bitrat | de2ccca7996acb55c58238b8f0a465398a0ff5cec1081ed1da9d51573ca87959

General

Target

Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe
Size

1.0MB
MD5

3daa66d053bf5aa603c9db0af979d2b7
SHA1

5beb955aef82e5e487b50c3a7ba38ec76d93e760
SHA256

bda842fc1f63fc6ab60f1964cbb4f25e655b92ffa0009d4b9a91f293e9b4f228
SHA512

fd54c4568d7e508ce0b47ed6d71f519608b3e850bac54bba8f3f2dcdfa49fe9cc71caf366ebf089d090c399c25c8c2842fe9c6a1b7b494f1d03cf0b6bb8a91cb

Score

10^/10

bitrat modiloader persistence suricata trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

oka.nerdpol.ovh:2223

Attributes

communication_password
b6c6e855edf908ec7c12ce8c8e628a5c
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1384-84-0x0000000010410000-0x00000000107F4000-memory.dmp	upx
behavioral1/memory/1384-85-0x0000000010410000-0x00000000107F4000-memory.dmp	upx
behavioral1/memory/1384-88-0x0000000010410000-0x00000000107F4000-memory.dmp	upx
behavioral1/memory/1384-91-0x0000000010410000-0x00000000107F4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Aepfxfnvtb = "C:\\Users\\Public\\Libraries\\btvnfxfpeA.url"	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

DpiScaling.exe

pid process

1384 DpiScaling.exe
1384 DpiScaling.exe
1384 DpiScaling.exe
1384 DpiScaling.exe
1384 DpiScaling.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

472 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeDpiScaling.exe

description pid process

Token: SeDebugPrivilege 472 powershell.exe
Token: SeDebugPrivilege 1384 DpiScaling.exe
Token: SeShutdownPrivilege 1384 DpiScaling.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

DpiScaling.exe

pid process

1384 DpiScaling.exe
1384 DpiScaling.exe

pid	process
1384	DpiScaling.exe
1384	DpiScaling.exe
1384	DpiScaling.exe
1384	DpiScaling.exe
1384	DpiScaling.exe

pid	process
472	powershell.exe

description	pid	process
Token: SeDebugPrivilege	472	powershell.exe
Token: SeDebugPrivilege	1384	DpiScaling.exe
Token: SeShutdownPrivilege	1384	DpiScaling.exe

pid	process
1384	DpiScaling.exe
1384	DpiScaling.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.execmd.execmd.exenet.exe

description	pid	process	target process
PID 1180 wrote to memory of 1128	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	cmd.exe
PID 1180 wrote to memory of 1128	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	cmd.exe
PID 1180 wrote to memory of 1128	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	cmd.exe
PID 1180 wrote to memory of 1128	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	cmd.exe
PID 1128 wrote to memory of 864	1128	cmd.exe	cmd.exe
PID 1128 wrote to memory of 864	1128	cmd.exe	cmd.exe
PID 1128 wrote to memory of 864	1128	cmd.exe	cmd.exe
PID 1128 wrote to memory of 864	1128	cmd.exe	cmd.exe
PID 864 wrote to memory of 1116	864	cmd.exe	net.exe
PID 864 wrote to memory of 1116	864	cmd.exe	net.exe
PID 864 wrote to memory of 1116	864	cmd.exe	net.exe
PID 864 wrote to memory of 1116	864	cmd.exe	net.exe
PID 1116 wrote to memory of 768	1116	net.exe	net1.exe
PID 1116 wrote to memory of 768	1116	net.exe	net1.exe
PID 1116 wrote to memory of 768	1116	net.exe	net1.exe
PID 1116 wrote to memory of 768	1116	net.exe	net1.exe
PID 864 wrote to memory of 472	864	cmd.exe	powershell.exe
PID 864 wrote to memory of 472	864	cmd.exe	powershell.exe
PID 864 wrote to memory of 472	864	cmd.exe	powershell.exe
PID 864 wrote to memory of 472	864	cmd.exe	powershell.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe
PID 1180 wrote to memory of 1384	1180	Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe	DpiScaling.exe

C:\Users\Admin\AppData\Local\Temp\Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe
"C:\Users\Admin\AppData\Local\Temp\Aepfxfnvtbhazznvyqqgljtzsbpyrqphao.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\Libraries\Aepfxfnvtbt.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\AepfxfnvtbO.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\net.exe
net session
4⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
5⤵
PID:768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:472

C:\Windows\SysWOW64\DpiScaling.exe
C:\Windows\System32\DpiScaling.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\AepfxfnvtbO.bat
Filesize
1KB

MD5
df48c09f243ebcc8a165f77a1c2bf889

SHA1
455f7db0adcc2a58d006f1630fb0bd55cd868c07

SHA256
4ef9821678da07138c19405387f3fb95e409fbd461c7b8d847c05075facd63ca

SHA512
735838c7cca953697ded48adfcd037b7f198072a8962f5940ce12e1bb1c7dd8c1f257a829276f5f5456f776f5bd13342222dd6e0dfc8f18a23f464f2c8d8f1cc

Download Submit
C:\Users\Public\Libraries\Aepfxfnvtbt.bat
Filesize
59B

MD5
470593a6035275b546ae61afc7aac508

SHA1
864e25a233d2afb2d565f7ec3cf2b015edeccc04

SHA256
9ded2da968e60331b4c3b29ff19ab65db878f17ef96af703ca5ab94ceb7505e6

SHA512
862720d9846ac6a140bcf46abf1b75aca21faa54e28cd612b31340d49e7423713811ac35f78775b23eea559c5c2ad4c75058c2f0572b9907ac1241ad49a3d761

Download Submit
C:\Users\Public\Libraries\Cdex.bat
Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
memory/472-76-0x0000000000000000-mapping.dmp

Download
memory/472-79-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download
memory/472-78-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download
memory/768-74-0x0000000000000000-mapping.dmp

Download
memory/864-71-0x0000000000000000-mapping.dmp

Download
memory/1116-73-0x0000000000000000-mapping.dmp

Download
memory/1128-69-0x0000000000000000-mapping.dmp

Download
memory/1180-54-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/1384-80-0x0000000000000000-mapping.dmp

Download
memory/1384-82-0x0000000010410000-0x00000000107F4000-memory.dmp

Filesize
3.9MB

Download
memory/1384-84-0x0000000010410000-0x00000000107F4000-memory.dmp

Filesize
3.9MB

Download
memory/1384-85-0x0000000010410000-0x00000000107F4000-memory.dmp

Filesize
3.9MB

Download
memory/1384-86-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/1384-87-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/1384-88-0x0000000010410000-0x00000000107F4000-memory.dmp

Filesize
3.9MB

Download
memory/1384-89-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/1384-90-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/1384-91-0x0000000010410000-0x00000000107F4000-memory.dmp

Filesize
3.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads