bitrat | b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e

General

Target

b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
Size

2.2MB
MD5

d97470fad1b553c3f0266a8a84e6fdc2
SHA1

d0612e51c71e54a9c03e8403877840997a604672
SHA256

b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e
SHA512

4da2d313010e502abb98058b23e7bfdd561c855c482065d75eadbdd49e16ea8792d4b7aa083a47e2ad5202bdb5b0a8b3ed95632cd3b8a3c60b3787bbbcaf05ad

Score

10^/10

bitrat persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.35

C2

publiquilla.linkpc.net:9090

Attributes

communication_password
bfdba24ee3d61f0260c4dc1034c3ee43
install_dir
windowssecurirysercivehealth
install_file
windowssecurirysercive.exe
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/608-125-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/608-126-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/608-127-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\windowssecurirysercive = "C:\\Users\\Admin\\AppData\\Local\\windowssecurirysercivehealth\\windowssecurirysercive.exe"	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\windowssecurirysercive = "C:\\Users\\Admin\\AppData\\Local\\windowssecurirysercivehealth\\windowssecurirysercive.exe挀"	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\windowssecurirysercive = "C:\\Users\\Admin\\AppData\\Local\\windowssecurirysercivehealth\\windowssecurirysercive.exe猀"	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\windowssecurirysercive = "C:\\Users\\Admin\\AppData\\Local\\windowssecurirysercivehealth\\windowssecurirysercive.exe\u2000"	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\windowssecurirysercive = "C:\\Users\\Admin\\AppData\\Local\\windowssecurirysercivehealth\\windowssecurirysercive.exe저"	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe

pid	process
608	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
608	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
608	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
608	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe

description	pid	process	target process
PID 2352 set thread context of 608	2352	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe

pid	process
2352	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
2352	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe

Suspicious behavior: RenamesItself 9 IoCs

Processes:

b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe

pid	process
608	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
608	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
608	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
608	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
608	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
608	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
608	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
608	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
608	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exeb8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe

description	pid	process
Token: SeDebugPrivilege	2352	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
Token: SeShutdownPrivilege	608	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe

pid	process
608	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
608	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe

description	pid	process	target process
PID 2352 wrote to memory of 1172	2352	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
PID 2352 wrote to memory of 1172	2352	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
PID 2352 wrote to memory of 1172	2352	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
PID 2352 wrote to memory of 608	2352	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
PID 2352 wrote to memory of 608	2352	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
PID 2352 wrote to memory of 608	2352	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
PID 2352 wrote to memory of 608	2352	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
PID 2352 wrote to memory of 608	2352	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
PID 2352 wrote to memory of 608	2352	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
PID 2352 wrote to memory of 608	2352	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe	b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe

C:\Users\Admin\AppData\Local\Temp\b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
"C:\Users\Admin\AppData\Local\Temp\b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352

C:\Users\Admin\AppData\Local\Temp\b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
"C:\Users\Admin\AppData\Local\Temp\b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe"
2⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe
"C:\Users\Admin\AppData\Local\Temp\b8d1bac077990b3996eec50536cffceb32c25943fb0402ef358fc0eeb3083b5e.exe"
2⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/608-125-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/608-127-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/608-126-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2352-121-0x0000000004E40000-0x000000000533E000-memory.dmp

Filesize
5.0MB

Download
memory/2352-119-0x0000000002860000-0x000000000286A000-memory.dmp

Filesize
40KB

Download
memory/2352-120-0x0000000004F60000-0x0000000004FB6000-memory.dmp

Filesize
344KB

Download
memory/2352-115-0x0000000000260000-0x00000000004A6000-memory.dmp

Filesize
2.3MB

Download
memory/2352-122-0x0000000005130000-0x0000000005152000-memory.dmp

Filesize
136KB

Download
memory/2352-123-0x0000000006F30000-0x0000000007104000-memory.dmp

Filesize
1.8MB

Download
memory/2352-124-0x000000000A5B0000-0x000000000A732000-memory.dmp

Filesize
1.5MB

Download
memory/2352-118-0x0000000004E40000-0x0000000004ED2000-memory.dmp

Filesize
584KB

Download
memory/2352-117-0x0000000005340000-0x000000000583E000-memory.dmp

Filesize
5.0MB

Download
memory/2352-116-0x0000000004CD0000-0x0000000004D6C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads