bitrat | c8e1ce5d1216e1e068af5fc38b107b78f32372f69d59b4f1e6a456770ded8744

Analysis

max time kernel
172s
max time network
184s
platform
windows10_x64
resource
win10-20220414-en
submitted
22-06-2022 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fxdgf.exe
Size

1.7MB
MD5

6505bd7c5e3775f45522cead41f38882
SHA1

c13140dc82455007a70c7747b4f6aaee5e549315
SHA256

c8e1ce5d1216e1e068af5fc38b107b78f32372f69d59b4f1e6a456770ded8744
SHA512

96998ce4683585d2913d3526bbdc48180fc373feb6e02320fff948284a4aeea9136886a2a8ffc5574c9b0651f8ce239ec81be717a9ed163f9e2442b70587ec5e

Score

10^/10

bitrat suricata trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

bitrat9300.duckdns.org:9300

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata
Executes dropped EXE 2 IoCs

Processes:

fxdgf.exefxdgf.exe

pid process

3628 fxdgf.exe
2960 fxdgf.exe

pid	process
3628	fxdgf.exe
2960	fxdgf.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3524-248-0x0000000000970000-0x0000000000D54000-memory.dmp	upx
behavioral2/memory/2016-378-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2016-441-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

RegAsm.exeRegAsm.exe

pid process

2016 RegAsm.exe
2016 RegAsm.exe
2016 RegAsm.exe
2016 RegAsm.exe
2016 RegAsm.exe
4176 RegAsm.exe

pid	process
2016	RegAsm.exe
2016	RegAsm.exe
2016	RegAsm.exe
2016	RegAsm.exe
2016	RegAsm.exe
4176	RegAsm.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

fxdgf.exefxdgf.exe

description	pid	process	target process
PID 4468 set thread context of 3524	4468	fxdgf.exe	RegAsm.exe
PID 3628 set thread context of 2016	3628	fxdgf.exe	RegAsm.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3700 3524 WerFault.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4056 schtasks.exe
388 schtasks.exe
4716 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegAsm.exeRegAsm.exe

description pid process

Token: SeShutdownPrivilege 2016 RegAsm.exe
Token: SeShutdownPrivilege 4176 RegAsm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

2016 RegAsm.exe
2016 RegAsm.exe

pid	pid_target	process	target process
3700	3524	WerFault.exe	RegAsm.exe

pid	process
4056	schtasks.exe
388	schtasks.exe
4716	schtasks.exe

description	pid	process
Token: SeShutdownPrivilege	2016	RegAsm.exe
Token: SeShutdownPrivilege	4176	RegAsm.exe

pid	process
2016	RegAsm.exe
2016	RegAsm.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

fxdgf.execmd.exefxdgf.execmd.execmd.exe

description	pid	process	target process
PID 4468 wrote to memory of 3848	4468	fxdgf.exe	cmd.exe
PID 4468 wrote to memory of 3848	4468	fxdgf.exe	cmd.exe
PID 4468 wrote to memory of 3848	4468	fxdgf.exe	cmd.exe
PID 3848 wrote to memory of 4056	3848	cmd.exe	schtasks.exe
PID 3848 wrote to memory of 4056	3848	cmd.exe	schtasks.exe
PID 3848 wrote to memory of 4056	3848	cmd.exe	schtasks.exe
PID 4468 wrote to memory of 392	4468	fxdgf.exe	cmd.exe
PID 4468 wrote to memory of 392	4468	fxdgf.exe	cmd.exe
PID 4468 wrote to memory of 392	4468	fxdgf.exe	cmd.exe
PID 4468 wrote to memory of 3524	4468	fxdgf.exe	RegAsm.exe
PID 4468 wrote to memory of 3524	4468	fxdgf.exe	RegAsm.exe
PID 4468 wrote to memory of 3524	4468	fxdgf.exe	RegAsm.exe
PID 4468 wrote to memory of 3524	4468	fxdgf.exe	RegAsm.exe
PID 4468 wrote to memory of 3524	4468	fxdgf.exe	RegAsm.exe
PID 4468 wrote to memory of 3524	4468	fxdgf.exe	RegAsm.exe
PID 4468 wrote to memory of 3524	4468	fxdgf.exe	RegAsm.exe
PID 3628 wrote to memory of 4312	3628	fxdgf.exe	cmd.exe
PID 3628 wrote to memory of 4312	3628	fxdgf.exe	cmd.exe
PID 3628 wrote to memory of 4312	3628	fxdgf.exe	cmd.exe
PID 4312 wrote to memory of 388	4312	cmd.exe	schtasks.exe
PID 4312 wrote to memory of 388	4312	cmd.exe	schtasks.exe
PID 4312 wrote to memory of 388	4312	cmd.exe	schtasks.exe
PID 3628 wrote to memory of 1388	3628	fxdgf.exe	cmd.exe
PID 3628 wrote to memory of 1388	3628	fxdgf.exe	cmd.exe
PID 3628 wrote to memory of 1388	3628	fxdgf.exe	cmd.exe
PID 3628 wrote to memory of 2016	3628	fxdgf.exe	RegAsm.exe
PID 3628 wrote to memory of 2016	3628	fxdgf.exe	RegAsm.exe
PID 3628 wrote to memory of 2016	3628	fxdgf.exe	RegAsm.exe
PID 3628 wrote to memory of 2016	3628	fxdgf.exe	RegAsm.exe
PID 3628 wrote to memory of 2016	3628	fxdgf.exe	RegAsm.exe
PID 3628 wrote to memory of 2016	3628	fxdgf.exe	RegAsm.exe
PID 3628 wrote to memory of 2016	3628	fxdgf.exe	RegAsm.exe
PID 4456 wrote to memory of 4716	4456	cmd.exe	schtasks.exe
PID 4456 wrote to memory of 4716	4456	cmd.exe	schtasks.exe
PID 4456 wrote to memory of 4716	4456	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\fxdgf.exe
"C:\Users\Admin\AppData\Local\Temp\fxdgf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\fxdgf.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\fxdgf.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4056

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\fxdgf.exe" "C:\Users\Admin\AppData\Roaming\fxdgf.exe"
2⤵
PID:392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 568
3⤵
- Program crash
PID:3700

C:\Users\Admin\AppData\Roaming\fxdgf.exe
C:\Users\Admin\AppData\Roaming\fxdgf.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\fxdgf.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\fxdgf.exe'" /f
3⤵
- Creates scheduled task(s)
PID:388

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\fxdgf.exe" "C:\Users\Admin\AppData\Roaming\fxdgf.exe"
2⤵
PID:1388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Users\Admin\AppData\Roaming\fxdgf.exe
C:\Users\Admin\AppData\Roaming\fxdgf.exe
1⤵
- Executes dropped EXE
PID:2960

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\fxdgf.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\fxdgf.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4716

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\fxdgf.exe" "C:\Users\Admin\AppData\Roaming\fxdgf.exe"
2⤵
PID:4836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fxdgf.exe.log
Filesize
805B

MD5
4665cf8a9a71b273050bd4636040ee7c

SHA1
3993526de306ba22b6cf07496f391b63dc22d4e5

SHA256
6ac546cb6c1c85c2ff0c8ad1104aeb5b7f484e4b1fbb32eb4806fadcb96de298

SHA512
638c77d55c5e6db0b53728227235027fe572ca1e51f35ce1b047910db336d53139cb691a35a41b37c1614dd816e502c76b8bbf605d9b905b254bddc8dad4377e

Download Submit
C:\Users\Admin\AppData\Roaming\fxdgf.exe
Filesize
1.7MB

MD5
6505bd7c5e3775f45522cead41f38882

SHA1
c13140dc82455007a70c7747b4f6aaee5e549315

SHA256
c8e1ce5d1216e1e068af5fc38b107b78f32372f69d59b4f1e6a456770ded8744

SHA512
96998ce4683585d2913d3526bbdc48180fc373feb6e02320fff948284a4aeea9136886a2a8ffc5574c9b0651f8ce239ec81be717a9ed163f9e2442b70587ec5e

Download Submit
C:\Users\Admin\AppData\Roaming\fxdgf.exe
Filesize
1.7MB

MD5
6505bd7c5e3775f45522cead41f38882

SHA1
c13140dc82455007a70c7747b4f6aaee5e549315

SHA256
c8e1ce5d1216e1e068af5fc38b107b78f32372f69d59b4f1e6a456770ded8744

SHA512
96998ce4683585d2913d3526bbdc48180fc373feb6e02320fff948284a4aeea9136886a2a8ffc5574c9b0651f8ce239ec81be717a9ed163f9e2442b70587ec5e

Download Submit
C:\Users\Admin\AppData\Roaming\fxdgf.exe
Filesize
1.7MB

MD5
6505bd7c5e3775f45522cead41f38882

SHA1
c13140dc82455007a70c7747b4f6aaee5e549315

SHA256
c8e1ce5d1216e1e068af5fc38b107b78f32372f69d59b4f1e6a456770ded8744

SHA512
96998ce4683585d2913d3526bbdc48180fc373feb6e02320fff948284a4aeea9136886a2a8ffc5574c9b0651f8ce239ec81be717a9ed163f9e2442b70587ec5e

Download Submit
memory/388-307-0x0000000000000000-mapping.dmp

Download
memory/392-190-0x0000000000000000-mapping.dmp

Download
memory/1388-326-0x0000000000000000-mapping.dmp

Download
memory/2016-378-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2016-333-0x00000000007E2730-mapping.dmp

Download
memory/2016-405-0x00000000737C0000-0x00000000737FA000-memory.dmp

Filesize
232KB

Download
memory/2016-440-0x0000000073000000-0x000000007303A000-memory.dmp

Filesize
232KB

Download
memory/2016-441-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3524-205-0x00000000007E2730-mapping.dmp

Download
memory/3524-248-0x0000000000970000-0x0000000000D54000-memory.dmp

Filesize
3.9MB

Download
memory/3848-166-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/3848-170-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/3848-165-0x0000000000000000-mapping.dmp

Download
memory/3848-167-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/3848-168-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/3848-169-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4056-182-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4056-178-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4056-177-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4056-176-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4056-174-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4056-175-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4056-173-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4056-172-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4056-171-0x0000000000000000-mapping.dmp

Download
memory/4056-179-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4056-180-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4056-181-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4056-183-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4312-301-0x0000000000000000-mapping.dmp

Download
memory/4468-136-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-140-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-150-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-153-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-152-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-154-0x0000000004F50000-0x000000000544E000-memory.dmp

Filesize
5.0MB

Download
memory/4468-155-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-156-0x0000000004B30000-0x0000000004BC2000-memory.dmp

Filesize
584KB

Download
memory/4468-159-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-158-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-157-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-160-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-162-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-161-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-163-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-164-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-148-0x0000000000150000-0x00000000002FE000-memory.dmp

Filesize
1.7MB

Download
memory/4468-149-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-147-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-146-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-145-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-144-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-143-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-142-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-141-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-151-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-139-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-138-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-137-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-115-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-135-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-134-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-133-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-132-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-131-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-130-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-129-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-128-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-127-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-126-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-124-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-125-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-123-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-121-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-122-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-120-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-119-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-118-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-117-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4468-116-0x0000000077750000-0x00000000778DE000-memory.dmp

Filesize
1.6MB

Download
memory/4716-448-0x0000000000000000-mapping.dmp

Download