bitrat | e0f298edfbcb95ec248fb23a3eefb54886e882371e0f28abfabaf1e00e73b9ef

General

Target

VAMSKIDH_INVOICE.exe
Size

200.0MB
MD5

cf46eb85c503955b25cb4b2ab6051357
SHA1

dcfc790d0c190ba754e97d86ee9b9fad6e2ae079
SHA256

a19a136b09c11bb722d6aec359d0cd517a38c87b9f34ec82ed6c4adf6884b41f
SHA512

3ce4f1acddd9a9b0db87b93c8af2b0df21f36b58fb47bb053c5ec1782b7bea7e161016f8bc3ba3388db7511ec146a26ceba894c4032b7e79708a3a5280ddd1b2

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9400.duckdns.org:9400

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 2 IoCs

Processes:

casr.execasr.exe

pid process

1000 casr.exe
640 casr.exe

pid	process
1000	casr.exe
640	casr.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/936-61-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/936-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/936-67-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/936-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/936-64-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/936-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/936-71-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/936-72-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/936-73-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/960-94-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/960-95-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

RegAsm.exeRegAsm.exe

pid process

936 RegAsm.exe
936 RegAsm.exe
936 RegAsm.exe
936 RegAsm.exe
960 RegAsm.exe

pid	process
936	RegAsm.exe
936	RegAsm.exe
936	RegAsm.exe
936	RegAsm.exe
960	RegAsm.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

VAMSKIDH_INVOICE.execasr.exe

description	pid	process	target process
PID 1452 set thread context of 936	1452	VAMSKIDH_INVOICE.exe	RegAsm.exe
PID 1000 set thread context of 960	1000	casr.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

740 schtasks.exe
848 schtasks.exe
NTFS ADS 1 IoCs

Processes:

RegAsm.exe

description ioc process

File created C:\Users\Admin\AppData\Local:21-06-2022 RegAsm.exe

pid	process
740	schtasks.exe
848	schtasks.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local:21-06-2022	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

RegAsm.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	936	RegAsm.exe
Token: SeShutdownPrivilege	936	RegAsm.exe
Token: SeDebugPrivilege	960	RegAsm.exe
Token: SeShutdownPrivilege	960	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

936 RegAsm.exe
936 RegAsm.exe

pid	process
936	RegAsm.exe
936	RegAsm.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

VAMSKIDH_INVOICE.execmd.exetaskeng.execasr.execmd.exe

description	pid	process	target process
PID 1452 wrote to memory of 1636	1452	VAMSKIDH_INVOICE.exe	cmd.exe
PID 1452 wrote to memory of 1636	1452	VAMSKIDH_INVOICE.exe	cmd.exe
PID 1452 wrote to memory of 1636	1452	VAMSKIDH_INVOICE.exe	cmd.exe
PID 1452 wrote to memory of 1636	1452	VAMSKIDH_INVOICE.exe	cmd.exe
PID 1636 wrote to memory of 740	1636	cmd.exe	schtasks.exe
PID 1636 wrote to memory of 740	1636	cmd.exe	schtasks.exe
PID 1636 wrote to memory of 740	1636	cmd.exe	schtasks.exe
PID 1636 wrote to memory of 740	1636	cmd.exe	schtasks.exe
PID 1452 wrote to memory of 940	1452	VAMSKIDH_INVOICE.exe	cmd.exe
PID 1452 wrote to memory of 940	1452	VAMSKIDH_INVOICE.exe	cmd.exe
PID 1452 wrote to memory of 940	1452	VAMSKIDH_INVOICE.exe	cmd.exe
PID 1452 wrote to memory of 940	1452	VAMSKIDH_INVOICE.exe	cmd.exe
PID 1452 wrote to memory of 936	1452	VAMSKIDH_INVOICE.exe	RegAsm.exe
PID 1452 wrote to memory of 936	1452	VAMSKIDH_INVOICE.exe	RegAsm.exe
PID 1452 wrote to memory of 936	1452	VAMSKIDH_INVOICE.exe	RegAsm.exe
PID 1452 wrote to memory of 936	1452	VAMSKIDH_INVOICE.exe	RegAsm.exe
PID 1452 wrote to memory of 936	1452	VAMSKIDH_INVOICE.exe	RegAsm.exe
PID 1452 wrote to memory of 936	1452	VAMSKIDH_INVOICE.exe	RegAsm.exe
PID 1452 wrote to memory of 936	1452	VAMSKIDH_INVOICE.exe	RegAsm.exe
PID 1452 wrote to memory of 936	1452	VAMSKIDH_INVOICE.exe	RegAsm.exe
PID 1452 wrote to memory of 936	1452	VAMSKIDH_INVOICE.exe	RegAsm.exe
PID 1452 wrote to memory of 936	1452	VAMSKIDH_INVOICE.exe	RegAsm.exe
PID 1452 wrote to memory of 936	1452	VAMSKIDH_INVOICE.exe	RegAsm.exe
PID 852 wrote to memory of 1000	852	taskeng.exe	casr.exe
PID 852 wrote to memory of 1000	852	taskeng.exe	casr.exe
PID 852 wrote to memory of 1000	852	taskeng.exe	casr.exe
PID 852 wrote to memory of 1000	852	taskeng.exe	casr.exe
PID 1000 wrote to memory of 1760	1000	casr.exe	cmd.exe
PID 1000 wrote to memory of 1760	1000	casr.exe	cmd.exe
PID 1000 wrote to memory of 1760	1000	casr.exe	cmd.exe
PID 1000 wrote to memory of 1760	1000	casr.exe	cmd.exe
PID 1760 wrote to memory of 848	1760	cmd.exe	schtasks.exe
PID 1760 wrote to memory of 848	1760	cmd.exe	schtasks.exe
PID 1760 wrote to memory of 848	1760	cmd.exe	schtasks.exe
PID 1760 wrote to memory of 848	1760	cmd.exe	schtasks.exe
PID 1000 wrote to memory of 1368	1000	casr.exe	cmd.exe
PID 1000 wrote to memory of 1368	1000	casr.exe	cmd.exe
PID 1000 wrote to memory of 1368	1000	casr.exe	cmd.exe
PID 1000 wrote to memory of 1368	1000	casr.exe	cmd.exe
PID 1000 wrote to memory of 960	1000	casr.exe	RegAsm.exe
PID 1000 wrote to memory of 960	1000	casr.exe	RegAsm.exe
PID 1000 wrote to memory of 960	1000	casr.exe	RegAsm.exe
PID 1000 wrote to memory of 960	1000	casr.exe	RegAsm.exe
PID 1000 wrote to memory of 960	1000	casr.exe	RegAsm.exe
PID 1000 wrote to memory of 960	1000	casr.exe	RegAsm.exe
PID 1000 wrote to memory of 960	1000	casr.exe	RegAsm.exe
PID 1000 wrote to memory of 960	1000	casr.exe	RegAsm.exe
PID 1000 wrote to memory of 960	1000	casr.exe	RegAsm.exe
PID 1000 wrote to memory of 960	1000	casr.exe	RegAsm.exe
PID 1000 wrote to memory of 960	1000	casr.exe	RegAsm.exe
PID 852 wrote to memory of 640	852	taskeng.exe	casr.exe
PID 852 wrote to memory of 640	852	taskeng.exe	casr.exe
PID 852 wrote to memory of 640	852	taskeng.exe	casr.exe
PID 852 wrote to memory of 640	852	taskeng.exe	casr.exe

C:\Users\Admin\AppData\Local\Temp\VAMSKIDH_INVOICE.exe
"C:\Users\Admin\AppData\Local\Temp\VAMSKIDH_INVOICE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:740

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\VAMSKIDH_INVOICE.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"
2⤵
PID:940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:936

C:\Windows\system32\taskeng.exe
taskeng.exe {2179B07D-C19B-47CC-B64B-9FAF373AB4FA} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Users\Admin\AppData\Roaming\casr.exe
C:\Users\Admin\AppData\Roaming\casr.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
4⤵
- Creates scheduled task(s)
PID:848

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\casr.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"
3⤵
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Users\Admin\AppData\Roaming\casr.exe
C:\Users\Admin\AppData\Roaming\casr.exe
2⤵
- Executes dropped EXE
PID:640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\casr.exe
Filesize
200.0MB

MD5
cf46eb85c503955b25cb4b2ab6051357

SHA1
dcfc790d0c190ba754e97d86ee9b9fad6e2ae079

SHA256
a19a136b09c11bb722d6aec359d0cd517a38c87b9f34ec82ed6c4adf6884b41f

SHA512
3ce4f1acddd9a9b0db87b93c8af2b0df21f36b58fb47bb053c5ec1782b7bea7e161016f8bc3ba3388db7511ec146a26ceba894c4032b7e79708a3a5280ddd1b2

Download Submit
C:\Users\Admin\AppData\Roaming\casr.exe
Filesize
200.0MB

MD5
cf46eb85c503955b25cb4b2ab6051357

SHA1
dcfc790d0c190ba754e97d86ee9b9fad6e2ae079

SHA256
a19a136b09c11bb722d6aec359d0cd517a38c87b9f34ec82ed6c4adf6884b41f

SHA512
3ce4f1acddd9a9b0db87b93c8af2b0df21f36b58fb47bb053c5ec1782b7bea7e161016f8bc3ba3388db7511ec146a26ceba894c4032b7e79708a3a5280ddd1b2

Download Submit
C:\Users\Admin\AppData\Roaming\casr.exe
Filesize
200.0MB

MD5
cf46eb85c503955b25cb4b2ab6051357

SHA1
dcfc790d0c190ba754e97d86ee9b9fad6e2ae079

SHA256
a19a136b09c11bb722d6aec359d0cd517a38c87b9f34ec82ed6c4adf6884b41f

SHA512
3ce4f1acddd9a9b0db87b93c8af2b0df21f36b58fb47bb053c5ec1782b7bea7e161016f8bc3ba3388db7511ec146a26ceba894c4032b7e79708a3a5280ddd1b2

Download Submit
memory/640-98-0x0000000000C50000-0x0000000000DE4000-memory.dmp

Filesize
1.6MB

Download
memory/640-96-0x0000000000000000-mapping.dmp

Download
memory/740-58-0x0000000000000000-mapping.dmp

Download
memory/848-80-0x0000000000000000-mapping.dmp

Download
memory/936-71-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/936-61-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/936-65-0x00000000007E2740-mapping.dmp

Download
memory/936-67-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/936-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/936-64-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/936-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/936-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/936-72-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/936-73-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/936-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/940-59-0x0000000000000000-mapping.dmp

Download
memory/960-95-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/960-94-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/960-87-0x00000000007E2740-mapping.dmp

Download
memory/1000-75-0x0000000000000000-mapping.dmp

Download
memory/1000-77-0x0000000000C50000-0x0000000000DE4000-memory.dmp

Filesize
1.6MB

Download
memory/1368-81-0x0000000000000000-mapping.dmp

Download
memory/1452-54-0x00000000001C0000-0x0000000000354000-memory.dmp

Filesize
1.6MB

Download
memory/1452-56-0x0000000005420000-0x0000000005596000-memory.dmp

Filesize
1.5MB

Download
memory/1452-55-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1636-57-0x0000000000000000-mapping.dmp

Download
memory/1760-79-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads