bitrat | 859246ff173ff4ff68c9c761a21aa9944c7c2dba5cd882d9309d845355895631

General

Target

D7M39A87SH3-ETRANSFER-RECEIPT.exe
Size

300.0MB
MD5

edd26deecff12183dc818957f18b866a
SHA1

7e4fc7d57f7502ad210ceafbe294716981585281
SHA256

0b6306bc128b16b99cee0d04e4427bc0b5dbe32b2386fc4800cf42c9f42ed3b3
SHA512

b86225d429f244077f1a4313318e034320da2091a02a8064065b2fbd290eaa5285adfe90a161886f6a13dcba996f536da6758da78cf54ec01c900369db841987

Score

10^/10

bitrat suricata trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata
Executes dropped EXE 1 IoCs

Processes:

vhhg.exe

pid process

568 vhhg.exe

pid	process
568	vhhg.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1232-61-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1232-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1232-64-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1232-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1232-67-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1232-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1232-71-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1232-72-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1232-74-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-98-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-99-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

RegAsm.exeRegAsm.exe

pid process

1232 RegAsm.exe
1232 RegAsm.exe
1232 RegAsm.exe
1232 RegAsm.exe
1232 RegAsm.exe
1688 RegAsm.exe
1232 RegAsm.exe

pid	process
1232	RegAsm.exe
1232	RegAsm.exe
1232	RegAsm.exe
1232	RegAsm.exe
1232	RegAsm.exe
1688	RegAsm.exe
1232	RegAsm.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

D7M39A87SH3-ETRANSFER-RECEIPT.exevhhg.exe

description	pid	process	target process
PID 1680 set thread context of 1232	1680	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 568 set thread context of 1688	568	vhhg.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2044 schtasks.exe
1180 schtasks.exe

pid	process
2044	schtasks.exe
1180	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

RegAsm.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1232	RegAsm.exe
Token: SeShutdownPrivilege	1232	RegAsm.exe
Token: SeDebugPrivilege	1688	RegAsm.exe
Token: SeShutdownPrivilege	1688	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

1232 RegAsm.exe
1232 RegAsm.exe

pid	process
1232	RegAsm.exe
1232	RegAsm.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

D7M39A87SH3-ETRANSFER-RECEIPT.execmd.exetaskeng.exevhhg.execmd.exe

description	pid	process	target process
PID 1680 wrote to memory of 1992	1680	D7M39A87SH3-ETRANSFER-RECEIPT.exe	cmd.exe
PID 1680 wrote to memory of 1992	1680	D7M39A87SH3-ETRANSFER-RECEIPT.exe	cmd.exe
PID 1680 wrote to memory of 1992	1680	D7M39A87SH3-ETRANSFER-RECEIPT.exe	cmd.exe
PID 1680 wrote to memory of 1992	1680	D7M39A87SH3-ETRANSFER-RECEIPT.exe	cmd.exe
PID 1992 wrote to memory of 2044	1992	cmd.exe	schtasks.exe
PID 1992 wrote to memory of 2044	1992	cmd.exe	schtasks.exe
PID 1992 wrote to memory of 2044	1992	cmd.exe	schtasks.exe
PID 1992 wrote to memory of 2044	1992	cmd.exe	schtasks.exe
PID 1680 wrote to memory of 1996	1680	D7M39A87SH3-ETRANSFER-RECEIPT.exe	cmd.exe
PID 1680 wrote to memory of 1996	1680	D7M39A87SH3-ETRANSFER-RECEIPT.exe	cmd.exe
PID 1680 wrote to memory of 1996	1680	D7M39A87SH3-ETRANSFER-RECEIPT.exe	cmd.exe
PID 1680 wrote to memory of 1996	1680	D7M39A87SH3-ETRANSFER-RECEIPT.exe	cmd.exe
PID 1680 wrote to memory of 1232	1680	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 1680 wrote to memory of 1232	1680	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 1680 wrote to memory of 1232	1680	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 1680 wrote to memory of 1232	1680	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 1680 wrote to memory of 1232	1680	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 1680 wrote to memory of 1232	1680	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 1680 wrote to memory of 1232	1680	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 1680 wrote to memory of 1232	1680	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 1680 wrote to memory of 1232	1680	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 1680 wrote to memory of 1232	1680	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 1680 wrote to memory of 1232	1680	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 1176 wrote to memory of 568	1176	taskeng.exe	vhhg.exe
PID 1176 wrote to memory of 568	1176	taskeng.exe	vhhg.exe
PID 1176 wrote to memory of 568	1176	taskeng.exe	vhhg.exe
PID 1176 wrote to memory of 568	1176	taskeng.exe	vhhg.exe
PID 568 wrote to memory of 1908	568	vhhg.exe	cmd.exe
PID 568 wrote to memory of 1908	568	vhhg.exe	cmd.exe
PID 568 wrote to memory of 1908	568	vhhg.exe	cmd.exe
PID 568 wrote to memory of 1908	568	vhhg.exe	cmd.exe
PID 1908 wrote to memory of 1180	1908	cmd.exe	schtasks.exe
PID 1908 wrote to memory of 1180	1908	cmd.exe	schtasks.exe
PID 1908 wrote to memory of 1180	1908	cmd.exe	schtasks.exe
PID 1908 wrote to memory of 1180	1908	cmd.exe	schtasks.exe
PID 568 wrote to memory of 1920	568	vhhg.exe	cmd.exe
PID 568 wrote to memory of 1920	568	vhhg.exe	cmd.exe
PID 568 wrote to memory of 1920	568	vhhg.exe	cmd.exe
PID 568 wrote to memory of 1920	568	vhhg.exe	cmd.exe
PID 568 wrote to memory of 1688	568	vhhg.exe	RegAsm.exe
PID 568 wrote to memory of 1688	568	vhhg.exe	RegAsm.exe
PID 568 wrote to memory of 1688	568	vhhg.exe	RegAsm.exe
PID 568 wrote to memory of 1688	568	vhhg.exe	RegAsm.exe
PID 568 wrote to memory of 1688	568	vhhg.exe	RegAsm.exe
PID 568 wrote to memory of 1688	568	vhhg.exe	RegAsm.exe
PID 568 wrote to memory of 1688	568	vhhg.exe	RegAsm.exe
PID 568 wrote to memory of 1688	568	vhhg.exe	RegAsm.exe
PID 568 wrote to memory of 1688	568	vhhg.exe	RegAsm.exe
PID 568 wrote to memory of 1688	568	vhhg.exe	RegAsm.exe
PID 568 wrote to memory of 1688	568	vhhg.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\D7M39A87SH3-ETRANSFER-RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\D7M39A87SH3-ETRANSFER-RECEIPT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\vhhg.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\vhhg.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2044

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\D7M39A87SH3-ETRANSFER-RECEIPT.exe" "C:\Users\Admin\AppData\Roaming\vhhg.exe"
2⤵
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1232

C:\Windows\system32\taskeng.exe
taskeng.exe {41CB11BC-0901-490C-999C-745570BC09FB} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Roaming\vhhg.exe
C:\Users\Admin\AppData\Roaming\vhhg.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\vhhg.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\vhhg.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1180

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\vhhg.exe" "C:\Users\Admin\AppData\Roaming\vhhg.exe"
3⤵
PID:1920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vhhg.exe
Filesize
300.0MB

MD5
edd26deecff12183dc818957f18b866a

SHA1
7e4fc7d57f7502ad210ceafbe294716981585281

SHA256
0b6306bc128b16b99cee0d04e4427bc0b5dbe32b2386fc4800cf42c9f42ed3b3

SHA512
b86225d429f244077f1a4313318e034320da2091a02a8064065b2fbd290eaa5285adfe90a161886f6a13dcba996f536da6758da78cf54ec01c900369db841987

Download Submit
C:\Users\Admin\AppData\Roaming\vhhg.exe
Filesize
266.6MB

MD5
b01b8de55ecbf34528c93879b8a72031

SHA1
d70b69df6aaffcda2ebc8000807276fa8f9b7cda

SHA256
6c62b3fd10dfc419f60c8dfa4a3a4fe424b587524f74fb9bf288ff2e28892509

SHA512
342e95e9bcd5039be2b53dcc3c3e8c0b9f3eb7d2e39516fe74580885dd79d339a11a12ce179a77d746dc099417301c2ca114192b881b2a8a6ca846acf0b68d09

Download Submit
memory/568-77-0x00000000012B0000-0x0000000001442000-memory.dmp

Filesize
1.6MB

Download
memory/568-75-0x0000000000000000-mapping.dmp

Download
memory/1180-84-0x0000000000000000-mapping.dmp

Download
memory/1232-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1232-82-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/1232-61-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1232-101-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/1232-64-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1232-65-0x00000000007E2730-mapping.dmp

Download
memory/1232-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1232-67-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1232-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1232-71-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1232-72-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1232-100-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/1232-74-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1232-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1232-81-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/1232-80-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/1232-79-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/1680-56-0x00000000052E0000-0x0000000005456000-memory.dmp

Filesize
1.5MB

Download
memory/1680-55-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1680-54-0x00000000010D0000-0x0000000001262000-memory.dmp

Filesize
1.6MB

Download
memory/1688-91-0x00000000007E2730-mapping.dmp

Download
memory/1688-98-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-99-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1908-83-0x0000000000000000-mapping.dmp

Download
memory/1920-85-0x0000000000000000-mapping.dmp

Download
memory/1992-57-0x0000000000000000-mapping.dmp

Download
memory/1996-59-0x0000000000000000-mapping.dmp

Download
memory/2044-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads