bitrat | 3368c73256020d0096f04966c0e7443d1d6d2337c080c370fd7ceb8f1fcf3314

General

Target

F6SNA4S9KD7_ETRANSFER_RECEIPT.exe
Size

300.0MB
MD5

57b653c941b2f756f705dc40d5abf80e
SHA1

c0c0101c1b2a523e6baf7964ba94e733fae77c32
SHA256

deacd98df57ca5cab910cab1fba939fd02eab616cb70993fd5eae81c6547cda0
SHA512

be671100021853d8932b48dcda89e63a79832d7ff030527e69cee5076b8d247c206a12707330698d8781ea7a43f5758323f6f4a9627389e98be41ce029ef717f

Score

10^/10

bitrat suricata trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata
Executes dropped EXE 2 IoCs

Processes:

AVBJO.exeAVBJO.exe

pid process

212 AVBJO.exe
2700 AVBJO.exe

pid	process
212	AVBJO.exe
2700	AVBJO.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral4/memory/848-139-0x0000000000700000-0x0000000000AE4000-memory.dmp	upx
behavioral4/memory/848-140-0x0000000000700000-0x0000000000AE4000-memory.dmp	upx
behavioral4/memory/3024-148-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral4/memory/3024-150-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral4/memory/3024-151-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral4/memory/3024-153-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral4/memory/3024-154-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral4/memory/3024-157-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

RegAsm.exe

pid process

3024 RegAsm.exe
3024 RegAsm.exe
3024 RegAsm.exe
3024 RegAsm.exe
3024 RegAsm.exe

pid	process
3024	RegAsm.exe
3024	RegAsm.exe
3024	RegAsm.exe
3024	RegAsm.exe
3024	RegAsm.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

F6SNA4S9KD7_ETRANSFER_RECEIPT.exeAVBJO.exe

description	pid	process	target process
PID 2388 set thread context of 848	2388	F6SNA4S9KD7_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 212 set thread context of 3024	212	AVBJO.exe	RegAsm.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3568 848 WerFault.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

444 schtasks.exe
3088 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeShutdownPrivilege 3024 RegAsm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

3024 RegAsm.exe
3024 RegAsm.exe

pid	pid_target	process	target process
3568	848	WerFault.exe	RegAsm.exe

pid	process
444	schtasks.exe
3088	schtasks.exe

description	pid	process
Token: SeShutdownPrivilege	3024	RegAsm.exe

pid	process
3024	RegAsm.exe
3024	RegAsm.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

F6SNA4S9KD7_ETRANSFER_RECEIPT.execmd.exeAVBJO.execmd.exe

description	pid	process	target process
PID 2388 wrote to memory of 2088	2388	F6SNA4S9KD7_ETRANSFER_RECEIPT.exe	cmd.exe
PID 2388 wrote to memory of 2088	2388	F6SNA4S9KD7_ETRANSFER_RECEIPT.exe	cmd.exe
PID 2088 wrote to memory of 444	2088	cmd.exe	schtasks.exe
PID 2088 wrote to memory of 444	2088	cmd.exe	schtasks.exe
PID 2388 wrote to memory of 4372	2388	F6SNA4S9KD7_ETRANSFER_RECEIPT.exe	cmd.exe
PID 2388 wrote to memory of 4372	2388	F6SNA4S9KD7_ETRANSFER_RECEIPT.exe	cmd.exe
PID 2388 wrote to memory of 848	2388	F6SNA4S9KD7_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 2388 wrote to memory of 848	2388	F6SNA4S9KD7_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 2388 wrote to memory of 848	2388	F6SNA4S9KD7_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 2388 wrote to memory of 848	2388	F6SNA4S9KD7_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 2388 wrote to memory of 848	2388	F6SNA4S9KD7_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 2388 wrote to memory of 848	2388	F6SNA4S9KD7_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 2388 wrote to memory of 848	2388	F6SNA4S9KD7_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 212 wrote to memory of 2276	212	AVBJO.exe	cmd.exe
PID 212 wrote to memory of 2276	212	AVBJO.exe	cmd.exe
PID 2276 wrote to memory of 3088	2276	cmd.exe	schtasks.exe
PID 2276 wrote to memory of 3088	2276	cmd.exe	schtasks.exe
PID 212 wrote to memory of 992	212	AVBJO.exe	cmd.exe
PID 212 wrote to memory of 992	212	AVBJO.exe	cmd.exe
PID 212 wrote to memory of 3024	212	AVBJO.exe	RegAsm.exe
PID 212 wrote to memory of 3024	212	AVBJO.exe	RegAsm.exe
PID 212 wrote to memory of 3024	212	AVBJO.exe	RegAsm.exe
PID 212 wrote to memory of 3024	212	AVBJO.exe	RegAsm.exe
PID 212 wrote to memory of 3024	212	AVBJO.exe	RegAsm.exe
PID 212 wrote to memory of 3024	212	AVBJO.exe	RegAsm.exe
PID 212 wrote to memory of 3024	212	AVBJO.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\F6SNA4S9KD7_ETRANSFER_RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\F6SNA4S9KD7_ETRANSFER_RECEIPT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\AVBJO.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\AVBJO.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:444
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\F6SNA4S9KD7_ETRANSFER_RECEIPT.exe" "C:\Users\Admin\AppData\Roaming\AVBJO.exe"
  2⤵
  PID:4372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 540
    3⤵
    - Program crash
    PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 848 -ip 848
1⤵
PID:2484

C:\Users\Admin\AppData\Roaming\AVBJO.exe
C:\Users\Admin\AppData\Roaming\AVBJO.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\AVBJO.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\AVBJO.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:3088
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AVBJO.exe" "C:\Users\Admin\AppData\Roaming\AVBJO.exe"
  2⤵
  PID:992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3024

C:\Users\Admin\AppData\Roaming\AVBJO.exe
C:\Users\Admin\AppData\Roaming\AVBJO.exe
1⤵
- Executes dropped EXE
PID:2700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AVBJO.exe.log

Filesize
859B

MD5
6e11a15fe4491ead2a94f64d3467be38

SHA1
9a8329fb71ddc89dae9aa174c0b44a1f646efd63

SHA256
087cf6355ae9fc71eea2493b30c6b10a6775f3dd68b2cb5e07fcc13461b74248

SHA512
6154e320e2556aef177fc5bfb4e5fe8fabe324af736b89db4db41e6dd51658f7f6a7d0f73c24dc6ccdc4edf14023f4a1ecd0908abac5b82cebd038a93b2fc106

Download Submit
C:\Users\Admin\AppData\Roaming\AVBJO.exe

Filesize
300.0MB

MD5
57b653c941b2f756f705dc40d5abf80e

SHA1
c0c0101c1b2a523e6baf7964ba94e733fae77c32

SHA256
deacd98df57ca5cab910cab1fba939fd02eab616cb70993fd5eae81c6547cda0

SHA512
be671100021853d8932b48dcda89e63a79832d7ff030527e69cee5076b8d247c206a12707330698d8781ea7a43f5758323f6f4a9627389e98be41ce029ef717f

Download Submit
C:\Users\Admin\AppData\Roaming\AVBJO.exe

Filesize
300.0MB

MD5
57b653c941b2f756f705dc40d5abf80e

SHA1
c0c0101c1b2a523e6baf7964ba94e733fae77c32

SHA256
deacd98df57ca5cab910cab1fba939fd02eab616cb70993fd5eae81c6547cda0

SHA512
be671100021853d8932b48dcda89e63a79832d7ff030527e69cee5076b8d247c206a12707330698d8781ea7a43f5758323f6f4a9627389e98be41ce029ef717f

Download Submit
C:\Users\Admin\AppData\Roaming\AVBJO.exe

Filesize
152.9MB

MD5
43f8f87c114d41938557f499f9042cdb

SHA1
c61df90d5e7638a8a4e35ba44d90510985c47dbe

SHA256
83300e7e3364d90d42f93cc550c3f72c1a5f974ff9010f2e9f6e059fd7900514

SHA512
4e378c4241aeb974e91fef1a16cfae32edd19be3879bb12b5ae00a946ad02b249493ec57f72e356aa05afb5eb2a928d9a0d03098786113b7583d9b08bd1b087c

Download Submit
memory/212-144-0x00007FFCB0BC0000-0x00007FFCB1681000-memory.dmp

Filesize
10.8MB

Download
memory/212-152-0x00007FFCB0BC0000-0x00007FFCB1681000-memory.dmp

Filesize
10.8MB

Download
memory/212-143-0x00007FFCB0BC0000-0x00007FFCB1681000-memory.dmp

Filesize
10.8MB

Download
memory/444-134-0x0000000000000000-mapping.dmp

Download
memory/848-140-0x0000000000700000-0x0000000000AE4000-memory.dmp

Filesize
3.9MB

Download
memory/848-139-0x0000000000700000-0x0000000000AE4000-memory.dmp

Filesize
3.9MB

Download
memory/848-137-0x00000000007E2730-mapping.dmp

Download
memory/992-147-0x0000000000000000-mapping.dmp

Download
memory/2088-133-0x0000000000000000-mapping.dmp

Download
memory/2276-145-0x0000000000000000-mapping.dmp

Download
memory/2388-138-0x00007FFCB0BC0000-0x00007FFCB1681000-memory.dmp

Filesize
10.8MB

Download
memory/2388-132-0x00007FFCB0BC0000-0x00007FFCB1681000-memory.dmp

Filesize
10.8MB

Download
memory/2388-130-0x0000000000250000-0x00000000003DA000-memory.dmp

Filesize
1.5MB

Download
memory/2388-131-0x00007FFCB0BC0000-0x00007FFCB1681000-memory.dmp

Filesize
10.8MB

Download
memory/2700-160-0x00007FFCB0BC0000-0x00007FFCB1681000-memory.dmp

Filesize
10.8MB

Download
memory/3024-151-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3024-153-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3024-154-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3024-155-0x00000000744D0000-0x0000000074509000-memory.dmp

Filesize
228KB

Download
memory/3024-156-0x0000000074850000-0x0000000074889000-memory.dmp

Filesize
228KB

Download
memory/3024-157-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3024-150-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3024-149-0x00000000007E2730-mapping.dmp

Download
memory/3024-148-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3088-146-0x0000000000000000-mapping.dmp

Download
memory/4372-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads