bitrat | 68599aed1a59ea181bd317a0ac5ec38b57c2537c4ef3ef606708576bf87036c7

General

Target

vnhgf.exe
Size

300.0MB
MD5

a5335343971e56e6ff268dcfe8774ae9
SHA1

25c8a25b5c1dd7913e4447dd15056afd52d95c4a
SHA256

1a66d08dd756f9fe6f3e936fb3b7c245d46b267c2512c997df86030e9d634734
SHA512

8ef2c8eff3ea1c26fd5c202aaad0fb6e6c2f895b791e47422aa7a34b879633d531d43328767b82df977ad53528d21359897f701c0e8d1018ca935c353aa91ca4

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9400.duckdns.org:9400

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 4 IoCs

Processes:

hggfyu.exehggfyu.exehggfyu.exehggfyu.exe

pid process

524 hggfyu.exe
844 hggfyu.exe
1656 hggfyu.exe
1424 hggfyu.exe

pid	process
524	hggfyu.exe
844	hggfyu.exe
1656	hggfyu.exe
1424	hggfyu.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2020-56-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2020-58-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2020-59-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2020-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2020-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2020-65-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2020-68-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2020-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/844-88-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/844-91-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1424-104-0x00000000006A0000-0x0000000000A84000-memory.dmp	upx
behavioral1/memory/1424-105-0x00000000006A0000-0x0000000000A84000-memory.dmp	upx
behavioral1/memory/1424-108-0x00000000006A0000-0x0000000000A84000-memory.dmp	upx
behavioral1/memory/1424-111-0x00000000006A0000-0x0000000000A84000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

vnhgf.exehggfyu.exehggfyu.exe

pid process

2020 vnhgf.exe
2020 vnhgf.exe
2020 vnhgf.exe
2020 vnhgf.exe
844 hggfyu.exe
1424 hggfyu.exe

pid	process
2020	vnhgf.exe
2020	vnhgf.exe
2020	vnhgf.exe
2020	vnhgf.exe
844	hggfyu.exe
1424	hggfyu.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

vnhgf.exehggfyu.exehggfyu.exe

description	pid	process	target process
PID 388 set thread context of 2020	388	vnhgf.exe	vnhgf.exe
PID 524 set thread context of 844	524	hggfyu.exe	hggfyu.exe
PID 1656 set thread context of 1424	1656	hggfyu.exe	hggfyu.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

904 schtasks.exe
1924 schtasks.exe
2004 schtasks.exe
NTFS ADS 1 IoCs

Processes:

vnhgf.exe

description ioc process

File created C:\Users\Admin\AppData\Local:27-06-2022 vnhgf.exe

pid	process
904	schtasks.exe
1924	schtasks.exe
2004	schtasks.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local:27-06-2022	vnhgf.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

vnhgf.exevnhgf.exehggfyu.exehggfyu.exehggfyu.exehggfyu.exe

description	pid	process
Token: SeDebugPrivilege	388	vnhgf.exe
Token: SeDebugPrivilege	2020	vnhgf.exe
Token: SeShutdownPrivilege	2020	vnhgf.exe
Token: SeDebugPrivilege	524	hggfyu.exe
Token: SeDebugPrivilege	844	hggfyu.exe
Token: SeShutdownPrivilege	844	hggfyu.exe
Token: SeDebugPrivilege	1656	hggfyu.exe
Token: SeDebugPrivilege	1424	hggfyu.exe
Token: SeShutdownPrivilege	1424	hggfyu.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vnhgf.exe

pid process

2020 vnhgf.exe
2020 vnhgf.exe

pid	process
2020	vnhgf.exe
2020	vnhgf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

vnhgf.execmd.exetaskeng.exehggfyu.execmd.exehggfyu.execmd.exe

description	pid	process	target process
PID 388 wrote to memory of 2020	388	vnhgf.exe	vnhgf.exe
PID 388 wrote to memory of 2020	388	vnhgf.exe	vnhgf.exe
PID 388 wrote to memory of 2020	388	vnhgf.exe	vnhgf.exe
PID 388 wrote to memory of 2020	388	vnhgf.exe	vnhgf.exe
PID 388 wrote to memory of 2020	388	vnhgf.exe	vnhgf.exe
PID 388 wrote to memory of 2020	388	vnhgf.exe	vnhgf.exe
PID 388 wrote to memory of 2020	388	vnhgf.exe	vnhgf.exe
PID 388 wrote to memory of 2020	388	vnhgf.exe	vnhgf.exe
PID 388 wrote to memory of 1968	388	vnhgf.exe	cmd.exe
PID 388 wrote to memory of 1968	388	vnhgf.exe	cmd.exe
PID 388 wrote to memory of 1968	388	vnhgf.exe	cmd.exe
PID 388 wrote to memory of 1968	388	vnhgf.exe	cmd.exe
PID 1968 wrote to memory of 904	1968	cmd.exe	schtasks.exe
PID 1968 wrote to memory of 904	1968	cmd.exe	schtasks.exe
PID 1968 wrote to memory of 904	1968	cmd.exe	schtasks.exe
PID 1968 wrote to memory of 904	1968	cmd.exe	schtasks.exe
PID 388 wrote to memory of 1328	388	vnhgf.exe	cmd.exe
PID 388 wrote to memory of 1328	388	vnhgf.exe	cmd.exe
PID 388 wrote to memory of 1328	388	vnhgf.exe	cmd.exe
PID 388 wrote to memory of 1328	388	vnhgf.exe	cmd.exe
PID 684 wrote to memory of 524	684	taskeng.exe	hggfyu.exe
PID 684 wrote to memory of 524	684	taskeng.exe	hggfyu.exe
PID 684 wrote to memory of 524	684	taskeng.exe	hggfyu.exe
PID 684 wrote to memory of 524	684	taskeng.exe	hggfyu.exe
PID 524 wrote to memory of 844	524	hggfyu.exe	hggfyu.exe
PID 524 wrote to memory of 844	524	hggfyu.exe	hggfyu.exe
PID 524 wrote to memory of 844	524	hggfyu.exe	hggfyu.exe
PID 524 wrote to memory of 844	524	hggfyu.exe	hggfyu.exe
PID 524 wrote to memory of 844	524	hggfyu.exe	hggfyu.exe
PID 524 wrote to memory of 844	524	hggfyu.exe	hggfyu.exe
PID 524 wrote to memory of 844	524	hggfyu.exe	hggfyu.exe
PID 524 wrote to memory of 844	524	hggfyu.exe	hggfyu.exe
PID 524 wrote to memory of 1884	524	hggfyu.exe	cmd.exe
PID 524 wrote to memory of 1884	524	hggfyu.exe	cmd.exe
PID 524 wrote to memory of 1884	524	hggfyu.exe	cmd.exe
PID 524 wrote to memory of 1884	524	hggfyu.exe	cmd.exe
PID 1884 wrote to memory of 1924	1884	cmd.exe	schtasks.exe
PID 1884 wrote to memory of 1924	1884	cmd.exe	schtasks.exe
PID 1884 wrote to memory of 1924	1884	cmd.exe	schtasks.exe
PID 1884 wrote to memory of 1924	1884	cmd.exe	schtasks.exe
PID 524 wrote to memory of 304	524	hggfyu.exe	cmd.exe
PID 524 wrote to memory of 304	524	hggfyu.exe	cmd.exe
PID 524 wrote to memory of 304	524	hggfyu.exe	cmd.exe
PID 524 wrote to memory of 304	524	hggfyu.exe	cmd.exe
PID 684 wrote to memory of 1656	684	taskeng.exe	hggfyu.exe
PID 684 wrote to memory of 1656	684	taskeng.exe	hggfyu.exe
PID 684 wrote to memory of 1656	684	taskeng.exe	hggfyu.exe
PID 684 wrote to memory of 1656	684	taskeng.exe	hggfyu.exe
PID 1656 wrote to memory of 1424	1656	hggfyu.exe	hggfyu.exe
PID 1656 wrote to memory of 1424	1656	hggfyu.exe	hggfyu.exe
PID 1656 wrote to memory of 1424	1656	hggfyu.exe	hggfyu.exe
PID 1656 wrote to memory of 1424	1656	hggfyu.exe	hggfyu.exe
PID 1656 wrote to memory of 1424	1656	hggfyu.exe	hggfyu.exe
PID 1656 wrote to memory of 1424	1656	hggfyu.exe	hggfyu.exe
PID 1656 wrote to memory of 1424	1656	hggfyu.exe	hggfyu.exe
PID 1656 wrote to memory of 1424	1656	hggfyu.exe	hggfyu.exe
PID 1656 wrote to memory of 1328	1656	hggfyu.exe	cmd.exe
PID 1656 wrote to memory of 1328	1656	hggfyu.exe	cmd.exe
PID 1656 wrote to memory of 1328	1656	hggfyu.exe	cmd.exe
PID 1656 wrote to memory of 1328	1656	hggfyu.exe	cmd.exe
PID 1328 wrote to memory of 2004	1328	cmd.exe	schtasks.exe
PID 1328 wrote to memory of 2004	1328	cmd.exe	schtasks.exe
PID 1328 wrote to memory of 2004	1328	cmd.exe	schtasks.exe
PID 1328 wrote to memory of 2004	1328	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\vnhgf.exe
"C:\Users\Admin\AppData\Local\Temp\vnhgf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:388

C:\Users\Admin\AppData\Local\Temp\vnhgf.exe
"C:\Users\Admin\AppData\Local\Temp\vnhgf.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
3⤵
- Creates scheduled task(s)
PID:904

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\vnhgf.exe" "C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe"
2⤵
PID:1328

C:\Windows\system32\taskeng.exe
taskeng.exe {9F2F2D6C-0DDF-4398-88AE-4A9AD0C1CE26} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524

C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
"C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1924

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe" "C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe"
3⤵
PID:304

C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
"C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
4⤵
- Creates scheduled task(s)
PID:2004

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe" "C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe"
3⤵
PID:688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
Filesize
138.8MB

MD5
8c0e0951bbad0142ab0da893f268a1b0

SHA1
db741892e719af61083c5c76c6b6c8b76b531c65

SHA256
58b14ba021c120f49045695e0e8c6230e225902ad78ef870bbba27541296b76e

SHA512
598ddd9150cace0064257872d68e55fafae5d15896ea19054ec7671a40eea53cba0780b86fb2df0bd15d051f404b3775abe8955fbdcc06e9fc4a882bbc710a49

Download Submit
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
Filesize
300.0MB

MD5
a5335343971e56e6ff268dcfe8774ae9

SHA1
25c8a25b5c1dd7913e4447dd15056afd52d95c4a

SHA256
1a66d08dd756f9fe6f3e936fb3b7c245d46b267c2512c997df86030e9d634734

SHA512
8ef2c8eff3ea1c26fd5c202aaad0fb6e6c2f895b791e47422aa7a34b879633d531d43328767b82df977ad53528d21359897f701c0e8d1018ca935c353aa91ca4

Download Submit
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
Filesize
300.0MB

MD5
a5335343971e56e6ff268dcfe8774ae9

SHA1
25c8a25b5c1dd7913e4447dd15056afd52d95c4a

SHA256
1a66d08dd756f9fe6f3e936fb3b7c245d46b267c2512c997df86030e9d634734

SHA512
8ef2c8eff3ea1c26fd5c202aaad0fb6e6c2f895b791e47422aa7a34b879633d531d43328767b82df977ad53528d21359897f701c0e8d1018ca935c353aa91ca4

Download Submit
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
Filesize
300.0MB

MD5
a5335343971e56e6ff268dcfe8774ae9

SHA1
25c8a25b5c1dd7913e4447dd15056afd52d95c4a

SHA256
1a66d08dd756f9fe6f3e936fb3b7c245d46b267c2512c997df86030e9d634734

SHA512
8ef2c8eff3ea1c26fd5c202aaad0fb6e6c2f895b791e47422aa7a34b879633d531d43328767b82df977ad53528d21359897f701c0e8d1018ca935c353aa91ca4

Download Submit
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
Filesize
300.0MB

MD5
a5335343971e56e6ff268dcfe8774ae9

SHA1
25c8a25b5c1dd7913e4447dd15056afd52d95c4a

SHA256
1a66d08dd756f9fe6f3e936fb3b7c245d46b267c2512c997df86030e9d634734

SHA512
8ef2c8eff3ea1c26fd5c202aaad0fb6e6c2f895b791e47422aa7a34b879633d531d43328767b82df977ad53528d21359897f701c0e8d1018ca935c353aa91ca4

Download Submit
memory/304-90-0x0000000000000000-mapping.dmp

Download
memory/388-54-0x0000000000CE0000-0x0000000000EA2000-memory.dmp

Filesize
1.8MB

Download
memory/388-61-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/524-72-0x0000000000000000-mapping.dmp

Download
memory/524-74-0x0000000000E70000-0x0000000001032000-memory.dmp

Filesize
1.8MB

Download
memory/688-110-0x0000000000000000-mapping.dmp

Download
memory/844-88-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/844-91-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/844-80-0x00000000007E2740-mapping.dmp

Download
memory/904-67-0x0000000000000000-mapping.dmp

Download
memory/1328-103-0x0000000000000000-mapping.dmp

Download
memory/1328-69-0x0000000000000000-mapping.dmp

Download
memory/1424-105-0x00000000006A0000-0x0000000000A84000-memory.dmp

Filesize
3.9MB

Download
memory/1424-108-0x00000000006A0000-0x0000000000A84000-memory.dmp

Filesize
3.9MB

Download
memory/1424-104-0x00000000006A0000-0x0000000000A84000-memory.dmp

Filesize
3.9MB

Download
memory/1424-100-0x00000000007E2740-mapping.dmp

Download
memory/1424-111-0x00000000006A0000-0x0000000000A84000-memory.dmp

Filesize
3.9MB

Download
memory/1656-92-0x0000000000000000-mapping.dmp

Download
memory/1656-94-0x00000000003D0000-0x0000000000592000-memory.dmp

Filesize
1.8MB

Download
memory/1884-86-0x0000000000000000-mapping.dmp

Download
memory/1924-89-0x0000000000000000-mapping.dmp

Download
memory/1968-64-0x0000000000000000-mapping.dmp

Download
memory/2004-109-0x0000000000000000-mapping.dmp

Download
memory/2020-68-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2020-65-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2020-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2020-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2020-59-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2020-60-0x00000000007E2740-mapping.dmp

Download
memory/2020-58-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2020-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2020-56-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2020-55-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads