bitrat | 1fc914f89f244da1649c53034bfe96a2c7744af3d6cd85f258d9c377446f4afd

General

Target

BUD6HCGS_ETRANSFER_RECEIPT.exe
Size

200.0MB
MD5

4adbac216516812a5aaef7114bfb7113
SHA1

68e86d9070f63bb4860ba87cc6414b2dfcf47da8
SHA256

839907fe5e1d61d13e9e4242f6bb3d983b14f972f32b8cfa7f04ccb7c0e3e735
SHA512

f196da861aa55c1683e7bfb02c386eb5bcbbd27deffd46fda045d05d84109cfcd61b58d79bd6667588a1359e9b979be4c9b8b022453d71409b64c8fe5160dbd1

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 3 IoCs

Processes:

DFG.exeDFG.exeDFG.exe

pid process

3280 DFG.exe
1728 DFG.exe
4748 DFG.exe

pid	process
3280	DFG.exe
1728	DFG.exe
4748	DFG.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/116-136-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/116-137-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/116-138-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/116-139-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/116-140-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/116-144-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1728-156-0x0000000000970000-0x0000000000D54000-memory.dmp	upx
behavioral2/memory/1728-157-0x0000000000970000-0x0000000000D54000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

BUD6HCGS_ETRANSFER_RECEIPT.exe

pid process

116 BUD6HCGS_ETRANSFER_RECEIPT.exe
116 BUD6HCGS_ETRANSFER_RECEIPT.exe
116 BUD6HCGS_ETRANSFER_RECEIPT.exe
116 BUD6HCGS_ETRANSFER_RECEIPT.exe

pid	process
116	BUD6HCGS_ETRANSFER_RECEIPT.exe
116	BUD6HCGS_ETRANSFER_RECEIPT.exe
116	BUD6HCGS_ETRANSFER_RECEIPT.exe
116	BUD6HCGS_ETRANSFER_RECEIPT.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

BUD6HCGS_ETRANSFER_RECEIPT.exeDFG.exe

description	pid	process	target process
PID 2092 set thread context of 116	2092	BUD6HCGS_ETRANSFER_RECEIPT.exe	BUD6HCGS_ETRANSFER_RECEIPT.exe
PID 3280 set thread context of 1728	3280	DFG.exe	DFG.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2632 1728 WerFault.exe DFG.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4892 schtasks.exe
2364 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

BUD6HCGS_ETRANSFER_RECEIPT.exe

description pid process

Token: SeShutdownPrivilege 116 BUD6HCGS_ETRANSFER_RECEIPT.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

BUD6HCGS_ETRANSFER_RECEIPT.exe

pid process

116 BUD6HCGS_ETRANSFER_RECEIPT.exe
116 BUD6HCGS_ETRANSFER_RECEIPT.exe

pid	pid_target	process	target process
2632	1728	WerFault.exe	DFG.exe

pid	process
4892	schtasks.exe
2364	schtasks.exe

description	pid	process
Token: SeShutdownPrivilege	116	BUD6HCGS_ETRANSFER_RECEIPT.exe

pid	process
116	BUD6HCGS_ETRANSFER_RECEIPT.exe
116	BUD6HCGS_ETRANSFER_RECEIPT.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

BUD6HCGS_ETRANSFER_RECEIPT.execmd.exeDFG.execmd.exe

description	pid	process	target process
PID 2092 wrote to memory of 5108	2092	BUD6HCGS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 2092 wrote to memory of 5108	2092	BUD6HCGS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 2092 wrote to memory of 5108	2092	BUD6HCGS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 5108 wrote to memory of 4892	5108	cmd.exe	schtasks.exe
PID 5108 wrote to memory of 4892	5108	cmd.exe	schtasks.exe
PID 5108 wrote to memory of 4892	5108	cmd.exe	schtasks.exe
PID 2092 wrote to memory of 400	2092	BUD6HCGS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 2092 wrote to memory of 400	2092	BUD6HCGS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 2092 wrote to memory of 400	2092	BUD6HCGS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 2092 wrote to memory of 116	2092	BUD6HCGS_ETRANSFER_RECEIPT.exe	BUD6HCGS_ETRANSFER_RECEIPT.exe
PID 2092 wrote to memory of 116	2092	BUD6HCGS_ETRANSFER_RECEIPT.exe	BUD6HCGS_ETRANSFER_RECEIPT.exe
PID 2092 wrote to memory of 116	2092	BUD6HCGS_ETRANSFER_RECEIPT.exe	BUD6HCGS_ETRANSFER_RECEIPT.exe
PID 2092 wrote to memory of 116	2092	BUD6HCGS_ETRANSFER_RECEIPT.exe	BUD6HCGS_ETRANSFER_RECEIPT.exe
PID 2092 wrote to memory of 116	2092	BUD6HCGS_ETRANSFER_RECEIPT.exe	BUD6HCGS_ETRANSFER_RECEIPT.exe
PID 2092 wrote to memory of 116	2092	BUD6HCGS_ETRANSFER_RECEIPT.exe	BUD6HCGS_ETRANSFER_RECEIPT.exe
PID 2092 wrote to memory of 116	2092	BUD6HCGS_ETRANSFER_RECEIPT.exe	BUD6HCGS_ETRANSFER_RECEIPT.exe
PID 3280 wrote to memory of 3976	3280	DFG.exe	cmd.exe
PID 3280 wrote to memory of 3976	3280	DFG.exe	cmd.exe
PID 3280 wrote to memory of 3976	3280	DFG.exe	cmd.exe
PID 3976 wrote to memory of 2364	3976	cmd.exe	schtasks.exe
PID 3976 wrote to memory of 2364	3976	cmd.exe	schtasks.exe
PID 3976 wrote to memory of 2364	3976	cmd.exe	schtasks.exe
PID 3280 wrote to memory of 2184	3280	DFG.exe	cmd.exe
PID 3280 wrote to memory of 2184	3280	DFG.exe	cmd.exe
PID 3280 wrote to memory of 2184	3280	DFG.exe	cmd.exe
PID 3280 wrote to memory of 1728	3280	DFG.exe	DFG.exe
PID 3280 wrote to memory of 1728	3280	DFG.exe	DFG.exe
PID 3280 wrote to memory of 1728	3280	DFG.exe	DFG.exe
PID 3280 wrote to memory of 1728	3280	DFG.exe	DFG.exe
PID 3280 wrote to memory of 1728	3280	DFG.exe	DFG.exe
PID 3280 wrote to memory of 1728	3280	DFG.exe	DFG.exe
PID 3280 wrote to memory of 1728	3280	DFG.exe	DFG.exe

C:\Users\Admin\AppData\Local\Temp\BUD6HCGS_ETRANSFER_RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\BUD6HCGS_ETRANSFER_RECEIPT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\DFG.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\DFG.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4892

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\BUD6HCGS_ETRANSFER_RECEIPT.exe" "C:\Users\Admin\AppData\Roaming\DFG.exe"
2⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\BUD6HCGS_ETRANSFER_RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\BUD6HCGS_ETRANSFER_RECEIPT.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:116

C:\Users\Admin\AppData\Roaming\DFG.exe
C:\Users\Admin\AppData\Roaming\DFG.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3280

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\DFG.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\DFG.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2364

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\DFG.exe" "C:\Users\Admin\AppData\Roaming\DFG.exe"
2⤵
PID:2184

C:\Users\Admin\AppData\Roaming\DFG.exe
"C:\Users\Admin\AppData\Roaming\DFG.exe"
2⤵
- Executes dropped EXE
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 188
3⤵
- Program crash
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1728 -ip 1728
1⤵
PID:3144

C:\Users\Admin\AppData\Roaming\DFG.exe
C:\Users\Admin\AppData\Roaming\DFG.exe
1⤵
- Executes dropped EXE
PID:4748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DFG.exe.log
Filesize
520B

MD5
03febbff58da1d3318c31657d89c8542

SHA1
c9e017bd9d0a4fe533795b227c855935d86c2092

SHA256
5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4

SHA512
3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

Download Submit
C:\Users\Admin\AppData\Roaming\DFG.exe
Filesize
200.0MB

MD5
4adbac216516812a5aaef7114bfb7113

SHA1
68e86d9070f63bb4860ba87cc6414b2dfcf47da8

SHA256
839907fe5e1d61d13e9e4242f6bb3d983b14f972f32b8cfa7f04ccb7c0e3e735

SHA512
f196da861aa55c1683e7bfb02c386eb5bcbbd27deffd46fda045d05d84109cfcd61b58d79bd6667588a1359e9b979be4c9b8b022453d71409b64c8fe5160dbd1

Download Submit
C:\Users\Admin\AppData\Roaming\DFG.exe
Filesize
200.0MB

MD5
4adbac216516812a5aaef7114bfb7113

SHA1
68e86d9070f63bb4860ba87cc6414b2dfcf47da8

SHA256
839907fe5e1d61d13e9e4242f6bb3d983b14f972f32b8cfa7f04ccb7c0e3e735

SHA512
f196da861aa55c1683e7bfb02c386eb5bcbbd27deffd46fda045d05d84109cfcd61b58d79bd6667588a1359e9b979be4c9b8b022453d71409b64c8fe5160dbd1

Download Submit
C:\Users\Admin\AppData\Roaming\DFG.exe
Filesize
200.0MB

MD5
4adbac216516812a5aaef7114bfb7113

SHA1
68e86d9070f63bb4860ba87cc6414b2dfcf47da8

SHA256
839907fe5e1d61d13e9e4242f6bb3d983b14f972f32b8cfa7f04ccb7c0e3e735

SHA512
f196da861aa55c1683e7bfb02c386eb5bcbbd27deffd46fda045d05d84109cfcd61b58d79bd6667588a1359e9b979be4c9b8b022453d71409b64c8fe5160dbd1

Download Submit
C:\Users\Admin\AppData\Roaming\DFG.exe
Filesize
200.0MB

MD5
4adbac216516812a5aaef7114bfb7113

SHA1
68e86d9070f63bb4860ba87cc6414b2dfcf47da8

SHA256
839907fe5e1d61d13e9e4242f6bb3d983b14f972f32b8cfa7f04ccb7c0e3e735

SHA512
f196da861aa55c1683e7bfb02c386eb5bcbbd27deffd46fda045d05d84109cfcd61b58d79bd6667588a1359e9b979be4c9b8b022453d71409b64c8fe5160dbd1

Download Submit
memory/116-148-0x0000000074C60000-0x0000000074C99000-memory.dmp

Filesize
228KB

Download
memory/116-158-0x0000000074FC0000-0x0000000074FF9000-memory.dmp

Filesize
228KB

Download
memory/116-137-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/116-138-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/116-139-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/116-140-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/116-141-0x0000000074C20000-0x0000000074C59000-memory.dmp

Filesize
228KB

Download
memory/116-142-0x0000000074FC0000-0x0000000074FF9000-memory.dmp

Filesize
228KB

Download
memory/116-143-0x0000000074FC0000-0x0000000074FF9000-memory.dmp

Filesize
228KB

Download
memory/116-144-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/116-145-0x0000000074FC0000-0x0000000074FF9000-memory.dmp

Filesize
228KB

Download
memory/116-135-0x0000000000000000-mapping.dmp

Download
memory/116-166-0x0000000074D00000-0x0000000074D39000-memory.dmp

Filesize
228KB

Download
memory/116-165-0x0000000074FC0000-0x0000000074FF9000-memory.dmp

Filesize
228KB

Download
memory/116-149-0x0000000074C60000-0x0000000074C99000-memory.dmp

Filesize
228KB

Download
memory/116-164-0x0000000074D00000-0x0000000074D39000-memory.dmp

Filesize
228KB

Download
memory/116-161-0x0000000074FC0000-0x0000000074FF9000-memory.dmp

Filesize
228KB

Download
memory/116-160-0x0000000074FC0000-0x0000000074FF9000-memory.dmp

Filesize
228KB

Download
memory/116-159-0x0000000074C20000-0x0000000074C59000-memory.dmp

Filesize
228KB

Download
memory/116-136-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/400-134-0x0000000000000000-mapping.dmp

Download
memory/1728-156-0x0000000000970000-0x0000000000D54000-memory.dmp

Filesize
3.9MB

Download
memory/1728-157-0x0000000000970000-0x0000000000D54000-memory.dmp

Filesize
3.9MB

Download
memory/1728-153-0x0000000000000000-mapping.dmp

Download
memory/2092-131-0x0000000005E30000-0x00000000063D4000-memory.dmp

Filesize
5.6MB

Download
memory/2092-130-0x0000000000C70000-0x0000000000E00000-memory.dmp

Filesize
1.6MB

Download
memory/2184-152-0x0000000000000000-mapping.dmp

Download
memory/2364-151-0x0000000000000000-mapping.dmp

Download
memory/3976-150-0x0000000000000000-mapping.dmp

Download
memory/4892-133-0x0000000000000000-mapping.dmp

Download
memory/5108-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads