bitrat | 859246ff173ff4ff68c9c761a21aa9944c7c2dba5cd882d9309d845355895631

General

Target

D7M39A87SH3-ETRANSFER-RECEIPT.exe
Size

300.0MB
MD5

edd26deecff12183dc818957f18b866a
SHA1

7e4fc7d57f7502ad210ceafbe294716981585281
SHA256

0b6306bc128b16b99cee0d04e4427bc0b5dbe32b2386fc4800cf42c9f42ed3b3
SHA512

b86225d429f244077f1a4313318e034320da2091a02a8064065b2fbd290eaa5285adfe90a161886f6a13dcba996f536da6758da78cf54ec01c900369db841987

Score

10^/10

bitrat suricata trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata
Executes dropped EXE 2 IoCs

Processes:

vhhg.exevhhg.exe

pid process

4368 vhhg.exe
1112 vhhg.exe

pid	process
4368	vhhg.exe
1112	vhhg.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4404-136-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4404-137-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4404-138-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4404-139-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4404-140-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4404-143-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1356-152-0x0000000000700000-0x0000000000AE4000-memory.dmp	upx
behavioral2/memory/1356-153-0x0000000000700000-0x0000000000AE4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

RegAsm.exe

pid process

4404 RegAsm.exe
4404 RegAsm.exe
4404 RegAsm.exe
4404 RegAsm.exe
4404 RegAsm.exe

pid	process
4404	RegAsm.exe
4404	RegAsm.exe
4404	RegAsm.exe
4404	RegAsm.exe
4404	RegAsm.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

D7M39A87SH3-ETRANSFER-RECEIPT.exevhhg.exe

description	pid	process	target process
PID 3792 set thread context of 4404	3792	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 4368 set thread context of 1356	4368	vhhg.exe	RegAsm.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2064 1356 WerFault.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4528 schtasks.exe
3856 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeShutdownPrivilege 4404 RegAsm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

4404 RegAsm.exe
4404 RegAsm.exe

pid	pid_target	process	target process
2064	1356	WerFault.exe	RegAsm.exe

pid	process
4528	schtasks.exe
3856	schtasks.exe

description	pid	process
Token: SeShutdownPrivilege	4404	RegAsm.exe

pid	process
4404	RegAsm.exe
4404	RegAsm.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

D7M39A87SH3-ETRANSFER-RECEIPT.execmd.exevhhg.execmd.exevhhg.exe

description	pid	process	target process
PID 3792 wrote to memory of 396	3792	D7M39A87SH3-ETRANSFER-RECEIPT.exe	cmd.exe
PID 3792 wrote to memory of 396	3792	D7M39A87SH3-ETRANSFER-RECEIPT.exe	cmd.exe
PID 3792 wrote to memory of 396	3792	D7M39A87SH3-ETRANSFER-RECEIPT.exe	cmd.exe
PID 396 wrote to memory of 4528	396	cmd.exe	schtasks.exe
PID 396 wrote to memory of 4528	396	cmd.exe	schtasks.exe
PID 396 wrote to memory of 4528	396	cmd.exe	schtasks.exe
PID 3792 wrote to memory of 4420	3792	D7M39A87SH3-ETRANSFER-RECEIPT.exe	cmd.exe
PID 3792 wrote to memory of 4420	3792	D7M39A87SH3-ETRANSFER-RECEIPT.exe	cmd.exe
PID 3792 wrote to memory of 4420	3792	D7M39A87SH3-ETRANSFER-RECEIPT.exe	cmd.exe
PID 3792 wrote to memory of 4404	3792	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 3792 wrote to memory of 4404	3792	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 3792 wrote to memory of 4404	3792	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 3792 wrote to memory of 4404	3792	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 3792 wrote to memory of 4404	3792	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 3792 wrote to memory of 4404	3792	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 3792 wrote to memory of 4404	3792	D7M39A87SH3-ETRANSFER-RECEIPT.exe	RegAsm.exe
PID 4368 wrote to memory of 2012	4368	vhhg.exe	cmd.exe
PID 4368 wrote to memory of 2012	4368	vhhg.exe	cmd.exe
PID 4368 wrote to memory of 2012	4368	vhhg.exe	cmd.exe
PID 2012 wrote to memory of 3856	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 3856	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 3856	2012	cmd.exe	schtasks.exe
PID 4368 wrote to memory of 3788	4368	vhhg.exe	cmd.exe
PID 4368 wrote to memory of 3788	4368	vhhg.exe	cmd.exe
PID 4368 wrote to memory of 3788	4368	vhhg.exe	cmd.exe
PID 4368 wrote to memory of 1356	4368	vhhg.exe	RegAsm.exe
PID 4368 wrote to memory of 1356	4368	vhhg.exe	RegAsm.exe
PID 4368 wrote to memory of 1356	4368	vhhg.exe	RegAsm.exe
PID 4368 wrote to memory of 1356	4368	vhhg.exe	RegAsm.exe
PID 4368 wrote to memory of 1356	4368	vhhg.exe	RegAsm.exe
PID 4368 wrote to memory of 1356	4368	vhhg.exe	RegAsm.exe
PID 4368 wrote to memory of 1356	4368	vhhg.exe	RegAsm.exe
PID 1112 wrote to memory of 2468	1112	vhhg.exe	cmd.exe
PID 1112 wrote to memory of 2468	1112	vhhg.exe	cmd.exe
PID 1112 wrote to memory of 2468	1112	vhhg.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\D7M39A87SH3-ETRANSFER-RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\D7M39A87SH3-ETRANSFER-RECEIPT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3792

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\vhhg.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\vhhg.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4528

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\D7M39A87SH3-ETRANSFER-RECEIPT.exe" "C:\Users\Admin\AppData\Roaming\vhhg.exe"
2⤵
PID:4420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4404

C:\Users\Admin\AppData\Roaming\vhhg.exe
C:\Users\Admin\AppData\Roaming\vhhg.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\vhhg.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\vhhg.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3856

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\vhhg.exe" "C:\Users\Admin\AppData\Roaming\vhhg.exe"
2⤵
PID:3788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 540
3⤵
- Program crash
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1356 -ip 1356
1⤵
PID:1560

C:\Users\Admin\AppData\Roaming\vhhg.exe
C:\Users\Admin\AppData\Roaming\vhhg.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\vhhg.exe'" /f
2⤵
PID:2468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vhhg.exe.log
Filesize
520B

MD5
41c37de2b4598f7759f865817dba5f80

SHA1
884ccf344bc2dd409425dc5ace0fd909a5f8cce4

SHA256
427235491a8da3fc8770ed60d30af731835c94585cd08d4d81fca9f703b283bc

SHA512
a8f3c74916623de100e4cf22e05df9cdf541b1e32443aab0434f35fb9c4a7fa950b997ce589b532e65731ae471a1f152cd5c00ea1df4bd7a6b57eb27c93c54bd

Download Submit
C:\Users\Admin\AppData\Roaming\vhhg.exe
Filesize
300.0MB

MD5
edd26deecff12183dc818957f18b866a

SHA1
7e4fc7d57f7502ad210ceafbe294716981585281

SHA256
0b6306bc128b16b99cee0d04e4427bc0b5dbe32b2386fc4800cf42c9f42ed3b3

SHA512
b86225d429f244077f1a4313318e034320da2091a02a8064065b2fbd290eaa5285adfe90a161886f6a13dcba996f536da6758da78cf54ec01c900369db841987

Download Submit
C:\Users\Admin\AppData\Roaming\vhhg.exe
Filesize
300.0MB

MD5
edd26deecff12183dc818957f18b866a

SHA1
7e4fc7d57f7502ad210ceafbe294716981585281

SHA256
0b6306bc128b16b99cee0d04e4427bc0b5dbe32b2386fc4800cf42c9f42ed3b3

SHA512
b86225d429f244077f1a4313318e034320da2091a02a8064065b2fbd290eaa5285adfe90a161886f6a13dcba996f536da6758da78cf54ec01c900369db841987

Download Submit
C:\Users\Admin\AppData\Roaming\vhhg.exe
Filesize
113.7MB

MD5
1e532e3b7618ace7c51461499ae3bf43

SHA1
82f2ae5480e6eb1f1088681ee50d79e57bb3a0ea

SHA256
c59add524b8ba156fed88696cd9c9dc93f984a2e4426dfde355d4579e65af349

SHA512
37b4828c8af254d49ee0673213f8e650d9d2c6f3f259aeb117521c4bae8e9628e8d2b60d9d75d938408aa2f84e694b34df9e5bf32f6daffe68d57dfd1bf1d2e1

Download Submit
memory/396-131-0x0000000000000000-mapping.dmp

Download
memory/1356-152-0x0000000000700000-0x0000000000AE4000-memory.dmp

Filesize
3.9MB

Download
memory/1356-153-0x0000000000700000-0x0000000000AE4000-memory.dmp

Filesize
3.9MB

Download
memory/1356-150-0x0000000000000000-mapping.dmp

Download
memory/2012-147-0x0000000000000000-mapping.dmp

Download
memory/2468-160-0x0000000000000000-mapping.dmp

Download
memory/3788-149-0x0000000000000000-mapping.dmp

Download
memory/3792-133-0x0000000005FA0000-0x0000000006544000-memory.dmp

Filesize
5.6MB

Download
memory/3792-130-0x00000000009A0000-0x0000000000B32000-memory.dmp

Filesize
1.6MB

Download
memory/3856-148-0x0000000000000000-mapping.dmp

Download
memory/4404-139-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4404-136-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4404-135-0x0000000000000000-mapping.dmp

Download
memory/4404-143-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4404-154-0x0000000075080000-0x00000000750B9000-memory.dmp

Filesize
228KB

Download
memory/4404-142-0x0000000075480000-0x00000000754B9000-memory.dmp

Filesize
228KB

Download
memory/4404-141-0x00000000750E0000-0x0000000075119000-memory.dmp

Filesize
228KB

Download
memory/4404-138-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4404-146-0x00000000751A0000-0x00000000751D9000-memory.dmp

Filesize
228KB

Download
memory/4404-161-0x00000000751A0000-0x00000000751D9000-memory.dmp

Filesize
228KB

Download
memory/4404-140-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4404-137-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4404-157-0x00000000750E0000-0x0000000075119000-memory.dmp

Filesize
228KB

Download
memory/4404-158-0x0000000075480000-0x00000000754B9000-memory.dmp

Filesize
228KB

Download
memory/4404-159-0x00000000751A0000-0x00000000751D9000-memory.dmp

Filesize
228KB

Download
memory/4420-134-0x0000000000000000-mapping.dmp

Download
memory/4528-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads