bitrat | a2e53e31a6d4e81b4df4572ff9d41278b8c48c2387ba84075ae58f3d10c4884b

General

Target

RKS7D5D6F_ETRANSFER_RECEIPT.exe
Size

300.0MB
MD5

7298a9ef42c45144a0caab46893fc9e3
SHA1

809492d6628db6cb0af75ceb861ca209079029af
SHA256

cd4000e6ed2eeeb0af7509cc6c74ea8d2ef08d5d6f6551aeebad6a96de57d7cd
SHA512

ac95e369ed001e74b5c32cb94ac109f3b7c76b9c9dd82fd92c0569682589ccd94521599a7b03921a633c4668905a73ba87c9c7d5e31935d047f61c1284dd4459

Score

10^/10

bitrat suricata trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata
Executes dropped EXE 1 IoCs

Processes:

nhbyg.exe

pid process

628 nhbyg.exe

pid	process
628	nhbyg.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1320-63-0x0000000000470000-0x0000000000854000-memory.dmp	upx
behavioral1/memory/1320-66-0x0000000000470000-0x0000000000854000-memory.dmp	upx
behavioral1/memory/1320-67-0x0000000000470000-0x0000000000854000-memory.dmp	upx
behavioral1/memory/1320-70-0x0000000000470000-0x0000000000854000-memory.dmp	upx
behavioral1/memory/1320-77-0x0000000000470000-0x0000000000854000-memory.dmp	upx
behavioral1/memory/1320-80-0x0000000000470000-0x0000000000854000-memory.dmp	upx
behavioral1/memory/808-87-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/808-90-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/808-92-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/808-96-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/808-98-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/808-97-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/808-93-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/808-99-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

RegAsm.exeRegAsm.exe

pid process

1320 RegAsm.exe
1320 RegAsm.exe
1320 RegAsm.exe
1320 RegAsm.exe
1320 RegAsm.exe
808 RegAsm.exe

pid	process
1320	RegAsm.exe
1320	RegAsm.exe
1320	RegAsm.exe
1320	RegAsm.exe
1320	RegAsm.exe
808	RegAsm.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

RKS7D5D6F_ETRANSFER_RECEIPT.exenhbyg.exe

description	pid	process	target process
PID 844 set thread context of 1320	844	RKS7D5D6F_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 628 set thread context of 808	628	nhbyg.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1092 schtasks.exe
1616 schtasks.exe

pid	process
1092	schtasks.exe
1616	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

RegAsm.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1320	RegAsm.exe
Token: SeShutdownPrivilege	1320	RegAsm.exe
Token: SeDebugPrivilege	808	RegAsm.exe
Token: SeShutdownPrivilege	808	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

1320 RegAsm.exe
1320 RegAsm.exe

pid	process
1320	RegAsm.exe
1320	RegAsm.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

RKS7D5D6F_ETRANSFER_RECEIPT.execmd.exetaskeng.exenhbyg.execmd.exe

description	pid	process	target process
PID 844 wrote to memory of 1400	844	RKS7D5D6F_ETRANSFER_RECEIPT.exe	cmd.exe
PID 844 wrote to memory of 1400	844	RKS7D5D6F_ETRANSFER_RECEIPT.exe	cmd.exe
PID 844 wrote to memory of 1400	844	RKS7D5D6F_ETRANSFER_RECEIPT.exe	cmd.exe
PID 844 wrote to memory of 1400	844	RKS7D5D6F_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1400 wrote to memory of 1092	1400	cmd.exe	schtasks.exe
PID 1400 wrote to memory of 1092	1400	cmd.exe	schtasks.exe
PID 1400 wrote to memory of 1092	1400	cmd.exe	schtasks.exe
PID 1400 wrote to memory of 1092	1400	cmd.exe	schtasks.exe
PID 844 wrote to memory of 1196	844	RKS7D5D6F_ETRANSFER_RECEIPT.exe	cmd.exe
PID 844 wrote to memory of 1196	844	RKS7D5D6F_ETRANSFER_RECEIPT.exe	cmd.exe
PID 844 wrote to memory of 1196	844	RKS7D5D6F_ETRANSFER_RECEIPT.exe	cmd.exe
PID 844 wrote to memory of 1196	844	RKS7D5D6F_ETRANSFER_RECEIPT.exe	cmd.exe
PID 844 wrote to memory of 1320	844	RKS7D5D6F_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 844 wrote to memory of 1320	844	RKS7D5D6F_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 844 wrote to memory of 1320	844	RKS7D5D6F_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 844 wrote to memory of 1320	844	RKS7D5D6F_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 844 wrote to memory of 1320	844	RKS7D5D6F_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 844 wrote to memory of 1320	844	RKS7D5D6F_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 844 wrote to memory of 1320	844	RKS7D5D6F_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 844 wrote to memory of 1320	844	RKS7D5D6F_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 844 wrote to memory of 1320	844	RKS7D5D6F_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 844 wrote to memory of 1320	844	RKS7D5D6F_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 844 wrote to memory of 1320	844	RKS7D5D6F_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1916 wrote to memory of 628	1916	taskeng.exe	nhbyg.exe
PID 1916 wrote to memory of 628	1916	taskeng.exe	nhbyg.exe
PID 1916 wrote to memory of 628	1916	taskeng.exe	nhbyg.exe
PID 1916 wrote to memory of 628	1916	taskeng.exe	nhbyg.exe
PID 628 wrote to memory of 1524	628	nhbyg.exe	cmd.exe
PID 628 wrote to memory of 1524	628	nhbyg.exe	cmd.exe
PID 628 wrote to memory of 1524	628	nhbyg.exe	cmd.exe
PID 628 wrote to memory of 1524	628	nhbyg.exe	cmd.exe
PID 1524 wrote to memory of 1616	1524	cmd.exe	schtasks.exe
PID 1524 wrote to memory of 1616	1524	cmd.exe	schtasks.exe
PID 1524 wrote to memory of 1616	1524	cmd.exe	schtasks.exe
PID 1524 wrote to memory of 1616	1524	cmd.exe	schtasks.exe
PID 628 wrote to memory of 1356	628	nhbyg.exe	cmd.exe
PID 628 wrote to memory of 1356	628	nhbyg.exe	cmd.exe
PID 628 wrote to memory of 1356	628	nhbyg.exe	cmd.exe
PID 628 wrote to memory of 1356	628	nhbyg.exe	cmd.exe
PID 628 wrote to memory of 808	628	nhbyg.exe	RegAsm.exe
PID 628 wrote to memory of 808	628	nhbyg.exe	RegAsm.exe
PID 628 wrote to memory of 808	628	nhbyg.exe	RegAsm.exe
PID 628 wrote to memory of 808	628	nhbyg.exe	RegAsm.exe
PID 628 wrote to memory of 808	628	nhbyg.exe	RegAsm.exe
PID 628 wrote to memory of 808	628	nhbyg.exe	RegAsm.exe
PID 628 wrote to memory of 808	628	nhbyg.exe	RegAsm.exe
PID 628 wrote to memory of 808	628	nhbyg.exe	RegAsm.exe
PID 628 wrote to memory of 808	628	nhbyg.exe	RegAsm.exe
PID 628 wrote to memory of 808	628	nhbyg.exe	RegAsm.exe
PID 628 wrote to memory of 808	628	nhbyg.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\RKS7D5D6F_ETRANSFER_RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\RKS7D5D6F_ETRANSFER_RECEIPT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1092

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\RKS7D5D6F_ETRANSFER_RECEIPT.exe" "C:\Users\Admin\AppData\Roaming\nhbyg.exe"
2⤵
PID:1196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1320

C:\Windows\system32\taskeng.exe
taskeng.exe {7A0F8F06-2E6C-4B10-AE01-3C54750D4D59} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Roaming\nhbyg.exe
C:\Users\Admin\AppData\Roaming\nhbyg.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1616

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\nhbyg.exe" "C:\Users\Admin\AppData\Roaming\nhbyg.exe"
3⤵
PID:1356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\nhbyg.exe
Filesize
300.0MB

MD5
7298a9ef42c45144a0caab46893fc9e3

SHA1
809492d6628db6cb0af75ceb861ca209079029af

SHA256
cd4000e6ed2eeeb0af7509cc6c74ea8d2ef08d5d6f6551aeebad6a96de57d7cd

SHA512
ac95e369ed001e74b5c32cb94ac109f3b7c76b9c9dd82fd92c0569682589ccd94521599a7b03921a633c4668905a73ba87c9c7d5e31935d047f61c1284dd4459

Download Submit
C:\Users\Admin\AppData\Roaming\nhbyg.exe
Filesize
300.0MB

MD5
7298a9ef42c45144a0caab46893fc9e3

SHA1
809492d6628db6cb0af75ceb861ca209079029af

SHA256
cd4000e6ed2eeeb0af7509cc6c74ea8d2ef08d5d6f6551aeebad6a96de57d7cd

SHA512
ac95e369ed001e74b5c32cb94ac109f3b7c76b9c9dd82fd92c0569682589ccd94521599a7b03921a633c4668905a73ba87c9c7d5e31935d047f61c1284dd4459

Download Submit
memory/628-75-0x0000000000360000-0x00000000004F4000-memory.dmp

Filesize
1.6MB

Download
memory/628-73-0x0000000000000000-mapping.dmp

Download
memory/808-98-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/808-90-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/808-93-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/808-97-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/808-86-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/808-96-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/808-92-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/808-87-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/808-91-0x00000000007E2730-mapping.dmp

Download
memory/808-99-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/844-56-0x00000000052B0000-0x0000000005426000-memory.dmp

Filesize
1.5MB

Download
memory/844-55-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/844-54-0x00000000001D0000-0x0000000000364000-memory.dmp

Filesize
1.6MB

Download
memory/1092-58-0x0000000000000000-mapping.dmp

Download
memory/1196-59-0x0000000000000000-mapping.dmp

Download
memory/1320-77-0x0000000000470000-0x0000000000854000-memory.dmp

Filesize
3.9MB

Download
memory/1320-67-0x0000000000470000-0x0000000000854000-memory.dmp

Filesize
3.9MB

Download
memory/1320-82-0x00000000000B0000-0x00000000000BA000-memory.dmp

Filesize
40KB

Download
memory/1320-61-0x00000000006E2000-0x0000000000853000-memory.dmp

Filesize
1.4MB

Download
memory/1320-63-0x0000000000470000-0x0000000000854000-memory.dmp

Filesize
3.9MB

Download
memory/1320-65-0x00000000007E2730-mapping.dmp

Download
memory/1320-80-0x0000000000470000-0x0000000000854000-memory.dmp

Filesize
3.9MB

Download
memory/1320-79-0x00000000000B0000-0x00000000000BA000-memory.dmp

Filesize
40KB

Download
memory/1320-78-0x00000000000B0000-0x00000000000BA000-memory.dmp

Filesize
40KB

Download
memory/1320-70-0x0000000000470000-0x0000000000854000-memory.dmp

Filesize
3.9MB

Download
memory/1320-81-0x00000000000B0000-0x00000000000BA000-memory.dmp

Filesize
40KB

Download
memory/1320-66-0x0000000000470000-0x0000000000854000-memory.dmp

Filesize
3.9MB

Download
memory/1356-85-0x0000000000000000-mapping.dmp

Download
memory/1400-57-0x0000000000000000-mapping.dmp

Download
memory/1524-83-0x0000000000000000-mapping.dmp

Download
memory/1616-84-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads