bitrat | c8e1ce5d1216e1e068af5fc38b107b78f32372f69d59b4f1e6a456770ded8744

Analysis

max time kernel
194s
max time network
205s
platform
windows10_x64
resource
win10-20220414-en
submitted
22-06-2022 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fxdgf.exe
Size

1.7MB
MD5

6505bd7c5e3775f45522cead41f38882
SHA1

c13140dc82455007a70c7747b4f6aaee5e549315
SHA256

c8e1ce5d1216e1e068af5fc38b107b78f32372f69d59b4f1e6a456770ded8744
SHA512

96998ce4683585d2913d3526bbdc48180fc373feb6e02320fff948284a4aeea9136886a2a8ffc5574c9b0651f8ce239ec81be717a9ed163f9e2442b70587ec5e

Score

10^/10

bitrat suricata trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

bitrat9300.duckdns.org:9300

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata
Executes dropped EXE 2 IoCs

Processes:

fxdgf.exefxdgf.exe

pid process

1820 fxdgf.exe
1172 fxdgf.exe

pid	process
1820	fxdgf.exe
1172	fxdgf.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1560-249-0x0000000000B00000-0x0000000000EE4000-memory.dmp	upx
behavioral2/memory/3008-379-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3008-442-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

RegAsm.exe

pid process

3008 RegAsm.exe
3008 RegAsm.exe
3008 RegAsm.exe
3008 RegAsm.exe
3008 RegAsm.exe

pid	process
3008	RegAsm.exe
3008	RegAsm.exe
3008	RegAsm.exe
3008	RegAsm.exe
3008	RegAsm.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

fxdgf.exefxdgf.exe

description	pid	process	target process
PID 704 set thread context of 1560	704	fxdgf.exe	RegAsm.exe
PID 1820 set thread context of 3008	1820	fxdgf.exe	RegAsm.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1040 1560 WerFault.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3812 schtasks.exe
2240 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeShutdownPrivilege 3008 RegAsm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

3008 RegAsm.exe
3008 RegAsm.exe

pid	pid_target	process	target process
1040	1560	WerFault.exe	RegAsm.exe

pid	process
3812	schtasks.exe
2240	schtasks.exe

description	pid	process
Token: SeShutdownPrivilege	3008	RegAsm.exe

pid	process
3008	RegAsm.exe
3008	RegAsm.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

fxdgf.execmd.exefxdgf.execmd.exe

description	pid	process	target process
PID 704 wrote to memory of 2624	704	fxdgf.exe	cmd.exe
PID 704 wrote to memory of 2624	704	fxdgf.exe	cmd.exe
PID 704 wrote to memory of 2624	704	fxdgf.exe	cmd.exe
PID 2624 wrote to memory of 3812	2624	cmd.exe	schtasks.exe
PID 2624 wrote to memory of 3812	2624	cmd.exe	schtasks.exe
PID 2624 wrote to memory of 3812	2624	cmd.exe	schtasks.exe
PID 704 wrote to memory of 1532	704	fxdgf.exe	cmd.exe
PID 704 wrote to memory of 1532	704	fxdgf.exe	cmd.exe
PID 704 wrote to memory of 1532	704	fxdgf.exe	cmd.exe
PID 704 wrote to memory of 1560	704	fxdgf.exe	RegAsm.exe
PID 704 wrote to memory of 1560	704	fxdgf.exe	RegAsm.exe
PID 704 wrote to memory of 1560	704	fxdgf.exe	RegAsm.exe
PID 704 wrote to memory of 1560	704	fxdgf.exe	RegAsm.exe
PID 704 wrote to memory of 1560	704	fxdgf.exe	RegAsm.exe
PID 704 wrote to memory of 1560	704	fxdgf.exe	RegAsm.exe
PID 704 wrote to memory of 1560	704	fxdgf.exe	RegAsm.exe
PID 1820 wrote to memory of 3924	1820	fxdgf.exe	cmd.exe
PID 1820 wrote to memory of 3924	1820	fxdgf.exe	cmd.exe
PID 1820 wrote to memory of 3924	1820	fxdgf.exe	cmd.exe
PID 3924 wrote to memory of 2240	3924	cmd.exe	schtasks.exe
PID 3924 wrote to memory of 2240	3924	cmd.exe	schtasks.exe
PID 3924 wrote to memory of 2240	3924	cmd.exe	schtasks.exe
PID 1820 wrote to memory of 2704	1820	fxdgf.exe	cmd.exe
PID 1820 wrote to memory of 2704	1820	fxdgf.exe	cmd.exe
PID 1820 wrote to memory of 2704	1820	fxdgf.exe	cmd.exe
PID 1820 wrote to memory of 3008	1820	fxdgf.exe	RegAsm.exe
PID 1820 wrote to memory of 3008	1820	fxdgf.exe	RegAsm.exe
PID 1820 wrote to memory of 3008	1820	fxdgf.exe	RegAsm.exe
PID 1820 wrote to memory of 3008	1820	fxdgf.exe	RegAsm.exe
PID 1820 wrote to memory of 3008	1820	fxdgf.exe	RegAsm.exe
PID 1820 wrote to memory of 3008	1820	fxdgf.exe	RegAsm.exe
PID 1820 wrote to memory of 3008	1820	fxdgf.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\fxdgf.exe
"C:\Users\Admin\AppData\Local\Temp\fxdgf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\fxdgf.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\fxdgf.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3812

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\fxdgf.exe" "C:\Users\Admin\AppData\Roaming\fxdgf.exe"
2⤵
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 568
3⤵
- Program crash
PID:1040

C:\Users\Admin\AppData\Roaming\fxdgf.exe
C:\Users\Admin\AppData\Roaming\fxdgf.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\fxdgf.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\fxdgf.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2240

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\fxdgf.exe" "C:\Users\Admin\AppData\Roaming\fxdgf.exe"
2⤵
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3008

C:\Users\Admin\AppData\Roaming\fxdgf.exe
C:\Users\Admin\AppData\Roaming\fxdgf.exe
1⤵
- Executes dropped EXE
PID:1172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fxdgf.exe.log
Filesize
805B

MD5
4665cf8a9a71b273050bd4636040ee7c

SHA1
3993526de306ba22b6cf07496f391b63dc22d4e5

SHA256
6ac546cb6c1c85c2ff0c8ad1104aeb5b7f484e4b1fbb32eb4806fadcb96de298

SHA512
638c77d55c5e6db0b53728227235027fe572ca1e51f35ce1b047910db336d53139cb691a35a41b37c1614dd816e502c76b8bbf605d9b905b254bddc8dad4377e

Download Submit
C:\Users\Admin\AppData\Roaming\fxdgf.exe
Filesize
1.7MB

MD5
6505bd7c5e3775f45522cead41f38882

SHA1
c13140dc82455007a70c7747b4f6aaee5e549315

SHA256
c8e1ce5d1216e1e068af5fc38b107b78f32372f69d59b4f1e6a456770ded8744

SHA512
96998ce4683585d2913d3526bbdc48180fc373feb6e02320fff948284a4aeea9136886a2a8ffc5574c9b0651f8ce239ec81be717a9ed163f9e2442b70587ec5e

Download Submit
C:\Users\Admin\AppData\Roaming\fxdgf.exe
Filesize
1.7MB

MD5
6505bd7c5e3775f45522cead41f38882

SHA1
c13140dc82455007a70c7747b4f6aaee5e549315

SHA256
c8e1ce5d1216e1e068af5fc38b107b78f32372f69d59b4f1e6a456770ded8744

SHA512
96998ce4683585d2913d3526bbdc48180fc373feb6e02320fff948284a4aeea9136886a2a8ffc5574c9b0651f8ce239ec81be717a9ed163f9e2442b70587ec5e

Download Submit
C:\Users\Admin\AppData\Roaming\fxdgf.exe
Filesize
1.7MB

MD5
6505bd7c5e3775f45522cead41f38882

SHA1
c13140dc82455007a70c7747b4f6aaee5e549315

SHA256
c8e1ce5d1216e1e068af5fc38b107b78f32372f69d59b4f1e6a456770ded8744

SHA512
96998ce4683585d2913d3526bbdc48180fc373feb6e02320fff948284a4aeea9136886a2a8ffc5574c9b0651f8ce239ec81be717a9ed163f9e2442b70587ec5e

Download Submit
memory/704-156-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-118-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-120-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-121-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-122-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-123-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-124-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-125-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-127-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-126-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-128-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-129-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-130-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-131-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-132-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-133-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-134-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-135-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-136-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-137-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-139-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-138-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-140-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-142-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-141-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-144-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-143-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-145-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-146-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-147-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-148-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-150-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-149-0x0000000000220000-0x00000000003CE000-memory.dmp

Filesize
1.7MB

Download
memory/704-151-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-152-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-153-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-154-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-155-0x00000000050B0000-0x00000000055AE000-memory.dmp

Filesize
5.0MB

Download
memory/704-162-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-116-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-119-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-159-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-160-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-161-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-158-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-163-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-164-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-165-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/704-157-0x0000000004C50000-0x0000000004CE2000-memory.dmp

Filesize
584KB

Download
memory/704-117-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/1532-191-0x0000000000000000-mapping.dmp

Download
memory/1560-249-0x0000000000B00000-0x0000000000EE4000-memory.dmp

Filesize
3.9MB

Download
memory/1560-206-0x00000000007E2730-mapping.dmp

Download
memory/2240-308-0x0000000000000000-mapping.dmp

Download
memory/2624-169-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2624-170-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2624-171-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2624-168-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2624-166-0x0000000000000000-mapping.dmp

Download
memory/2624-167-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/2704-327-0x0000000000000000-mapping.dmp

Download
memory/3008-441-0x0000000072C30000-0x0000000072C6A000-memory.dmp

Filesize
232KB

Download
memory/3008-394-0x0000000072CA0000-0x0000000072CDA000-memory.dmp

Filesize
232KB

Download
memory/3008-379-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3008-334-0x00000000007E2730-mapping.dmp

Download
memory/3008-442-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3812-182-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/3812-176-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/3812-181-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/3812-184-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/3812-183-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/3812-179-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/3812-177-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/3812-180-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/3812-175-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/3812-174-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/3812-173-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/3812-172-0x0000000000000000-mapping.dmp

Download
memory/3812-178-0x0000000077600000-0x000000007778E000-memory.dmp

Filesize
1.6MB

Download
memory/3924-302-0x0000000000000000-mapping.dmp

Download