bitrat | 8c76fb918a3b6c197a9638bcbc03b1dc85606c256e04d919b5d9739b556e2ef0

General

Target

JO37GDDJF5_ETRANSFER_RECEIPT.exe
Size

300.0MB
MD5

9f791a0a9f76db609b44f0e3bf7bdef5
SHA1

0481f2e178c7a34b3d855e5c53553337fe2008ed
SHA256

ccd71d751bf017dee31f76eceded9aa6832f5e19b5389584d3665f76b4f0caf2
SHA512

06889bebdf092e4f1563e697e9c619a147954ffcb1f9dd9e9a9238d1410442373f95558c02e6bae6f5d832f89a46eab8b08114699f7321ce2e1150a69f1ad1ee

Score

10^/10

bitrat suricata trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata
Executes dropped EXE 1 IoCs

Processes:

nhbyg.exe

pid process

1932 nhbyg.exe

pid	process
1932	nhbyg.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1760-61-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1760-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1760-64-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1760-67-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1760-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1760-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1760-71-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1760-72-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1760-80-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1596-98-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1596-99-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

RegAsm.exeRegAsm.exe

pid process

1760 RegAsm.exe
1760 RegAsm.exe
1760 RegAsm.exe
1760 RegAsm.exe
1760 RegAsm.exe
1596 RegAsm.exe

pid	process
1760	RegAsm.exe
1760	RegAsm.exe
1760	RegAsm.exe
1760	RegAsm.exe
1760	RegAsm.exe
1596	RegAsm.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

JO37GDDJF5_ETRANSFER_RECEIPT.exenhbyg.exe

description	pid	process	target process
PID 1764 set thread context of 1760	1764	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1932 set thread context of 1596	1932	nhbyg.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2008 schtasks.exe
1360 schtasks.exe

pid	process
2008	schtasks.exe
1360	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

RegAsm.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1760	RegAsm.exe
Token: SeShutdownPrivilege	1760	RegAsm.exe
Token: SeDebugPrivilege	1596	RegAsm.exe
Token: SeShutdownPrivilege	1596	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

1760 RegAsm.exe
1760 RegAsm.exe

pid	process
1760	RegAsm.exe
1760	RegAsm.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

JO37GDDJF5_ETRANSFER_RECEIPT.execmd.exetaskeng.exenhbyg.execmd.exe

description	pid	process	target process
PID 1764 wrote to memory of 2040	1764	JO37GDDJF5_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1764 wrote to memory of 2040	1764	JO37GDDJF5_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1764 wrote to memory of 2040	1764	JO37GDDJF5_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1764 wrote to memory of 2040	1764	JO37GDDJF5_ETRANSFER_RECEIPT.exe	cmd.exe
PID 2040 wrote to memory of 2008	2040	cmd.exe	schtasks.exe
PID 2040 wrote to memory of 2008	2040	cmd.exe	schtasks.exe
PID 2040 wrote to memory of 2008	2040	cmd.exe	schtasks.exe
PID 2040 wrote to memory of 2008	2040	cmd.exe	schtasks.exe
PID 1764 wrote to memory of 1988	1764	JO37GDDJF5_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1764 wrote to memory of 1988	1764	JO37GDDJF5_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1764 wrote to memory of 1988	1764	JO37GDDJF5_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1764 wrote to memory of 1988	1764	JO37GDDJF5_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1764 wrote to memory of 1760	1764	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1764 wrote to memory of 1760	1764	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1764 wrote to memory of 1760	1764	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1764 wrote to memory of 1760	1764	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1764 wrote to memory of 1760	1764	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1764 wrote to memory of 1760	1764	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1764 wrote to memory of 1760	1764	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1764 wrote to memory of 1760	1764	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1764 wrote to memory of 1760	1764	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1764 wrote to memory of 1760	1764	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1764 wrote to memory of 1760	1764	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1260 wrote to memory of 1932	1260	taskeng.exe	nhbyg.exe
PID 1260 wrote to memory of 1932	1260	taskeng.exe	nhbyg.exe
PID 1260 wrote to memory of 1932	1260	taskeng.exe	nhbyg.exe
PID 1260 wrote to memory of 1932	1260	taskeng.exe	nhbyg.exe
PID 1932 wrote to memory of 1376	1932	nhbyg.exe	cmd.exe
PID 1932 wrote to memory of 1376	1932	nhbyg.exe	cmd.exe
PID 1932 wrote to memory of 1376	1932	nhbyg.exe	cmd.exe
PID 1932 wrote to memory of 1376	1932	nhbyg.exe	cmd.exe
PID 1376 wrote to memory of 1360	1376	cmd.exe	schtasks.exe
PID 1376 wrote to memory of 1360	1376	cmd.exe	schtasks.exe
PID 1376 wrote to memory of 1360	1376	cmd.exe	schtasks.exe
PID 1376 wrote to memory of 1360	1376	cmd.exe	schtasks.exe
PID 1932 wrote to memory of 844	1932	nhbyg.exe	cmd.exe
PID 1932 wrote to memory of 844	1932	nhbyg.exe	cmd.exe
PID 1932 wrote to memory of 844	1932	nhbyg.exe	cmd.exe
PID 1932 wrote to memory of 844	1932	nhbyg.exe	cmd.exe
PID 1932 wrote to memory of 1596	1932	nhbyg.exe	RegAsm.exe
PID 1932 wrote to memory of 1596	1932	nhbyg.exe	RegAsm.exe
PID 1932 wrote to memory of 1596	1932	nhbyg.exe	RegAsm.exe
PID 1932 wrote to memory of 1596	1932	nhbyg.exe	RegAsm.exe
PID 1932 wrote to memory of 1596	1932	nhbyg.exe	RegAsm.exe
PID 1932 wrote to memory of 1596	1932	nhbyg.exe	RegAsm.exe
PID 1932 wrote to memory of 1596	1932	nhbyg.exe	RegAsm.exe
PID 1932 wrote to memory of 1596	1932	nhbyg.exe	RegAsm.exe
PID 1932 wrote to memory of 1596	1932	nhbyg.exe	RegAsm.exe
PID 1932 wrote to memory of 1596	1932	nhbyg.exe	RegAsm.exe
PID 1932 wrote to memory of 1596	1932	nhbyg.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\JO37GDDJF5_ETRANSFER_RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\JO37GDDJF5_ETRANSFER_RECEIPT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2008

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\JO37GDDJF5_ETRANSFER_RECEIPT.exe" "C:\Users\Admin\AppData\Roaming\nhbyg.exe"
2⤵
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1760

C:\Windows\system32\taskeng.exe
taskeng.exe {72B16DA2-7844-4C7F-BF4E-0B8034C61616} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Roaming\nhbyg.exe
C:\Users\Admin\AppData\Roaming\nhbyg.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1360

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\nhbyg.exe" "C:\Users\Admin\AppData\Roaming\nhbyg.exe"
3⤵
PID:844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\nhbyg.exe
Filesize
73.1MB

MD5
43d541d1733f4c8989f2c56ea294637b

SHA1
ae6e8e0f37ebdedfb94c4c8c478a9d18f5584326

SHA256
03437456cf8d9bc10dbf25fd7a8ebd44e0f6184a3f1318b3f1edc006472b5b19

SHA512
44a29b905bf66aec0b44116bdfb32e502d550abf31ea1d2845f9534cf10ba6a80edfa4ce87bb610a73eb3e34f052a1aff2590b4afb20c861321cce31832a7f16

Download Submit
C:\Users\Admin\AppData\Roaming\nhbyg.exe
Filesize
73.2MB

MD5
04d5cd2a583e1111537f2d8cc5e58422

SHA1
0617a24e236b6a4362fa523e178e7cd0f1bb2ab1

SHA256
11a81ff4786b229fb25b321c9a14258b8fe003a3d90e883ffa47366446749b13

SHA512
a502a0db48cda1c2e53f10e016debb6bb6b3b42d26265082d249ccdbca498f845cce6ff77fdf6779c850b059529e8911698de1e74cb06d510723868ce1295826

Download Submit
memory/844-85-0x0000000000000000-mapping.dmp

Download
memory/1360-84-0x0000000000000000-mapping.dmp

Download
memory/1376-83-0x0000000000000000-mapping.dmp

Download
memory/1596-99-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1596-98-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1596-91-0x00000000007E2730-mapping.dmp

Download
memory/1760-61-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1760-82-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/1760-67-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1760-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1760-65-0x00000000007E2730-mapping.dmp

Download
memory/1760-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1760-71-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1760-72-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1760-74-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/1760-73-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/1760-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1760-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1760-64-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1760-81-0x00000000002A0000-0x00000000002AA000-memory.dmp

Filesize
40KB

Download
memory/1760-80-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1764-54-0x0000000000120000-0x00000000002B4000-memory.dmp

Filesize
1.6MB

Download
memory/1764-56-0x0000000005200000-0x0000000005376000-memory.dmp

Filesize
1.5MB

Download
memory/1764-55-0x0000000076851000-0x0000000076853000-memory.dmp

Filesize
8KB

Download
memory/1932-78-0x00000000012A0000-0x0000000001434000-memory.dmp

Filesize
1.6MB

Download
memory/1932-76-0x0000000000000000-mapping.dmp

Download
memory/1988-59-0x0000000000000000-mapping.dmp

Download
memory/2008-58-0x0000000000000000-mapping.dmp

Download
memory/2040-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads