bitrat | e0f298edfbcb95ec248fb23a3eefb54886e882371e0f28abfabaf1e00e73b9ef

General

Target

VAMSKIDH_INVOICE.exe
Size

200.0MB
MD5

cf46eb85c503955b25cb4b2ab6051357
SHA1

dcfc790d0c190ba754e97d86ee9b9fad6e2ae079
SHA256

a19a136b09c11bb722d6aec359d0cd517a38c87b9f34ec82ed6c4adf6884b41f
SHA512

3ce4f1acddd9a9b0db87b93c8af2b0df21f36b58fb47bb053c5ec1782b7bea7e161016f8bc3ba3388db7511ec146a26ceba894c4032b7e79708a3a5280ddd1b2

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9400.duckdns.org:9400

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 2 IoCs

Processes:

casr.execasr.exe

pid process

3104 casr.exe
3972 casr.exe

pid	process
3104	casr.exe
3972	casr.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4164-137-0x0000000000B90000-0x0000000000F74000-memory.dmp	upx
behavioral2/memory/4164-138-0x0000000000B90000-0x0000000000F74000-memory.dmp	upx
behavioral2/memory/4636-145-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4636-146-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4636-147-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4636-148-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4636-149-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4636-153-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

RegAsm.exe

pid process

4636 RegAsm.exe
4636 RegAsm.exe
4636 RegAsm.exe
4636 RegAsm.exe

pid	process
4636	RegAsm.exe
4636	RegAsm.exe
4636	RegAsm.exe
4636	RegAsm.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

VAMSKIDH_INVOICE.execasr.exe

description	pid	process	target process
PID 3816 set thread context of 4164	3816	VAMSKIDH_INVOICE.exe	RegAsm.exe
PID 3104 set thread context of 4636	3104	casr.exe	RegAsm.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4732 4164 WerFault.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

632 schtasks.exe
368 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeShutdownPrivilege 4636 RegAsm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

4636 RegAsm.exe
4636 RegAsm.exe

pid	pid_target	process	target process
4732	4164	WerFault.exe	RegAsm.exe

pid	process
632	schtasks.exe
368	schtasks.exe

description	pid	process
Token: SeShutdownPrivilege	4636	RegAsm.exe

pid	process
4636	RegAsm.exe
4636	RegAsm.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

VAMSKIDH_INVOICE.execmd.execasr.execmd.exe

description	pid	process	target process
PID 3816 wrote to memory of 1672	3816	VAMSKIDH_INVOICE.exe	cmd.exe
PID 3816 wrote to memory of 1672	3816	VAMSKIDH_INVOICE.exe	cmd.exe
PID 3816 wrote to memory of 1672	3816	VAMSKIDH_INVOICE.exe	cmd.exe
PID 1672 wrote to memory of 632	1672	cmd.exe	schtasks.exe
PID 1672 wrote to memory of 632	1672	cmd.exe	schtasks.exe
PID 1672 wrote to memory of 632	1672	cmd.exe	schtasks.exe
PID 3816 wrote to memory of 4072	3816	VAMSKIDH_INVOICE.exe	cmd.exe
PID 3816 wrote to memory of 4072	3816	VAMSKIDH_INVOICE.exe	cmd.exe
PID 3816 wrote to memory of 4072	3816	VAMSKIDH_INVOICE.exe	cmd.exe
PID 3816 wrote to memory of 4164	3816	VAMSKIDH_INVOICE.exe	RegAsm.exe
PID 3816 wrote to memory of 4164	3816	VAMSKIDH_INVOICE.exe	RegAsm.exe
PID 3816 wrote to memory of 4164	3816	VAMSKIDH_INVOICE.exe	RegAsm.exe
PID 3816 wrote to memory of 4164	3816	VAMSKIDH_INVOICE.exe	RegAsm.exe
PID 3816 wrote to memory of 4164	3816	VAMSKIDH_INVOICE.exe	RegAsm.exe
PID 3816 wrote to memory of 4164	3816	VAMSKIDH_INVOICE.exe	RegAsm.exe
PID 3816 wrote to memory of 4164	3816	VAMSKIDH_INVOICE.exe	RegAsm.exe
PID 3104 wrote to memory of 988	3104	casr.exe	cmd.exe
PID 3104 wrote to memory of 988	3104	casr.exe	cmd.exe
PID 3104 wrote to memory of 988	3104	casr.exe	cmd.exe
PID 988 wrote to memory of 368	988	cmd.exe	schtasks.exe
PID 988 wrote to memory of 368	988	cmd.exe	schtasks.exe
PID 988 wrote to memory of 368	988	cmd.exe	schtasks.exe
PID 3104 wrote to memory of 3724	3104	casr.exe	cmd.exe
PID 3104 wrote to memory of 3724	3104	casr.exe	cmd.exe
PID 3104 wrote to memory of 3724	3104	casr.exe	cmd.exe
PID 3104 wrote to memory of 4636	3104	casr.exe	RegAsm.exe
PID 3104 wrote to memory of 4636	3104	casr.exe	RegAsm.exe
PID 3104 wrote to memory of 4636	3104	casr.exe	RegAsm.exe
PID 3104 wrote to memory of 4636	3104	casr.exe	RegAsm.exe
PID 3104 wrote to memory of 4636	3104	casr.exe	RegAsm.exe
PID 3104 wrote to memory of 4636	3104	casr.exe	RegAsm.exe
PID 3104 wrote to memory of 4636	3104	casr.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\VAMSKIDH_INVOICE.exe
"C:\Users\Admin\AppData\Local\Temp\VAMSKIDH_INVOICE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:632

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\VAMSKIDH_INVOICE.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"
2⤵
PID:4072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 540
3⤵
- Program crash
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 4164 -ip 4164
1⤵
PID:2844

C:\Users\Admin\AppData\Roaming\casr.exe
C:\Users\Admin\AppData\Roaming\casr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\casr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:368

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\casr.exe" "C:\Users\Admin\AppData\Roaming\casr.exe"
2⤵
PID:3724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4636

C:\Users\Admin\AppData\Roaming\casr.exe
C:\Users\Admin\AppData\Roaming\casr.exe
1⤵
- Executes dropped EXE
PID:3972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\casr.exe.log
Filesize
520B

MD5
41c37de2b4598f7759f865817dba5f80

SHA1
884ccf344bc2dd409425dc5ace0fd909a5f8cce4

SHA256
427235491a8da3fc8770ed60d30af731835c94585cd08d4d81fca9f703b283bc

SHA512
a8f3c74916623de100e4cf22e05df9cdf541b1e32443aab0434f35fb9c4a7fa950b997ce589b532e65731ae471a1f152cd5c00ea1df4bd7a6b57eb27c93c54bd

Download Submit
C:\Users\Admin\AppData\Roaming\casr.exe
Filesize
200.0MB

MD5
cf46eb85c503955b25cb4b2ab6051357

SHA1
dcfc790d0c190ba754e97d86ee9b9fad6e2ae079

SHA256
a19a136b09c11bb722d6aec359d0cd517a38c87b9f34ec82ed6c4adf6884b41f

SHA512
3ce4f1acddd9a9b0db87b93c8af2b0df21f36b58fb47bb053c5ec1782b7bea7e161016f8bc3ba3388db7511ec146a26ceba894c4032b7e79708a3a5280ddd1b2

Download Submit
C:\Users\Admin\AppData\Roaming\casr.exe
Filesize
200.0MB

MD5
cf46eb85c503955b25cb4b2ab6051357

SHA1
dcfc790d0c190ba754e97d86ee9b9fad6e2ae079

SHA256
a19a136b09c11bb722d6aec359d0cd517a38c87b9f34ec82ed6c4adf6884b41f

SHA512
3ce4f1acddd9a9b0db87b93c8af2b0df21f36b58fb47bb053c5ec1782b7bea7e161016f8bc3ba3388db7511ec146a26ceba894c4032b7e79708a3a5280ddd1b2

Download Submit
C:\Users\Admin\AppData\Roaming\casr.exe
Filesize
192.1MB

MD5
260b7e1596877200b1eb97fe86d42a75

SHA1
74835cda5557cc2a65b800b30171bb72f7c5e2e8

SHA256
cb5dc7ae29c04800888f1c9349eed8752d515cd8efcc952bef586adb4a03255c

SHA512
56fad01b3df917ff15e58f7d9d02b1d5033a60899d949fcc92f32d9db65de8634d5511f123c14c20cc44856888c1476ac1a13173d948204d8715616b49d239e5

Download Submit
memory/368-142-0x0000000000000000-mapping.dmp

Download
memory/632-132-0x0000000000000000-mapping.dmp

Download
memory/988-141-0x0000000000000000-mapping.dmp

Download
memory/1672-131-0x0000000000000000-mapping.dmp

Download
memory/3724-143-0x0000000000000000-mapping.dmp

Download
memory/3816-133-0x0000000006030000-0x00000000065D4000-memory.dmp

Filesize
5.6MB

Download
memory/3816-130-0x0000000000A40000-0x0000000000BD4000-memory.dmp

Filesize
1.6MB

Download
memory/4072-134-0x0000000000000000-mapping.dmp

Download
memory/4164-137-0x0000000000B90000-0x0000000000F74000-memory.dmp

Filesize
3.9MB

Download
memory/4164-138-0x0000000000B90000-0x0000000000F74000-memory.dmp

Filesize
3.9MB

Download
memory/4164-135-0x0000000000000000-mapping.dmp

Download
memory/4636-151-0x0000000074E00000-0x0000000074E39000-memory.dmp

Filesize
228KB

Download
memory/4636-147-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4636-148-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4636-149-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4636-144-0x0000000000000000-mapping.dmp

Download
memory/4636-150-0x0000000074A60000-0x0000000074A99000-memory.dmp

Filesize
228KB

Download
memory/4636-152-0x0000000074E00000-0x0000000074E39000-memory.dmp

Filesize
228KB

Download
memory/4636-153-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4636-154-0x0000000074E00000-0x0000000074E39000-memory.dmp

Filesize
228KB

Download
memory/4636-146-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4636-145-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4636-157-0x0000000074B20000-0x0000000074B59000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads