bitrat | a63ec7da70dc56049227041e320a1518c98654a1baa9a9fdfef3f11a979920d7

General

Target

D7M39A87SH3-ETRANSFER-RECEIPT.exe
Size

300.0MB
MD5

edd26deecff12183dc818957f18b866a
SHA1

7e4fc7d57f7502ad210ceafbe294716981585281
SHA256

0b6306bc128b16b99cee0d04e4427bc0b5dbe32b2386fc4800cf42c9f42ed3b3
SHA512

b86225d429f244077f1a4313318e034320da2091a02a8064065b2fbd290eaa5285adfe90a161886f6a13dcba996f536da6758da78cf54ec01c900369db841987

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 2 IoCs

Processes:

vhhg.exevhhg.exe

pid process

1292 vhhg.exe
1612 vhhg.exe

pid	process
1292	vhhg.exe
1612	vhhg.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/936-63-0x0000000000410000-0x00000000007F4000-memory.dmp	upx
behavioral1/memory/936-67-0x0000000000410000-0x00000000007F4000-memory.dmp	upx
behavioral1/memory/936-66-0x0000000000410000-0x00000000007F4000-memory.dmp	upx
behavioral1/memory/936-70-0x0000000000410000-0x00000000007F4000-memory.dmp	upx
behavioral1/memory/936-72-0x0000000000410000-0x00000000007F4000-memory.dmp	upx
behavioral1/memory/936-78-0x0000000000410000-0x00000000007F4000-memory.dmp	upx
behavioral1/memory/1932-83-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1932-86-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1932-93-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1932-92-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1932-89-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1932-88-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1932-94-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1932-95-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/756-115-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/756-116-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exe

pid process

936 RegAsm.exe
936 RegAsm.exe
936 RegAsm.exe
936 RegAsm.exe
1932 RegAsm.exe
756 RegAsm.exe

pid	process
936	RegAsm.exe
936	RegAsm.exe
936	RegAsm.exe
936	RegAsm.exe
1932	RegAsm.exe
756	RegAsm.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

D7M39A87SH3-ETRANSFER-RECEIPT.exevhhg.exevhhg.exe

description	pid	process	target process
PID 1452 set thread context of 936	1452	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 1292 set thread context of 1932	1292	vhhg.exe	RegAsm.exe
PID 1612 set thread context of 756	1612	vhhg.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

740 schtasks.exe
1564 schtasks.exe
676 schtasks.exe

pid	process
740	schtasks.exe
1564	schtasks.exe
676	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	936	RegAsm.exe
Token: SeShutdownPrivilege	936	RegAsm.exe
Token: SeDebugPrivilege	1932	RegAsm.exe
Token: SeShutdownPrivilege	1932	RegAsm.exe
Token: SeDebugPrivilege	756	RegAsm.exe
Token: SeShutdownPrivilege	756	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

936 RegAsm.exe
936 RegAsm.exe

pid	process
936	RegAsm.exe
936	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

D7M39A87SH3-ETRANSFER-RECEIPT.execmd.exetaskeng.exevhhg.execmd.exevhhg.execmd.exe

description	pid	process	target process
PID 1452 wrote to memory of 1636	1452	D7M39A87SH3-ETRANSFER-RECEIPT.exe	cmd.exe
PID 1452 wrote to memory of 1636	1452	D7M39A87SH3-ETRANSFER-RECEIPT.exe	cmd.exe
PID 1452 wrote to memory of 1636	1452	D7M39A87SH3-ETRANSFER-RECEIPT.exe	cmd.exe
PID 1452 wrote to memory of 1636	1452	D7M39A87SH3-ETRANSFER-RECEIPT.exe	cmd.exe
PID 1636 wrote to memory of 740	1636	cmd.exe	schtasks.exe
PID 1636 wrote to memory of 740	1636	cmd.exe	schtasks.exe
PID 1636 wrote to memory of 740	1636	cmd.exe	schtasks.exe
PID 1636 wrote to memory of 740	1636	cmd.exe	schtasks.exe
PID 1452 wrote to memory of 112	1452	D7M39A87SH3-ETRANSFER-RECEIPT.exe	cmd.exe
PID 1452 wrote to memory of 112	1452	D7M39A87SH3-ETRANSFER-RECEIPT.exe	cmd.exe
PID 1452 wrote to memory of 112	1452	D7M39A87SH3-ETRANSFER-RECEIPT.exe	cmd.exe
PID 1452 wrote to memory of 112	1452	D7M39A87SH3-ETRANSFER-RECEIPT.exe	cmd.exe
PID 1452 wrote to memory of 936	1452	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 1452 wrote to memory of 936	1452	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 1452 wrote to memory of 936	1452	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 1452 wrote to memory of 936	1452	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 1452 wrote to memory of 936	1452	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 1452 wrote to memory of 936	1452	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 1452 wrote to memory of 936	1452	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 1452 wrote to memory of 936	1452	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 1452 wrote to memory of 936	1452	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 1452 wrote to memory of 936	1452	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 1452 wrote to memory of 936	1452	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 588 wrote to memory of 1292	588	taskeng.exe	vhhg.exe
PID 588 wrote to memory of 1292	588	taskeng.exe	vhhg.exe
PID 588 wrote to memory of 1292	588	taskeng.exe	vhhg.exe
PID 588 wrote to memory of 1292	588	taskeng.exe	vhhg.exe
PID 1292 wrote to memory of 760	1292	vhhg.exe	cmd.exe
PID 1292 wrote to memory of 760	1292	vhhg.exe	cmd.exe
PID 1292 wrote to memory of 760	1292	vhhg.exe	cmd.exe
PID 1292 wrote to memory of 760	1292	vhhg.exe	cmd.exe
PID 760 wrote to memory of 1564	760	cmd.exe	schtasks.exe
PID 760 wrote to memory of 1564	760	cmd.exe	schtasks.exe
PID 760 wrote to memory of 1564	760	cmd.exe	schtasks.exe
PID 760 wrote to memory of 1564	760	cmd.exe	schtasks.exe
PID 1292 wrote to memory of 1872	1292	vhhg.exe	cmd.exe
PID 1292 wrote to memory of 1872	1292	vhhg.exe	cmd.exe
PID 1292 wrote to memory of 1872	1292	vhhg.exe	cmd.exe
PID 1292 wrote to memory of 1872	1292	vhhg.exe	cmd.exe
PID 1292 wrote to memory of 1932	1292	vhhg.exe	RegAsm.exe
PID 1292 wrote to memory of 1932	1292	vhhg.exe	RegAsm.exe
PID 1292 wrote to memory of 1932	1292	vhhg.exe	RegAsm.exe
PID 1292 wrote to memory of 1932	1292	vhhg.exe	RegAsm.exe
PID 1292 wrote to memory of 1932	1292	vhhg.exe	RegAsm.exe
PID 1292 wrote to memory of 1932	1292	vhhg.exe	RegAsm.exe
PID 1292 wrote to memory of 1932	1292	vhhg.exe	RegAsm.exe
PID 1292 wrote to memory of 1932	1292	vhhg.exe	RegAsm.exe
PID 1292 wrote to memory of 1932	1292	vhhg.exe	RegAsm.exe
PID 1292 wrote to memory of 1932	1292	vhhg.exe	RegAsm.exe
PID 1292 wrote to memory of 1932	1292	vhhg.exe	RegAsm.exe
PID 588 wrote to memory of 1612	588	taskeng.exe	vhhg.exe
PID 588 wrote to memory of 1612	588	taskeng.exe	vhhg.exe
PID 588 wrote to memory of 1612	588	taskeng.exe	vhhg.exe
PID 588 wrote to memory of 1612	588	taskeng.exe	vhhg.exe
PID 1612 wrote to memory of 1752	1612	vhhg.exe	cmd.exe
PID 1612 wrote to memory of 1752	1612	vhhg.exe	cmd.exe
PID 1612 wrote to memory of 1752	1612	vhhg.exe	cmd.exe
PID 1612 wrote to memory of 1752	1612	vhhg.exe	cmd.exe
PID 1752 wrote to memory of 676	1752	cmd.exe	schtasks.exe
PID 1752 wrote to memory of 676	1752	cmd.exe	schtasks.exe
PID 1752 wrote to memory of 676	1752	cmd.exe	schtasks.exe
PID 1752 wrote to memory of 676	1752	cmd.exe	schtasks.exe
PID 1612 wrote to memory of 1452	1612	vhhg.exe	cmd.exe
PID 1612 wrote to memory of 1452	1612	vhhg.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\D7M39A87SH3-ETRANSFER-RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\D7M39A87SH3-ETRANSFER-RECEIPT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\vhhg.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\vhhg.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:740
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\D7M39A87SH3-ETRANSFER-RECEIPT.exe" "C:\Users\Admin\AppData\Roaming\vhhg.exe"
  2⤵
  PID:112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:936

C:\Windows\system32\taskeng.exe
taskeng.exe {46BF8AE0-1007-4CAD-94FA-DD0E5057A262} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:588
- C:\Users\Admin\AppData\Roaming\vhhg.exe
  C:\Users\Admin\AppData\Roaming\vhhg.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\vhhg.exe'" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\vhhg.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\vhhg.exe" "C:\Users\Admin\AppData\Roaming\vhhg.exe"
    3⤵
    PID:1872
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- C:\Users\Admin\AppData\Roaming\vhhg.exe
  C:\Users\Admin\AppData\Roaming\vhhg.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\vhhg.exe'" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\vhhg.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:676
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\vhhg.exe" "C:\Users\Admin\AppData\Roaming\vhhg.exe"
    3⤵
    PID:1452
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID:756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vhhg.exe

Filesize
300.0MB

MD5
edd26deecff12183dc818957f18b866a

SHA1
7e4fc7d57f7502ad210ceafbe294716981585281

SHA256
0b6306bc128b16b99cee0d04e4427bc0b5dbe32b2386fc4800cf42c9f42ed3b3

SHA512
b86225d429f244077f1a4313318e034320da2091a02a8064065b2fbd290eaa5285adfe90a161886f6a13dcba996f536da6758da78cf54ec01c900369db841987

Download Submit
C:\Users\Admin\AppData\Roaming\vhhg.exe

Filesize
300.0MB

MD5
edd26deecff12183dc818957f18b866a

SHA1
7e4fc7d57f7502ad210ceafbe294716981585281

SHA256
0b6306bc128b16b99cee0d04e4427bc0b5dbe32b2386fc4800cf42c9f42ed3b3

SHA512
b86225d429f244077f1a4313318e034320da2091a02a8064065b2fbd290eaa5285adfe90a161886f6a13dcba996f536da6758da78cf54ec01c900369db841987

Download Submit
C:\Users\Admin\AppData\Roaming\vhhg.exe

Filesize
300.0MB

MD5
edd26deecff12183dc818957f18b866a

SHA1
7e4fc7d57f7502ad210ceafbe294716981585281

SHA256
0b6306bc128b16b99cee0d04e4427bc0b5dbe32b2386fc4800cf42c9f42ed3b3

SHA512
b86225d429f244077f1a4313318e034320da2091a02a8064065b2fbd290eaa5285adfe90a161886f6a13dcba996f536da6758da78cf54ec01c900369db841987

Download Submit
memory/112-59-0x0000000000000000-mapping.dmp

Download
memory/676-101-0x0000000000000000-mapping.dmp

Download
memory/740-58-0x0000000000000000-mapping.dmp

Download
memory/756-116-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/756-108-0x00000000007E2730-mapping.dmp

Download
memory/756-115-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/760-79-0x0000000000000000-mapping.dmp

Download
memory/936-72-0x0000000000410000-0x00000000007F4000-memory.dmp

Filesize
3.9MB

Download
memory/936-66-0x0000000000410000-0x00000000007F4000-memory.dmp

Filesize
3.9MB

Download
memory/936-63-0x0000000000410000-0x00000000007F4000-memory.dmp

Filesize
3.9MB

Download
memory/936-61-0x0000000000682000-0x00000000007F3000-memory.dmp

Filesize
1.4MB

Download
memory/936-65-0x00000000007E2730-mapping.dmp

Download
memory/936-70-0x0000000000410000-0x00000000007F4000-memory.dmp

Filesize
3.9MB

Download
memory/936-67-0x0000000000410000-0x00000000007F4000-memory.dmp

Filesize
3.9MB

Download
memory/936-78-0x0000000000410000-0x00000000007F4000-memory.dmp

Filesize
3.9MB

Download
memory/1292-74-0x0000000000000000-mapping.dmp

Download
memory/1292-76-0x0000000000150000-0x00000000002E2000-memory.dmp

Filesize
1.6MB

Download
memory/1452-54-0x0000000001090000-0x0000000001222000-memory.dmp

Filesize
1.6MB

Download
memory/1452-102-0x0000000000000000-mapping.dmp

Download
memory/1452-56-0x0000000005330000-0x00000000054A6000-memory.dmp

Filesize
1.5MB

Download
memory/1452-55-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1564-80-0x0000000000000000-mapping.dmp

Download
memory/1612-96-0x0000000000000000-mapping.dmp

Download
memory/1612-98-0x00000000003C0000-0x0000000000552000-memory.dmp

Filesize
1.6MB

Download
memory/1636-57-0x0000000000000000-mapping.dmp

Download
memory/1752-100-0x0000000000000000-mapping.dmp

Download
memory/1872-81-0x0000000000000000-mapping.dmp

Download
memory/1932-95-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1932-94-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1932-88-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1932-89-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1932-92-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1932-93-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1932-86-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1932-87-0x00000000007E2730-mapping.dmp

Download
memory/1932-83-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1932-82-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads