bitrat | 263b305d6a17491a0dd9dd32c5e56536263326e716e0474a132c1d8f8cc0878d

General

Target

Bon de commande.exe
Size

26KB
MD5

00286c04e7817a33d830719ef9afda61
SHA1

3e59b07e3aa255dc4086c9c631d814ac201e9951
SHA256

263b305d6a17491a0dd9dd32c5e56536263326e716e0474a132c1d8f8cc0878d
SHA512

917d83abba42301eabf3e5bdc7450300150925955cc2b6ddb40b28338c2014ec30c234fad245bc19f5d5345f5ad5de55e0a738e7bb9fa96b765117c3410a8612

Score

10^/10

bitrat persistence suricata trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

severdops.ddns.net:3071

Attributes

communication_password
29ef52e7563626a96cea7f4b4085c124
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1720-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1720-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1720-64-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1720-65-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1720-67-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Bon de commande.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windowexe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Demo\\Windowexe.exe\""	Bon de commande.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

Bon de commande.exe

pid process

1720 Bon de commande.exe
1720 Bon de commande.exe
1720 Bon de commande.exe
1720 Bon de commande.exe
1720 Bon de commande.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Bon de commande.exe

description pid process target process

PID 1100 set thread context of 1720 1100 Bon de commande.exe Bon de commande.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1720	Bon de commande.exe
1720	Bon de commande.exe
1720	Bon de commande.exe
1720	Bon de commande.exe
1720	Bon de commande.exe

description	pid	process	target process
PID 1100 set thread context of 1720	1100	Bon de commande.exe	Bon de commande.exe

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2040	PING.EXE
604	PING.EXE
1956	PING.EXE
896	PING.EXE
1080	PING.EXE
936	PING.EXE
1488	PING.EXE
588	PING.EXE
1652	PING.EXE
560	PING.EXE
1716	PING.EXE
1412	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Bon de commande.exe

pid process

1100 Bon de commande.exe

pid	process
1100	Bon de commande.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Bon de commande.exeBon de commande.exe

description	pid	process
Token: SeDebugPrivilege	1100	Bon de commande.exe
Token: SeDebugPrivilege	1720	Bon de commande.exe
Token: SeShutdownPrivilege	1720	Bon de commande.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Bon de commande.exe

pid process

1720 Bon de commande.exe
1720 Bon de commande.exe

pid	process
1720	Bon de commande.exe
1720	Bon de commande.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Bon de commande.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1100 wrote to memory of 472	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 472	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 472	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 472	1100	Bon de commande.exe	cmd.exe
PID 472 wrote to memory of 560	472	cmd.exe	PING.EXE
PID 472 wrote to memory of 560	472	cmd.exe	PING.EXE
PID 472 wrote to memory of 560	472	cmd.exe	PING.EXE
PID 472 wrote to memory of 560	472	cmd.exe	PING.EXE
PID 1100 wrote to memory of 1568	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 1568	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 1568	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 1568	1100	Bon de commande.exe	cmd.exe
PID 1568 wrote to memory of 604	1568	cmd.exe	PING.EXE
PID 1568 wrote to memory of 604	1568	cmd.exe	PING.EXE
PID 1568 wrote to memory of 604	1568	cmd.exe	PING.EXE
PID 1568 wrote to memory of 604	1568	cmd.exe	PING.EXE
PID 1100 wrote to memory of 1984	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 1984	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 1984	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 1984	1100	Bon de commande.exe	cmd.exe
PID 1984 wrote to memory of 1956	1984	cmd.exe	PING.EXE
PID 1984 wrote to memory of 1956	1984	cmd.exe	PING.EXE
PID 1984 wrote to memory of 1956	1984	cmd.exe	PING.EXE
PID 1984 wrote to memory of 1956	1984	cmd.exe	PING.EXE
PID 1100 wrote to memory of 2020	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 2020	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 2020	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 2020	1100	Bon de commande.exe	cmd.exe
PID 2020 wrote to memory of 1716	2020	cmd.exe	PING.EXE
PID 2020 wrote to memory of 1716	2020	cmd.exe	PING.EXE
PID 2020 wrote to memory of 1716	2020	cmd.exe	PING.EXE
PID 2020 wrote to memory of 1716	2020	cmd.exe	PING.EXE
PID 1100 wrote to memory of 1632	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 1632	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 1632	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 1632	1100	Bon de commande.exe	cmd.exe
PID 1632 wrote to memory of 1412	1632	cmd.exe	PING.EXE
PID 1632 wrote to memory of 1412	1632	cmd.exe	PING.EXE
PID 1632 wrote to memory of 1412	1632	cmd.exe	PING.EXE
PID 1632 wrote to memory of 1412	1632	cmd.exe	PING.EXE
PID 1100 wrote to memory of 1644	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 1644	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 1644	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 1644	1100	Bon de commande.exe	cmd.exe
PID 1644 wrote to memory of 1080	1644	cmd.exe	PING.EXE
PID 1644 wrote to memory of 1080	1644	cmd.exe	PING.EXE
PID 1644 wrote to memory of 1080	1644	cmd.exe	PING.EXE
PID 1644 wrote to memory of 1080	1644	cmd.exe	PING.EXE
PID 1100 wrote to memory of 1456	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 1456	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 1456	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 1456	1100	Bon de commande.exe	cmd.exe
PID 1456 wrote to memory of 936	1456	cmd.exe	PING.EXE
PID 1456 wrote to memory of 936	1456	cmd.exe	PING.EXE
PID 1456 wrote to memory of 936	1456	cmd.exe	PING.EXE
PID 1456 wrote to memory of 936	1456	cmd.exe	PING.EXE
PID 1100 wrote to memory of 1176	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 1176	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 1176	1100	Bon de commande.exe	cmd.exe
PID 1100 wrote to memory of 1176	1100	Bon de commande.exe	cmd.exe
PID 1176 wrote to memory of 1488	1176	cmd.exe	PING.EXE
PID 1176 wrote to memory of 1488	1176	cmd.exe	PING.EXE
PID 1176 wrote to memory of 1488	1176	cmd.exe	PING.EXE
PID 1176 wrote to memory of 1488	1176	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\Bon de commande.exe
"C:\Users\Admin\AppData\Local\Temp\Bon de commande.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping google.com
2⤵
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\SysWOW64\PING.EXE
ping google.com
3⤵
- Runs ping.exe
PID:560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping facebook.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\PING.EXE
ping facebook.com
3⤵
- Runs ping.exe
PID:604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping twitter.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\PING.EXE
ping twitter.com
3⤵
- Runs ping.exe
PID:1956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping google.com
2⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\PING.EXE
ping google.com
3⤵
- Runs ping.exe
PID:1716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping facebook.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\PING.EXE
ping facebook.com
3⤵
- Runs ping.exe
PID:1412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping twitter.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\PING.EXE
ping twitter.com
3⤵
- Runs ping.exe
PID:1080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping google.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\PING.EXE
ping google.com
3⤵
- Runs ping.exe
PID:936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping facebook.com
2⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\PING.EXE
ping facebook.com
3⤵
- Runs ping.exe
PID:1488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping twitter.com
2⤵
PID:1108

C:\Windows\SysWOW64\PING.EXE
ping twitter.com
3⤵
- Runs ping.exe
PID:588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping google.com
2⤵
PID:1104

C:\Windows\SysWOW64\PING.EXE
ping google.com
3⤵
- Runs ping.exe
PID:896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping facebook.com
2⤵
PID:1092

C:\Windows\SysWOW64\PING.EXE
ping facebook.com
3⤵
- Runs ping.exe
PID:2040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping twitter.com
2⤵
PID:1972

C:\Windows\SysWOW64\PING.EXE
ping twitter.com
3⤵
- Runs ping.exe
PID:1652

C:\Users\Admin\AppData\Local\Temp\Bon de commande.exe
"C:\Users\Admin\AppData\Local\Temp\Bon de commande.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1100-55-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/1100-56-0x0000000075421000-0x0000000075423000-memory.dmp

Filesize
8KB

Download
memory/1100-57-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/1100-58-0x0000000006280000-0x000000000642E000-memory.dmp

Filesize
1.7MB

Download
memory/1100-59-0x0000000007430000-0x00000000075C6000-memory.dmp

Filesize
1.6MB

Download
memory/1100-60-0x0000000004B00000-0x0000000004B4C000-memory.dmp

Filesize
304KB

Download
memory/1720-61-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1720-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1720-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1720-64-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1720-65-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1720-67-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1720-68-0x0000000000401000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads