bitrat | 973926297abfda903b9b6ef303f7b0b6c7eddb184f9f26563a5adea43915ce8d

General

Target

e-transfer.exe
Size

300.0MB
MD5

affebb601f181b9c290753caae06050a
SHA1

64942ee5d84b1a2262d02a1dd0ae1aa6e8b66486
SHA256

e2ce88575e964545d834e0bae841ec554b02fa4a290e645e19cb7556123bb49e
SHA512

3870beafddb9972863a2b0d74eeded9bd21eb3b8c13563808754927ce3a29579adad56e7eb3bc37b4777cb16caea0d9d5d233b01432aa42fe0c5ecafc3c025b2

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

yakbitpeople.duckdns.org:9175

Attributes

communication_password
827ccb0eea8a706c4c34a16891f84e7b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 1 IoCs

Processes:

YAKBITT.exe

pid process

1156 YAKBITT.exe

pid	process
1156	YAKBITT.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1048-58-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1048-59-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1048-60-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1048-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1048-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

RegAsm.exe

pid process

1048 RegAsm.exe
1048 RegAsm.exe
1048 RegAsm.exe
1048 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

e-transfer.exe

description pid process target process

PID 756 set thread context of 1048 756 e-transfer.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1656 schtasks.exe

pid	process
1048	RegAsm.exe
1048	RegAsm.exe
1048	RegAsm.exe
1048	RegAsm.exe

description	pid	process	target process
PID 756 set thread context of 1048	756	e-transfer.exe	RegAsm.exe

pid	process
1656	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

e-transfer.exeRegAsm.exeYAKBITT.exe

description	pid	process
Token: SeDebugPrivilege	756	e-transfer.exe
Token: SeDebugPrivilege	1048	RegAsm.exe
Token: SeShutdownPrivilege	1048	RegAsm.exe
Token: SeDebugPrivilege	1156	YAKBITT.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

1048 RegAsm.exe
1048 RegAsm.exe

pid	process
1048	RegAsm.exe
1048	RegAsm.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

e-transfer.execmd.exetaskeng.exe

description	pid	process	target process
PID 756 wrote to memory of 1048	756	e-transfer.exe	RegAsm.exe
PID 756 wrote to memory of 1048	756	e-transfer.exe	RegAsm.exe
PID 756 wrote to memory of 1048	756	e-transfer.exe	RegAsm.exe
PID 756 wrote to memory of 1048	756	e-transfer.exe	RegAsm.exe
PID 756 wrote to memory of 1048	756	e-transfer.exe	RegAsm.exe
PID 756 wrote to memory of 1048	756	e-transfer.exe	RegAsm.exe
PID 756 wrote to memory of 1048	756	e-transfer.exe	RegAsm.exe
PID 756 wrote to memory of 1048	756	e-transfer.exe	RegAsm.exe
PID 756 wrote to memory of 1048	756	e-transfer.exe	RegAsm.exe
PID 756 wrote to memory of 1048	756	e-transfer.exe	RegAsm.exe
PID 756 wrote to memory of 1048	756	e-transfer.exe	RegAsm.exe
PID 756 wrote to memory of 1360	756	e-transfer.exe	cmd.exe
PID 756 wrote to memory of 1360	756	e-transfer.exe	cmd.exe
PID 756 wrote to memory of 1360	756	e-transfer.exe	cmd.exe
PID 756 wrote to memory of 1360	756	e-transfer.exe	cmd.exe
PID 756 wrote to memory of 1520	756	e-transfer.exe	cmd.exe
PID 756 wrote to memory of 1520	756	e-transfer.exe	cmd.exe
PID 756 wrote to memory of 1520	756	e-transfer.exe	cmd.exe
PID 756 wrote to memory of 1520	756	e-transfer.exe	cmd.exe
PID 756 wrote to memory of 1524	756	e-transfer.exe	cmd.exe
PID 756 wrote to memory of 1524	756	e-transfer.exe	cmd.exe
PID 756 wrote to memory of 1524	756	e-transfer.exe	cmd.exe
PID 756 wrote to memory of 1524	756	e-transfer.exe	cmd.exe
PID 1520 wrote to memory of 1656	1520	cmd.exe	schtasks.exe
PID 1520 wrote to memory of 1656	1520	cmd.exe	schtasks.exe
PID 1520 wrote to memory of 1656	1520	cmd.exe	schtasks.exe
PID 1520 wrote to memory of 1656	1520	cmd.exe	schtasks.exe
PID 920 wrote to memory of 1156	920	taskeng.exe	YAKBITT.exe
PID 920 wrote to memory of 1156	920	taskeng.exe	YAKBITT.exe
PID 920 wrote to memory of 1156	920	taskeng.exe	YAKBITT.exe
PID 920 wrote to memory of 1156	920	taskeng.exe	YAKBITT.exe

C:\Users\Admin\AppData\Local\Temp\e-transfer.exe
"C:\Users\Admin\AppData\Local\Temp\e-transfer.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1048

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\YAKBITT"
2⤵
PID:1360

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\e-transfer.exe" "C:\Users\Admin\AppData\Roaming\YAKBITT\YAKBITT.exe"
2⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\Admin\AppData\Roaming\YAKBITT\YAKBITT.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\Admin\AppData\Roaming\YAKBITT\YAKBITT.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\taskeng.exe
taskeng.exe {2C5B70F8-9C5B-445B-849B-420A9EE9AFE3} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Users\Admin\AppData\Roaming\YAKBITT\YAKBITT.exe
C:\Users\Admin\AppData\Roaming\YAKBITT\YAKBITT.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\YAKBITT\YAKBITT.exe
MD5
a296755b6dece5001cf747f60dde2f8e

SHA1
12a902928d6d576a404705baf805e2a363be16ec

SHA256
952d78d8c54ea8ef32060e75b8d82f2b7fd51bb04fa03f487f0ea27b3cfb6846

SHA512
c8f5827cec5378ffcfd9cc8bf92a4b221f407f759dc1b7ed6c86af9b8aafd83b9335fddc724809cd5c9fdf3827559f0a1a6168b1a2bf4ff58027fddd462dede0

Download Submit
C:\Users\Admin\AppData\Roaming\YAKBITT\YAKBITT.exe
MD5
4a07970473cdd867c79ce761b775319a

SHA1
cacfed6ce510099362e25df9007984026e003e2e

SHA256
7df65bf2949eae6fa3a516f27392ec0ed528656fe745f505a9a562b5895ba163

SHA512
45f87305a57516ee5ea99b40d625baf202350bf08c056448767132f1635954cb9c10e508ab8c9d3a34df2790443074fbc351cad13f90ffd6cf88996b103a8e26

Download Submit
memory/756-54-0x0000000001030000-0x0000000001240000-memory.dmp

Filesize
2.1MB

Download
memory/756-55-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/756-56-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/1048-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1048-59-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1048-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1048-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1048-64-0x0000000000401000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1048-58-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1048-57-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1156-67-0x0000000000890000-0x0000000000AA0000-memory.dmp

Filesize
2.1MB

Download
memory/1156-68-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads