
"C:\Users\Admin\AppData\Local\Temp\cc7d7321cd0e93fb312ea39c0124256fa60b3335cd6632ec0e83ffb4bf2b3dc9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2340-115-0x00000000008F0000-0x0000000000AE2000-memory.dmp

Filesize
1.9MB

Download
memory/2340-116-0x00000000008F0000-0x0000000000AE2000-memory.dmp

Filesize
1.9MB

Download
memory/2340-117-0x000000001B820000-0x000000001B822000-memory.dmp

Filesize
8KB

Download
memory/2340-118-0x000000001B830000-0x000000001BA1E000-memory.dmp

Filesize
1.9MB

Download
memory/2340-119-0x0000000000F10000-0x0000000000F1E000-memory.dmp

Filesize
56KB

Download
memory/2760-120-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2760-121-0x00000000007E2750-mapping.dmp

Download
memory/2760-122-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2760-123-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads