bitrat | 234cad9129c3468824397de31f34b9a564f5e49f2312f057be94cae409004daf

General

Target

JO37GDDJF5_ETRANSFER_RECEIPT.exe
Size

300.0MB
MD5

9f791a0a9f76db609b44f0e3bf7bdef5
SHA1

0481f2e178c7a34b3d855e5c53553337fe2008ed
SHA256

ccd71d751bf017dee31f76eceded9aa6832f5e19b5389584d3665f76b4f0caf2
SHA512

06889bebdf092e4f1563e697e9c619a147954ffcb1f9dd9e9a9238d1410442373f95558c02e6bae6f5d832f89a46eab8b08114699f7321ce2e1150a69f1ad1ee

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 2 IoCs

Processes:

nhbyg.exenhbyg.exe

pid process

4280 nhbyg.exe
924 nhbyg.exe

pid	process
4280	nhbyg.exe
924	nhbyg.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3056-137-0x0000000000A20000-0x0000000000E04000-memory.dmp	upx
behavioral2/memory/3056-138-0x0000000000A20000-0x0000000000E04000-memory.dmp	upx
behavioral2/memory/2440-146-0x0000000000550000-0x0000000000934000-memory.dmp	upx
behavioral2/memory/2440-147-0x0000000000550000-0x0000000000934000-memory.dmp	upx
behavioral2/memory/2504-154-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2504-155-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2504-156-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2504-157-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

Processes:

JO37GDDJF5_ETRANSFER_RECEIPT.exenhbyg.exenhbyg.exe

description	pid	process	target process
PID 4168 set thread context of 3056	4168	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 4280 set thread context of 2440	4280	nhbyg.exe	RegAsm.exe
PID 924 set thread context of 2504	924	nhbyg.exe	RegAsm.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3900 3056 WerFault.exe RegAsm.exe
948 2440 WerFault.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2256 schtasks.exe
3804 schtasks.exe
2872 schtasks.exe

pid	pid_target	process	target process
3900	3056	WerFault.exe	RegAsm.exe
948	2440	WerFault.exe	RegAsm.exe

pid	process
2256	schtasks.exe
3804	schtasks.exe
2872	schtasks.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

JO37GDDJF5_ETRANSFER_RECEIPT.execmd.exenhbyg.execmd.exenhbyg.execmd.exe

description	pid	process	target process
PID 4168 wrote to memory of 2344	4168	JO37GDDJF5_ETRANSFER_RECEIPT.exe	cmd.exe
PID 4168 wrote to memory of 2344	4168	JO37GDDJF5_ETRANSFER_RECEIPT.exe	cmd.exe
PID 4168 wrote to memory of 2344	4168	JO37GDDJF5_ETRANSFER_RECEIPT.exe	cmd.exe
PID 2344 wrote to memory of 2256	2344	cmd.exe	schtasks.exe
PID 2344 wrote to memory of 2256	2344	cmd.exe	schtasks.exe
PID 2344 wrote to memory of 2256	2344	cmd.exe	schtasks.exe
PID 4168 wrote to memory of 1984	4168	JO37GDDJF5_ETRANSFER_RECEIPT.exe	cmd.exe
PID 4168 wrote to memory of 1984	4168	JO37GDDJF5_ETRANSFER_RECEIPT.exe	cmd.exe
PID 4168 wrote to memory of 1984	4168	JO37GDDJF5_ETRANSFER_RECEIPT.exe	cmd.exe
PID 4168 wrote to memory of 3056	4168	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 4168 wrote to memory of 3056	4168	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 4168 wrote to memory of 3056	4168	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 4168 wrote to memory of 3056	4168	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 4168 wrote to memory of 3056	4168	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 4168 wrote to memory of 3056	4168	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 4168 wrote to memory of 3056	4168	JO37GDDJF5_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 4280 wrote to memory of 3436	4280	nhbyg.exe	cmd.exe
PID 4280 wrote to memory of 3436	4280	nhbyg.exe	cmd.exe
PID 4280 wrote to memory of 3436	4280	nhbyg.exe	cmd.exe
PID 3436 wrote to memory of 3804	3436	cmd.exe	schtasks.exe
PID 3436 wrote to memory of 3804	3436	cmd.exe	schtasks.exe
PID 3436 wrote to memory of 3804	3436	cmd.exe	schtasks.exe
PID 4280 wrote to memory of 5088	4280	nhbyg.exe	cmd.exe
PID 4280 wrote to memory of 5088	4280	nhbyg.exe	cmd.exe
PID 4280 wrote to memory of 5088	4280	nhbyg.exe	cmd.exe
PID 4280 wrote to memory of 2440	4280	nhbyg.exe	RegAsm.exe
PID 4280 wrote to memory of 2440	4280	nhbyg.exe	RegAsm.exe
PID 4280 wrote to memory of 2440	4280	nhbyg.exe	RegAsm.exe
PID 4280 wrote to memory of 2440	4280	nhbyg.exe	RegAsm.exe
PID 4280 wrote to memory of 2440	4280	nhbyg.exe	RegAsm.exe
PID 4280 wrote to memory of 2440	4280	nhbyg.exe	RegAsm.exe
PID 4280 wrote to memory of 2440	4280	nhbyg.exe	RegAsm.exe
PID 924 wrote to memory of 1316	924	nhbyg.exe	cmd.exe
PID 924 wrote to memory of 1316	924	nhbyg.exe	cmd.exe
PID 924 wrote to memory of 1316	924	nhbyg.exe	cmd.exe
PID 1316 wrote to memory of 2872	1316	cmd.exe	schtasks.exe
PID 1316 wrote to memory of 2872	1316	cmd.exe	schtasks.exe
PID 1316 wrote to memory of 2872	1316	cmd.exe	schtasks.exe
PID 924 wrote to memory of 2892	924	nhbyg.exe	cmd.exe
PID 924 wrote to memory of 2892	924	nhbyg.exe	cmd.exe
PID 924 wrote to memory of 2892	924	nhbyg.exe	cmd.exe
PID 924 wrote to memory of 2504	924	nhbyg.exe	RegAsm.exe
PID 924 wrote to memory of 2504	924	nhbyg.exe	RegAsm.exe
PID 924 wrote to memory of 2504	924	nhbyg.exe	RegAsm.exe
PID 924 wrote to memory of 2504	924	nhbyg.exe	RegAsm.exe
PID 924 wrote to memory of 2504	924	nhbyg.exe	RegAsm.exe
PID 924 wrote to memory of 2504	924	nhbyg.exe	RegAsm.exe
PID 924 wrote to memory of 2504	924	nhbyg.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\JO37GDDJF5_ETRANSFER_RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\JO37GDDJF5_ETRANSFER_RECEIPT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4168

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2256

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\JO37GDDJF5_ETRANSFER_RECEIPT.exe" "C:\Users\Admin\AppData\Roaming\nhbyg.exe"
2⤵
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 576
3⤵
- Program crash
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3056 -ip 3056
1⤵
PID:4440

C:\Users\Admin\AppData\Roaming\nhbyg.exe
C:\Users\Admin\AppData\Roaming\nhbyg.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3804

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\nhbyg.exe" "C:\Users\Admin\AppData\Roaming\nhbyg.exe"
2⤵
PID:5088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 536
3⤵
- Program crash
PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2440 -ip 2440
1⤵
PID:1608

C:\Users\Admin\AppData\Roaming\nhbyg.exe
C:\Users\Admin\AppData\Roaming\nhbyg.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\nhbyg.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2872

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\nhbyg.exe" "C:\Users\Admin\AppData\Roaming\nhbyg.exe"
2⤵
PID:2892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nhbyg.exe.log
Filesize
520B

MD5
41c37de2b4598f7759f865817dba5f80

SHA1
884ccf344bc2dd409425dc5ace0fd909a5f8cce4

SHA256
427235491a8da3fc8770ed60d30af731835c94585cd08d4d81fca9f703b283bc

SHA512
a8f3c74916623de100e4cf22e05df9cdf541b1e32443aab0434f35fb9c4a7fa950b997ce589b532e65731ae471a1f152cd5c00ea1df4bd7a6b57eb27c93c54bd

Download Submit
C:\Users\Admin\AppData\Roaming\nhbyg.exe
Filesize
300.0MB

MD5
9f791a0a9f76db609b44f0e3bf7bdef5

SHA1
0481f2e178c7a34b3d855e5c53553337fe2008ed

SHA256
ccd71d751bf017dee31f76eceded9aa6832f5e19b5389584d3665f76b4f0caf2

SHA512
06889bebdf092e4f1563e697e9c619a147954ffcb1f9dd9e9a9238d1410442373f95558c02e6bae6f5d832f89a46eab8b08114699f7321ce2e1150a69f1ad1ee

Download Submit
C:\Users\Admin\AppData\Roaming\nhbyg.exe
Filesize
300.0MB

MD5
9f791a0a9f76db609b44f0e3bf7bdef5

SHA1
0481f2e178c7a34b3d855e5c53553337fe2008ed

SHA256
ccd71d751bf017dee31f76eceded9aa6832f5e19b5389584d3665f76b4f0caf2

SHA512
06889bebdf092e4f1563e697e9c619a147954ffcb1f9dd9e9a9238d1410442373f95558c02e6bae6f5d832f89a46eab8b08114699f7321ce2e1150a69f1ad1ee

Download Submit
C:\Users\Admin\AppData\Roaming\nhbyg.exe
Filesize
300.0MB

MD5
9f791a0a9f76db609b44f0e3bf7bdef5

SHA1
0481f2e178c7a34b3d855e5c53553337fe2008ed

SHA256
ccd71d751bf017dee31f76eceded9aa6832f5e19b5389584d3665f76b4f0caf2

SHA512
06889bebdf092e4f1563e697e9c619a147954ffcb1f9dd9e9a9238d1410442373f95558c02e6bae6f5d832f89a46eab8b08114699f7321ce2e1150a69f1ad1ee

Download Submit
memory/1316-150-0x0000000000000000-mapping.dmp

Download
memory/1984-134-0x0000000000000000-mapping.dmp

Download
memory/2256-132-0x0000000000000000-mapping.dmp

Download
memory/2344-131-0x0000000000000000-mapping.dmp

Download
memory/2440-144-0x0000000000000000-mapping.dmp

Download
memory/2440-146-0x0000000000550000-0x0000000000934000-memory.dmp

Filesize
3.9MB

Download
memory/2440-147-0x0000000000550000-0x0000000000934000-memory.dmp

Filesize
3.9MB

Download
memory/2504-155-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2504-154-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2504-156-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2504-157-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2504-153-0x0000000000000000-mapping.dmp

Download
memory/2872-151-0x0000000000000000-mapping.dmp

Download
memory/2892-152-0x0000000000000000-mapping.dmp

Download
memory/3056-137-0x0000000000A20000-0x0000000000E04000-memory.dmp

Filesize
3.9MB

Download
memory/3056-138-0x0000000000A20000-0x0000000000E04000-memory.dmp

Filesize
3.9MB

Download
memory/3056-135-0x0000000000000000-mapping.dmp

Download
memory/3436-141-0x0000000000000000-mapping.dmp

Download
memory/3804-142-0x0000000000000000-mapping.dmp

Download
memory/4168-130-0x0000000000D30000-0x0000000000EC4000-memory.dmp

Filesize
1.6MB

Download
memory/4168-133-0x0000000006330000-0x00000000068D4000-memory.dmp

Filesize
5.6MB

Download
memory/5088-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads