bitrat | 8c76fb918a3b6c197a9638bcbc03b1dc85606c256e04d919b5d9739b556e2ef0

General

Target

JO37GDDJF5_ETRANSFER_RECEIPT.exe
Size

300.0MB
MD5

9f791a0a9f76db609b44f0e3bf7bdef5
SHA1

0481f2e178c7a34b3d855e5c53553337fe2008ed
SHA256

ccd71d751bf017dee31f76eceded9aa6832f5e19b5389584d3665f76b4f0caf2
SHA512

06889bebdf092e4f1563e697e9c619a147954ffcb1f9dd9e9a9238d1410442373f95558c02e6bae6f5d832f89a46eab8b08114699f7321ce2e1150a69f1ad1ee

Score

10^/10

bitrat suricata trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata
Executes dropped EXE 1 IoCs

Processes:

nhbyg.exe

pid process

4460 nhbyg.exe

pid	process
4460	nhbyg.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3540-136-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3540-138-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3540-137-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3540-139-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3540-140-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3540-143-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4192-153-0x0000000000760000-0x0000000000B44000-memory.dmp	upx
behavioral2/memory/4192-154-0x0000000000760000-0x0000000000B44000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

RegAsm.exe

pid process

3540 RegAsm.exe
3540 RegAsm.exe
3540 RegAsm.exe
3540 RegAsm.exe
3540 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

JO37GDDJF5_ETRANSFER_RECEIPT.exe

description pid process target process

PID 388 set thread context of 3540 388 JO37GDDJF5_ETRANSFER_RECEIPT.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4312 schtasks.exe
3224 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeShutdownPrivilege 3540 RegAsm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

3540 RegAsm.exe
3540 RegAsm.exe

pid	process
3540	RegAsm.exe
3540	RegAsm.exe
3540	RegAsm.exe
3540	RegAsm.exe
3540	RegAsm.exe

description	pid	process	target process
PID 388 set thread context of 3540	388	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe

pid	process
4312	schtasks.exe
3224	schtasks.exe

description	pid	process
Token: SeShutdownPrivilege	3540	RegAsm.exe

pid	process
3540	RegAsm.exe
3540	RegAsm.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

JO37GDDJF5_ETRANSFER_RECEIPT.execmd.exenhbyg.execmd.exe

description	pid	process	target process
PID 388 wrote to memory of 4744	388	JO37GDDJF5_ETRANSFER_RECEIPT.exe	cmd.exe
PID 388 wrote to memory of 4744	388	JO37GDDJF5_ETRANSFER_RECEIPT.exe	cmd.exe
PID 388 wrote to memory of 4744	388	JO37GDDJF5_ETRANSFER_RECEIPT.exe	cmd.exe
PID 4744 wrote to memory of 4312	4744	cmd.exe	schtasks.exe
PID 4744 wrote to memory of 4312	4744	cmd.exe	schtasks.exe
PID 4744 wrote to memory of 4312	4744	cmd.exe	schtasks.exe
PID 388 wrote to memory of 4000	388	JO37GDDJF5_ETRANSFER_RECEIPT.exe	cmd.exe
PID 388 wrote to memory of 4000	388	JO37GDDJF5_ETRANSFER_RECEIPT.exe	cmd.exe
PID 388 wrote to memory of 4000	388	JO37GDDJF5_ETRANSFER_RECEIPT.exe	cmd.exe
PID 388 wrote to memory of 3540	388	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 388 wrote to memory of 3540	388	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 388 wrote to memory of 3540	388	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 388 wrote to memory of 3540	388	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 388 wrote to memory of 3540	388	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 388 wrote to memory of 3540	388	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 388 wrote to memory of 3540	388	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 4460 wrote to memory of 4456	4460	nhbyg.exe	cmd.exe
PID 4460 wrote to memory of 4456	4460	nhbyg.exe	cmd.exe
PID 4460 wrote to memory of 4456	4460	nhbyg.exe	cmd.exe
PID 4456 wrote to memory of 3224	4456	cmd.exe	schtasks.exe
PID 4456 wrote to memory of 3224	4456	cmd.exe	schtasks.exe
PID 4456 wrote to memory of 3224	4456	cmd.exe	schtasks.exe
PID 4460 wrote to memory of 2924	4460	nhbyg.exe	cmd.exe
PID 4460 wrote to memory of 2924	4460	nhbyg.exe	cmd.exe
PID 4460 wrote to memory of 2924	4460	nhbyg.exe	cmd.exe
PID 4460 wrote to memory of 4192	4460	nhbyg.exe	RegAsm.exe
PID 4460 wrote to memory of 4192	4460	nhbyg.exe	RegAsm.exe
PID 4460 wrote to memory of 4192	4460	nhbyg.exe	RegAsm.exe
PID 4460 wrote to memory of 4192	4460	nhbyg.exe	RegAsm.exe
PID 4460 wrote to memory of 4192	4460	nhbyg.exe	RegAsm.exe
PID 4460 wrote to memory of 4192	4460	nhbyg.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\JO37GDDJF5_ETRANSFER_RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\JO37GDDJF5_ETRANSFER_RECEIPT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4312

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\JO37GDDJF5_ETRANSFER_RECEIPT.exe" "C:\Users\Admin\AppData\Roaming\nhbyg.exe"
2⤵
PID:4000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3540

C:\Users\Admin\AppData\Roaming\nhbyg.exe
C:\Users\Admin\AppData\Roaming\nhbyg.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3224

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\nhbyg.exe" "C:\Users\Admin\AppData\Roaming\nhbyg.exe"
2⤵
PID:2924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\nhbyg.exe
Filesize
83.2MB

MD5
12fa6a8f5192360158a1670ef3b4b5da

SHA1
03ca11d5124150b088802503aeafe646dfa1edeb

SHA256
822caddcc3003060c08ffb02a8af06b7f8ffe49e8a95f8d3769197ebe075cf8b

SHA512
a577520ba1caf64d9459f0019ecc13d6789db8889716d603a21dcbbea02394d11ff9ca568d6bbd6ce44c4dee7e4f708686ed230ce82df9e26a7afd5426b8dc05

Download Submit
C:\Users\Admin\AppData\Roaming\nhbyg.exe
Filesize
73.9MB

MD5
e78a0efd39cdc6b37da5ed1712f5a04a

SHA1
bc637533f9c958d28d6ef0293a44551bb9b55da0

SHA256
dd8369447227091f2cc6afd4b345ad27ecc8ab3f68a00f6ec0384add30faf2c0

SHA512
a0982f186fd989a1ff21bab3a34ee01266bfd5700865bd97707aea2b5970dfe03cd7a6a30fa5ccc4d40d141271470596add4a654876f837503a5902f9d4dac5a

Download Submit
memory/388-130-0x0000000000080000-0x0000000000214000-memory.dmp

Filesize
1.6MB

Download
memory/388-133-0x00000000056A0000-0x0000000005C44000-memory.dmp

Filesize
5.6MB

Download
memory/2924-150-0x0000000000000000-mapping.dmp

Download
memory/3224-149-0x0000000000000000-mapping.dmp

Download
memory/3540-142-0x0000000075270000-0x00000000752A9000-memory.dmp

Filesize
228KB

Download
memory/3540-147-0x0000000074ED0000-0x0000000074F09000-memory.dmp

Filesize
228KB

Download
memory/3540-137-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3540-139-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3540-140-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3540-141-0x0000000074ED0000-0x0000000074F09000-memory.dmp

Filesize
228KB

Download
memory/3540-136-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3540-143-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3540-135-0x0000000000000000-mapping.dmp

Download
memory/3540-138-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3540-148-0x0000000075270000-0x00000000752A9000-memory.dmp

Filesize
228KB

Download
memory/4000-134-0x0000000000000000-mapping.dmp

Download
memory/4192-151-0x0000000000000000-mapping.dmp

Download
memory/4192-153-0x0000000000760000-0x0000000000B44000-memory.dmp

Filesize
3.9MB

Download
memory/4192-154-0x0000000000760000-0x0000000000B44000-memory.dmp

Filesize
3.9MB

Download
memory/4312-132-0x0000000000000000-mapping.dmp

Download
memory/4456-146-0x0000000000000000-mapping.dmp

Download
memory/4744-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads