bitrat | d45b7cb0d3670b2d8a0191ddb50c96346c69ce3635d7e187270652b1c6398547

General

Target

C8D6C4G3_ETRANSFER_RECEIPT.exe
Size

300.0MB
MD5

bfabfe78aa78696e50b54618f8b828e6
SHA1

10444cddc6fd263a1b4a3ee8fa477a3a1e673f81
SHA256

5d40878b671c96e0c31b04b38d416c808fe231b1eaade5b4e1bdf5345b371a2b
SHA512

75b739af5a7a84b740175bdb0d95a6c91ff38f6c52aacfaf82f61da2edb491bbf38494a21f09a83706509d7bdf1bcaaa14707bb61dcc1f32e7bc73fa8033a3b5

Score

10^/10

bitrat suricata trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata
Executes dropped EXE 3 IoCs

Processes:

retwvs.exeretwvs.exeretwvs.exe

pid process

1652 retwvs.exe
2004 retwvs.exe
1632 retwvs.exe

pid	process
1652	retwvs.exe
2004	retwvs.exe
1632	retwvs.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1524-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1524-61-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1524-67-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1524-68-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1524-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1524-64-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1524-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1524-73-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2004-95-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2004-96-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

C8D6C4G3_ETRANSFER_RECEIPT.exeretwvs.exe

pid	process
1524	C8D6C4G3_ETRANSFER_RECEIPT.exe
1524	C8D6C4G3_ETRANSFER_RECEIPT.exe
1524	C8D6C4G3_ETRANSFER_RECEIPT.exe
1524	C8D6C4G3_ETRANSFER_RECEIPT.exe
1524	C8D6C4G3_ETRANSFER_RECEIPT.exe
2004	retwvs.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

C8D6C4G3_ETRANSFER_RECEIPT.exeretwvs.exe

description	pid	process	target process
PID 1224 set thread context of 1524	1224	C8D6C4G3_ETRANSFER_RECEIPT.exe	C8D6C4G3_ETRANSFER_RECEIPT.exe
PID 1652 set thread context of 2004	1652	retwvs.exe	retwvs.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1660 schtasks.exe
756 schtasks.exe

pid	process
1660	schtasks.exe
756	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

C8D6C4G3_ETRANSFER_RECEIPT.exeretwvs.exe

description	pid	process
Token: SeDebugPrivilege	1524	C8D6C4G3_ETRANSFER_RECEIPT.exe
Token: SeShutdownPrivilege	1524	C8D6C4G3_ETRANSFER_RECEIPT.exe
Token: SeDebugPrivilege	2004	retwvs.exe
Token: SeShutdownPrivilege	2004	retwvs.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

C8D6C4G3_ETRANSFER_RECEIPT.exe

pid process

1524 C8D6C4G3_ETRANSFER_RECEIPT.exe
1524 C8D6C4G3_ETRANSFER_RECEIPT.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

C8D6C4G3_ETRANSFER_RECEIPT.execmd.exetaskeng.exeretwvs.execmd.exe

description	pid	process	target process
PID 1224 wrote to memory of 316	1224	C8D6C4G3_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1224 wrote to memory of 316	1224	C8D6C4G3_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1224 wrote to memory of 316	1224	C8D6C4G3_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1224 wrote to memory of 316	1224	C8D6C4G3_ETRANSFER_RECEIPT.exe	cmd.exe
PID 316 wrote to memory of 1660	316	cmd.exe	schtasks.exe
PID 316 wrote to memory of 1660	316	cmd.exe	schtasks.exe
PID 316 wrote to memory of 1660	316	cmd.exe	schtasks.exe
PID 316 wrote to memory of 1660	316	cmd.exe	schtasks.exe
PID 1224 wrote to memory of 1696	1224	C8D6C4G3_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1224 wrote to memory of 1696	1224	C8D6C4G3_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1224 wrote to memory of 1696	1224	C8D6C4G3_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1224 wrote to memory of 1696	1224	C8D6C4G3_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1224 wrote to memory of 1524	1224	C8D6C4G3_ETRANSFER_RECEIPT.exe	C8D6C4G3_ETRANSFER_RECEIPT.exe
PID 1224 wrote to memory of 1524	1224	C8D6C4G3_ETRANSFER_RECEIPT.exe	C8D6C4G3_ETRANSFER_RECEIPT.exe
PID 1224 wrote to memory of 1524	1224	C8D6C4G3_ETRANSFER_RECEIPT.exe	C8D6C4G3_ETRANSFER_RECEIPT.exe
PID 1224 wrote to memory of 1524	1224	C8D6C4G3_ETRANSFER_RECEIPT.exe	C8D6C4G3_ETRANSFER_RECEIPT.exe
PID 1224 wrote to memory of 1524	1224	C8D6C4G3_ETRANSFER_RECEIPT.exe	C8D6C4G3_ETRANSFER_RECEIPT.exe
PID 1224 wrote to memory of 1524	1224	C8D6C4G3_ETRANSFER_RECEIPT.exe	C8D6C4G3_ETRANSFER_RECEIPT.exe
PID 1224 wrote to memory of 1524	1224	C8D6C4G3_ETRANSFER_RECEIPT.exe	C8D6C4G3_ETRANSFER_RECEIPT.exe
PID 1224 wrote to memory of 1524	1224	C8D6C4G3_ETRANSFER_RECEIPT.exe	C8D6C4G3_ETRANSFER_RECEIPT.exe
PID 548 wrote to memory of 1652	548	taskeng.exe	retwvs.exe
PID 548 wrote to memory of 1652	548	taskeng.exe	retwvs.exe
PID 548 wrote to memory of 1652	548	taskeng.exe	retwvs.exe
PID 548 wrote to memory of 1652	548	taskeng.exe	retwvs.exe
PID 1652 wrote to memory of 1308	1652	retwvs.exe	cmd.exe
PID 1652 wrote to memory of 1308	1652	retwvs.exe	cmd.exe
PID 1652 wrote to memory of 1308	1652	retwvs.exe	cmd.exe
PID 1652 wrote to memory of 1308	1652	retwvs.exe	cmd.exe
PID 1308 wrote to memory of 756	1308	cmd.exe	schtasks.exe
PID 1308 wrote to memory of 756	1308	cmd.exe	schtasks.exe
PID 1308 wrote to memory of 756	1308	cmd.exe	schtasks.exe
PID 1308 wrote to memory of 756	1308	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 876	1652	retwvs.exe	cmd.exe
PID 1652 wrote to memory of 876	1652	retwvs.exe	cmd.exe
PID 1652 wrote to memory of 876	1652	retwvs.exe	cmd.exe
PID 1652 wrote to memory of 876	1652	retwvs.exe	cmd.exe
PID 1652 wrote to memory of 2004	1652	retwvs.exe	retwvs.exe
PID 1652 wrote to memory of 2004	1652	retwvs.exe	retwvs.exe
PID 1652 wrote to memory of 2004	1652	retwvs.exe	retwvs.exe
PID 1652 wrote to memory of 2004	1652	retwvs.exe	retwvs.exe
PID 1652 wrote to memory of 2004	1652	retwvs.exe	retwvs.exe
PID 1652 wrote to memory of 2004	1652	retwvs.exe	retwvs.exe
PID 1652 wrote to memory of 2004	1652	retwvs.exe	retwvs.exe
PID 1652 wrote to memory of 2004	1652	retwvs.exe	retwvs.exe
PID 548 wrote to memory of 1632	548	taskeng.exe	retwvs.exe
PID 548 wrote to memory of 1632	548	taskeng.exe	retwvs.exe
PID 548 wrote to memory of 1632	548	taskeng.exe	retwvs.exe
PID 548 wrote to memory of 1632	548	taskeng.exe	retwvs.exe

C:\Users\Admin\AppData\Local\Temp\C8D6C4G3_ETRANSFER_RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\C8D6C4G3_ETRANSFER_RECEIPT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\retwvs.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\retwvs.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1660

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\C8D6C4G3_ETRANSFER_RECEIPT.exe" "C:\Users\Admin\AppData\Roaming\retwvs.exe"
2⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\C8D6C4G3_ETRANSFER_RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\C8D6C4G3_ETRANSFER_RECEIPT.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Windows\system32\taskeng.exe
taskeng.exe {6A0E076F-86D6-4B69-B7D8-B58FC4861993} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:548

C:\Users\Admin\AppData\Roaming\retwvs.exe
C:\Users\Admin\AppData\Roaming\retwvs.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\retwvs.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\retwvs.exe'" /f
4⤵
- Creates scheduled task(s)
PID:756

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\retwvs.exe" "C:\Users\Admin\AppData\Roaming\retwvs.exe"
3⤵
PID:876

C:\Users\Admin\AppData\Roaming\retwvs.exe
"C:\Users\Admin\AppData\Roaming\retwvs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Users\Admin\AppData\Roaming\retwvs.exe
C:\Users\Admin\AppData\Roaming\retwvs.exe
2⤵
- Executes dropped EXE
PID:1632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\retwvs.exe
Filesize
300.0MB

MD5
bfabfe78aa78696e50b54618f8b828e6

SHA1
10444cddc6fd263a1b4a3ee8fa477a3a1e673f81

SHA256
5d40878b671c96e0c31b04b38d416c808fe231b1eaade5b4e1bdf5345b371a2b

SHA512
75b739af5a7a84b740175bdb0d95a6c91ff38f6c52aacfaf82f61da2edb491bbf38494a21f09a83706509d7bdf1bcaaa14707bb61dcc1f32e7bc73fa8033a3b5

Download Submit
C:\Users\Admin\AppData\Roaming\retwvs.exe
Filesize
300.0MB

MD5
bfabfe78aa78696e50b54618f8b828e6

SHA1
10444cddc6fd263a1b4a3ee8fa477a3a1e673f81

SHA256
5d40878b671c96e0c31b04b38d416c808fe231b1eaade5b4e1bdf5345b371a2b

SHA512
75b739af5a7a84b740175bdb0d95a6c91ff38f6c52aacfaf82f61da2edb491bbf38494a21f09a83706509d7bdf1bcaaa14707bb61dcc1f32e7bc73fa8033a3b5

Download Submit
C:\Users\Admin\AppData\Roaming\retwvs.exe
Filesize
300.0MB

MD5
bfabfe78aa78696e50b54618f8b828e6

SHA1
10444cddc6fd263a1b4a3ee8fa477a3a1e673f81

SHA256
5d40878b671c96e0c31b04b38d416c808fe231b1eaade5b4e1bdf5345b371a2b

SHA512
75b739af5a7a84b740175bdb0d95a6c91ff38f6c52aacfaf82f61da2edb491bbf38494a21f09a83706509d7bdf1bcaaa14707bb61dcc1f32e7bc73fa8033a3b5

Download Submit
C:\Users\Admin\AppData\Roaming\retwvs.exe
Filesize
119.2MB

MD5
c167a4f223fc09e696a1eb81fad740bf

SHA1
1624795054259568b23090ea9619949d7a536b75

SHA256
02fbd5355edeabb146ceddf468c0ea89ab270556f78f3457c44ba28f2d010166

SHA512
d7fec264a9c1357c2b6adc99bb1e60ac2ee26344a833aede8dc812af4f4203eb9eebf5499dbb8d2d42fcc83b81600ff6c3e6543331378b70c59f6ff1c3669b0c

Download Submit
memory/316-57-0x0000000000000000-mapping.dmp

Download
memory/756-82-0x0000000000000000-mapping.dmp

Download
memory/876-83-0x0000000000000000-mapping.dmp

Download
memory/1224-55-0x0000000004DB0000-0x0000000004F26000-memory.dmp

Filesize
1.5MB

Download
memory/1224-56-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1224-54-0x0000000000F20000-0x00000000010B4000-memory.dmp

Filesize
1.6MB

Download
memory/1308-81-0x0000000000000000-mapping.dmp

Download
memory/1524-61-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1524-74-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1524-65-0x00000000007E2730-mapping.dmp

Download
memory/1524-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1524-71-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1524-72-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1524-73-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1524-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1524-75-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1524-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1524-68-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1524-64-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1524-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1524-67-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1632-99-0x0000000000230000-0x00000000003C4000-memory.dmp

Filesize
1.6MB

Download
memory/1632-97-0x0000000000000000-mapping.dmp

Download
memory/1652-77-0x0000000000000000-mapping.dmp

Download
memory/1652-79-0x0000000001060000-0x00000000011F4000-memory.dmp

Filesize
1.6MB

Download
memory/1660-58-0x0000000000000000-mapping.dmp

Download
memory/1696-59-0x0000000000000000-mapping.dmp

Download
memory/2004-89-0x00000000007E2730-mapping.dmp

Download
memory/2004-95-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2004-96-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads