bitrat | cf6d98bae753d07d6f8050ee48038f2969fa60b58d86c27a99330427b7c1b9ef

General

Target

BUD6HCGS_ETRANSFER_RECEIPT.exe
Size

200.0MB
MD5

4adbac216516812a5aaef7114bfb7113
SHA1

68e86d9070f63bb4860ba87cc6414b2dfcf47da8
SHA256

839907fe5e1d61d13e9e4242f6bb3d983b14f972f32b8cfa7f04ccb7c0e3e735
SHA512

f196da861aa55c1683e7bfb02c386eb5bcbbd27deffd46fda045d05d84109cfcd61b58d79bd6667588a1359e9b979be4c9b8b022453d71409b64c8fe5160dbd1

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 4 IoCs

Processes:

DFG.exeDFG.exeDFG.exeDFG.exe

pid process

288 DFG.exe
1760 DFG.exe
1092 DFG.exe
1180 DFG.exe

pid	process
288	DFG.exe
1760	DFG.exe
1092	DFG.exe
1180	DFG.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1480-60-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1480-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1480-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1480-65-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1480-67-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1480-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1480-69-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1480-74-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1760-87-0x0000000000430000-0x0000000000814000-memory.dmp	upx
behavioral1/memory/1760-86-0x0000000000430000-0x0000000000814000-memory.dmp	upx
behavioral1/memory/1760-90-0x0000000000430000-0x0000000000814000-memory.dmp	upx
behavioral1/memory/1760-91-0x0000000000430000-0x0000000000814000-memory.dmp	upx
behavioral1/memory/1180-106-0x0000000000460000-0x0000000000844000-memory.dmp	upx
behavioral1/memory/1180-107-0x0000000000460000-0x0000000000844000-memory.dmp	upx
behavioral1/memory/1180-110-0x0000000000460000-0x0000000000844000-memory.dmp	upx
behavioral1/memory/1180-111-0x0000000000460000-0x0000000000844000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

BUD6HCGS_ETRANSFER_RECEIPT.exeDFG.exeDFG.exe

pid	process
1480	BUD6HCGS_ETRANSFER_RECEIPT.exe
1480	BUD6HCGS_ETRANSFER_RECEIPT.exe
1480	BUD6HCGS_ETRANSFER_RECEIPT.exe
1480	BUD6HCGS_ETRANSFER_RECEIPT.exe
1760	DFG.exe
1180	DFG.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

BUD6HCGS_ETRANSFER_RECEIPT.exeDFG.exeDFG.exe

description	pid	process	target process
PID 2036 set thread context of 1480	2036	BUD6HCGS_ETRANSFER_RECEIPT.exe	BUD6HCGS_ETRANSFER_RECEIPT.exe
PID 288 set thread context of 1760	288	DFG.exe	DFG.exe
PID 1092 set thread context of 1180	1092	DFG.exe	DFG.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1704 schtasks.exe
1112 schtasks.exe
1224 schtasks.exe
NTFS ADS 1 IoCs

Processes:

BUD6HCGS_ETRANSFER_RECEIPT.exe

description ioc process

File created C:\Users\Admin\AppData\Local:17-06-2022 BUD6HCGS_ETRANSFER_RECEIPT.exe

pid	process
1704	schtasks.exe
1112	schtasks.exe
1224	schtasks.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local:17-06-2022	BUD6HCGS_ETRANSFER_RECEIPT.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

BUD6HCGS_ETRANSFER_RECEIPT.exeDFG.exeDFG.exe

description	pid	process
Token: SeDebugPrivilege	1480	BUD6HCGS_ETRANSFER_RECEIPT.exe
Token: SeShutdownPrivilege	1480	BUD6HCGS_ETRANSFER_RECEIPT.exe
Token: SeDebugPrivilege	1760	DFG.exe
Token: SeShutdownPrivilege	1760	DFG.exe
Token: SeDebugPrivilege	1180	DFG.exe
Token: SeShutdownPrivilege	1180	DFG.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

BUD6HCGS_ETRANSFER_RECEIPT.exe

pid process

1480 BUD6HCGS_ETRANSFER_RECEIPT.exe
1480 BUD6HCGS_ETRANSFER_RECEIPT.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BUD6HCGS_ETRANSFER_RECEIPT.execmd.exetaskeng.exeDFG.execmd.exeDFG.execmd.exe

description	pid	process	target process
PID 2036 wrote to memory of 924	2036	BUD6HCGS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 2036 wrote to memory of 924	2036	BUD6HCGS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 2036 wrote to memory of 924	2036	BUD6HCGS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 2036 wrote to memory of 924	2036	BUD6HCGS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 924 wrote to memory of 1704	924	cmd.exe	schtasks.exe
PID 924 wrote to memory of 1704	924	cmd.exe	schtasks.exe
PID 924 wrote to memory of 1704	924	cmd.exe	schtasks.exe
PID 924 wrote to memory of 1704	924	cmd.exe	schtasks.exe
PID 2036 wrote to memory of 1664	2036	BUD6HCGS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 2036 wrote to memory of 1664	2036	BUD6HCGS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 2036 wrote to memory of 1664	2036	BUD6HCGS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 2036 wrote to memory of 1664	2036	BUD6HCGS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 2036 wrote to memory of 1480	2036	BUD6HCGS_ETRANSFER_RECEIPT.exe	BUD6HCGS_ETRANSFER_RECEIPT.exe
PID 2036 wrote to memory of 1480	2036	BUD6HCGS_ETRANSFER_RECEIPT.exe	BUD6HCGS_ETRANSFER_RECEIPT.exe
PID 2036 wrote to memory of 1480	2036	BUD6HCGS_ETRANSFER_RECEIPT.exe	BUD6HCGS_ETRANSFER_RECEIPT.exe
PID 2036 wrote to memory of 1480	2036	BUD6HCGS_ETRANSFER_RECEIPT.exe	BUD6HCGS_ETRANSFER_RECEIPT.exe
PID 2036 wrote to memory of 1480	2036	BUD6HCGS_ETRANSFER_RECEIPT.exe	BUD6HCGS_ETRANSFER_RECEIPT.exe
PID 2036 wrote to memory of 1480	2036	BUD6HCGS_ETRANSFER_RECEIPT.exe	BUD6HCGS_ETRANSFER_RECEIPT.exe
PID 2036 wrote to memory of 1480	2036	BUD6HCGS_ETRANSFER_RECEIPT.exe	BUD6HCGS_ETRANSFER_RECEIPT.exe
PID 2036 wrote to memory of 1480	2036	BUD6HCGS_ETRANSFER_RECEIPT.exe	BUD6HCGS_ETRANSFER_RECEIPT.exe
PID 700 wrote to memory of 288	700	taskeng.exe	DFG.exe
PID 700 wrote to memory of 288	700	taskeng.exe	DFG.exe
PID 700 wrote to memory of 288	700	taskeng.exe	DFG.exe
PID 700 wrote to memory of 288	700	taskeng.exe	DFG.exe
PID 288 wrote to memory of 1276	288	DFG.exe	cmd.exe
PID 288 wrote to memory of 1276	288	DFG.exe	cmd.exe
PID 288 wrote to memory of 1276	288	DFG.exe	cmd.exe
PID 288 wrote to memory of 1276	288	DFG.exe	cmd.exe
PID 1276 wrote to memory of 1112	1276	cmd.exe	schtasks.exe
PID 1276 wrote to memory of 1112	1276	cmd.exe	schtasks.exe
PID 1276 wrote to memory of 1112	1276	cmd.exe	schtasks.exe
PID 1276 wrote to memory of 1112	1276	cmd.exe	schtasks.exe
PID 288 wrote to memory of 1444	288	DFG.exe	cmd.exe
PID 288 wrote to memory of 1444	288	DFG.exe	cmd.exe
PID 288 wrote to memory of 1444	288	DFG.exe	cmd.exe
PID 288 wrote to memory of 1444	288	DFG.exe	cmd.exe
PID 288 wrote to memory of 1760	288	DFG.exe	DFG.exe
PID 288 wrote to memory of 1760	288	DFG.exe	DFG.exe
PID 288 wrote to memory of 1760	288	DFG.exe	DFG.exe
PID 288 wrote to memory of 1760	288	DFG.exe	DFG.exe
PID 288 wrote to memory of 1760	288	DFG.exe	DFG.exe
PID 288 wrote to memory of 1760	288	DFG.exe	DFG.exe
PID 288 wrote to memory of 1760	288	DFG.exe	DFG.exe
PID 288 wrote to memory of 1760	288	DFG.exe	DFG.exe
PID 700 wrote to memory of 1092	700	taskeng.exe	DFG.exe
PID 700 wrote to memory of 1092	700	taskeng.exe	DFG.exe
PID 700 wrote to memory of 1092	700	taskeng.exe	DFG.exe
PID 700 wrote to memory of 1092	700	taskeng.exe	DFG.exe
PID 1092 wrote to memory of 2020	1092	DFG.exe	cmd.exe
PID 1092 wrote to memory of 2020	1092	DFG.exe	cmd.exe
PID 1092 wrote to memory of 2020	1092	DFG.exe	cmd.exe
PID 1092 wrote to memory of 2020	1092	DFG.exe	cmd.exe
PID 2020 wrote to memory of 1224	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 1224	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 1224	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 1224	2020	cmd.exe	schtasks.exe
PID 1092 wrote to memory of 1580	1092	DFG.exe	cmd.exe
PID 1092 wrote to memory of 1580	1092	DFG.exe	cmd.exe
PID 1092 wrote to memory of 1580	1092	DFG.exe	cmd.exe
PID 1092 wrote to memory of 1580	1092	DFG.exe	cmd.exe
PID 1092 wrote to memory of 1180	1092	DFG.exe	DFG.exe
PID 1092 wrote to memory of 1180	1092	DFG.exe	DFG.exe
PID 1092 wrote to memory of 1180	1092	DFG.exe	DFG.exe
PID 1092 wrote to memory of 1180	1092	DFG.exe	DFG.exe

C:\Users\Admin\AppData\Local\Temp\BUD6HCGS_ETRANSFER_RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\BUD6HCGS_ETRANSFER_RECEIPT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\DFG.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\DFG.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1704

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\BUD6HCGS_ETRANSFER_RECEIPT.exe" "C:\Users\Admin\AppData\Roaming\DFG.exe"
2⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\BUD6HCGS_ETRANSFER_RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\BUD6HCGS_ETRANSFER_RECEIPT.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1480

C:\Windows\system32\taskeng.exe
taskeng.exe {A77D036A-8F71-4954-A413-9327DA852DE6} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:700

C:\Users\Admin\AppData\Roaming\DFG.exe
C:\Users\Admin\AppData\Roaming\DFG.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\DFG.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\DFG.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1112

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\DFG.exe" "C:\Users\Admin\AppData\Roaming\DFG.exe"
3⤵
PID:1444

C:\Users\Admin\AppData\Roaming\DFG.exe
"C:\Users\Admin\AppData\Roaming\DFG.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Users\Admin\AppData\Roaming\DFG.exe
C:\Users\Admin\AppData\Roaming\DFG.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\DFG.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\DFG.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1224

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\DFG.exe" "C:\Users\Admin\AppData\Roaming\DFG.exe"
3⤵
PID:1580

C:\Users\Admin\AppData\Roaming\DFG.exe
"C:\Users\Admin\AppData\Roaming\DFG.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DFG.exe

Filesize
200.0MB

MD5
4adbac216516812a5aaef7114bfb7113

SHA1
68e86d9070f63bb4860ba87cc6414b2dfcf47da8

SHA256
839907fe5e1d61d13e9e4242f6bb3d983b14f972f32b8cfa7f04ccb7c0e3e735

SHA512
f196da861aa55c1683e7bfb02c386eb5bcbbd27deffd46fda045d05d84109cfcd61b58d79bd6667588a1359e9b979be4c9b8b022453d71409b64c8fe5160dbd1

Download Submit
C:\Users\Admin\AppData\Roaming\DFG.exe

Filesize
200.0MB

MD5
4adbac216516812a5aaef7114bfb7113

SHA1
68e86d9070f63bb4860ba87cc6414b2dfcf47da8

SHA256
839907fe5e1d61d13e9e4242f6bb3d983b14f972f32b8cfa7f04ccb7c0e3e735

SHA512
f196da861aa55c1683e7bfb02c386eb5bcbbd27deffd46fda045d05d84109cfcd61b58d79bd6667588a1359e9b979be4c9b8b022453d71409b64c8fe5160dbd1

Download Submit
C:\Users\Admin\AppData\Roaming\DFG.exe

Filesize
200.0MB

MD5
4adbac216516812a5aaef7114bfb7113

SHA1
68e86d9070f63bb4860ba87cc6414b2dfcf47da8

SHA256
839907fe5e1d61d13e9e4242f6bb3d983b14f972f32b8cfa7f04ccb7c0e3e735

SHA512
f196da861aa55c1683e7bfb02c386eb5bcbbd27deffd46fda045d05d84109cfcd61b58d79bd6667588a1359e9b979be4c9b8b022453d71409b64c8fe5160dbd1

Download Submit
C:\Users\Admin\AppData\Roaming\DFG.exe

Filesize
200.0MB

MD5
4adbac216516812a5aaef7114bfb7113

SHA1
68e86d9070f63bb4860ba87cc6414b2dfcf47da8

SHA256
839907fe5e1d61d13e9e4242f6bb3d983b14f972f32b8cfa7f04ccb7c0e3e735

SHA512
f196da861aa55c1683e7bfb02c386eb5bcbbd27deffd46fda045d05d84109cfcd61b58d79bd6667588a1359e9b979be4c9b8b022453d71409b64c8fe5160dbd1

Download Submit
C:\Users\Admin\AppData\Roaming\DFG.exe

Filesize
200.0MB

MD5
4adbac216516812a5aaef7114bfb7113

SHA1
68e86d9070f63bb4860ba87cc6414b2dfcf47da8

SHA256
839907fe5e1d61d13e9e4242f6bb3d983b14f972f32b8cfa7f04ccb7c0e3e735

SHA512
f196da861aa55c1683e7bfb02c386eb5bcbbd27deffd46fda045d05d84109cfcd61b58d79bd6667588a1359e9b979be4c9b8b022453d71409b64c8fe5160dbd1

Download Submit
memory/288-71-0x0000000000000000-mapping.dmp

Download
memory/288-73-0x00000000002A0000-0x0000000000430000-memory.dmp

Filesize
1.6MB

Download
memory/924-56-0x0000000000000000-mapping.dmp

Download
memory/1092-94-0x00000000013E0000-0x0000000001570000-memory.dmp

Filesize
1.6MB

Download
memory/1092-92-0x0000000000000000-mapping.dmp

Download
memory/1112-77-0x0000000000000000-mapping.dmp

Download
memory/1180-111-0x0000000000460000-0x0000000000844000-memory.dmp

Filesize
3.9MB

Download
memory/1180-110-0x0000000000460000-0x0000000000844000-memory.dmp

Filesize
3.9MB

Download
memory/1180-107-0x0000000000460000-0x0000000000844000-memory.dmp

Filesize
3.9MB

Download
memory/1180-106-0x0000000000460000-0x0000000000844000-memory.dmp

Filesize
3.9MB

Download
memory/1180-104-0x00000000007E2730-mapping.dmp

Download
memory/1224-97-0x0000000000000000-mapping.dmp

Download
memory/1276-76-0x0000000000000000-mapping.dmp

Download
memory/1444-78-0x0000000000000000-mapping.dmp

Download
memory/1480-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1480-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1480-74-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1480-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1480-69-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1480-65-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1480-67-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1480-64-0x00000000007E2730-mapping.dmp

Download
memory/1480-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1480-59-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1580-98-0x0000000000000000-mapping.dmp

Download
memory/1664-58-0x0000000000000000-mapping.dmp

Download
memory/1704-57-0x0000000000000000-mapping.dmp

Download
memory/1760-91-0x0000000000430000-0x0000000000814000-memory.dmp

Filesize
3.9MB

Download
memory/1760-90-0x0000000000430000-0x0000000000814000-memory.dmp

Filesize
3.9MB

Download
memory/1760-84-0x00000000007E2730-mapping.dmp

Download
memory/1760-86-0x0000000000430000-0x0000000000814000-memory.dmp

Filesize
3.9MB

Download
memory/1760-87-0x0000000000430000-0x0000000000814000-memory.dmp

Filesize
3.9MB

Download
memory/1760-80-0x00000000006A2000-0x0000000000813000-memory.dmp

Filesize
1.4MB

Download
memory/2020-96-0x0000000000000000-mapping.dmp

Download
memory/2036-54-0x0000000001300000-0x0000000001490000-memory.dmp

Filesize
1.6MB

Download
memory/2036-55-0x0000000075C01000-0x0000000075C03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads