bitrat | 68599aed1a59ea181bd317a0ac5ec38b57c2537c4ef3ef606708576bf87036c7

General

Target

vnhgf.exe
Size

300.0MB
MD5

a5335343971e56e6ff268dcfe8774ae9
SHA1

25c8a25b5c1dd7913e4447dd15056afd52d95c4a
SHA256

1a66d08dd756f9fe6f3e936fb3b7c245d46b267c2512c997df86030e9d634734
SHA512

8ef2c8eff3ea1c26fd5c202aaad0fb6e6c2f895b791e47422aa7a34b879633d531d43328767b82df977ad53528d21359897f701c0e8d1018ca935c353aa91ca4

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9400.duckdns.org:9400

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 4 IoCs

Processes:

hggfyu.exehggfyu.exehggfyu.exehggfyu.exe

pid process

776 hggfyu.exe
1076 hggfyu.exe
296 hggfyu.exe
1692 hggfyu.exe

pid	process
776	hggfyu.exe
1076	hggfyu.exe
296	hggfyu.exe
1692	hggfyu.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2008-58-0x00000000004E0000-0x00000000008C4000-memory.dmp	upx
behavioral1/memory/2008-62-0x00000000004E0000-0x00000000008C4000-memory.dmp	upx
behavioral1/memory/2008-63-0x00000000004E0000-0x00000000008C4000-memory.dmp	upx
behavioral1/memory/2008-66-0x00000000004E0000-0x00000000008C4000-memory.dmp	upx
behavioral1/memory/2008-74-0x00000000004E0000-0x00000000008C4000-memory.dmp	upx
behavioral1/memory/1076-76-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1076-79-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1076-82-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1076-83-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1076-84-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1076-87-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1076-91-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

vnhgf.exehggfyu.exehggfyu.exe

pid process

2008 vnhgf.exe
2008 vnhgf.exe
2008 vnhgf.exe
2008 vnhgf.exe
1076 hggfyu.exe
1692 hggfyu.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

vnhgf.exehggfyu.exe

description pid process target process

PID 920 set thread context of 2008 920 vnhgf.exe vnhgf.exe
PID 776 set thread context of 1076 776 hggfyu.exe hggfyu.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1960 schtasks.exe
988 schtasks.exe
1772 schtasks.exe

pid	process
2008	vnhgf.exe
2008	vnhgf.exe
2008	vnhgf.exe
2008	vnhgf.exe
1076	hggfyu.exe
1692	hggfyu.exe

description	pid	process	target process
PID 920 set thread context of 2008	920	vnhgf.exe	vnhgf.exe
PID 776 set thread context of 1076	776	hggfyu.exe	hggfyu.exe

pid	process
1960	schtasks.exe
988	schtasks.exe
1772	schtasks.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

vnhgf.exevnhgf.exehggfyu.exehggfyu.exehggfyu.exe

description	pid	process
Token: SeDebugPrivilege	920	vnhgf.exe
Token: SeDebugPrivilege	2008	vnhgf.exe
Token: SeShutdownPrivilege	2008	vnhgf.exe
Token: SeDebugPrivilege	776	hggfyu.exe
Token: SeDebugPrivilege	1076	hggfyu.exe
Token: SeShutdownPrivilege	1076	hggfyu.exe
Token: SeDebugPrivilege	1692	hggfyu.exe
Token: SeShutdownPrivilege	1692	hggfyu.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vnhgf.exe

pid process

2008 vnhgf.exe
2008 vnhgf.exe

pid	process
2008	vnhgf.exe
2008	vnhgf.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

vnhgf.execmd.exetaskeng.exehggfyu.execmd.execmd.exe

description	pid	process	target process
PID 920 wrote to memory of 2008	920	vnhgf.exe	vnhgf.exe
PID 920 wrote to memory of 2008	920	vnhgf.exe	vnhgf.exe
PID 920 wrote to memory of 2008	920	vnhgf.exe	vnhgf.exe
PID 920 wrote to memory of 2008	920	vnhgf.exe	vnhgf.exe
PID 920 wrote to memory of 2008	920	vnhgf.exe	vnhgf.exe
PID 920 wrote to memory of 2008	920	vnhgf.exe	vnhgf.exe
PID 920 wrote to memory of 2008	920	vnhgf.exe	vnhgf.exe
PID 920 wrote to memory of 2008	920	vnhgf.exe	vnhgf.exe
PID 920 wrote to memory of 2000	920	vnhgf.exe	cmd.exe
PID 920 wrote to memory of 2000	920	vnhgf.exe	cmd.exe
PID 920 wrote to memory of 2000	920	vnhgf.exe	cmd.exe
PID 920 wrote to memory of 2000	920	vnhgf.exe	cmd.exe
PID 2000 wrote to memory of 1960	2000	cmd.exe	schtasks.exe
PID 2000 wrote to memory of 1960	2000	cmd.exe	schtasks.exe
PID 2000 wrote to memory of 1960	2000	cmd.exe	schtasks.exe
PID 2000 wrote to memory of 1960	2000	cmd.exe	schtasks.exe
PID 920 wrote to memory of 884	920	vnhgf.exe	cmd.exe
PID 920 wrote to memory of 884	920	vnhgf.exe	cmd.exe
PID 920 wrote to memory of 884	920	vnhgf.exe	cmd.exe
PID 920 wrote to memory of 884	920	vnhgf.exe	cmd.exe
PID 828 wrote to memory of 776	828	taskeng.exe	hggfyu.exe
PID 828 wrote to memory of 776	828	taskeng.exe	hggfyu.exe
PID 828 wrote to memory of 776	828	taskeng.exe	hggfyu.exe
PID 828 wrote to memory of 776	828	taskeng.exe	hggfyu.exe
PID 776 wrote to memory of 1076	776	hggfyu.exe	hggfyu.exe
PID 776 wrote to memory of 1076	776	hggfyu.exe	hggfyu.exe
PID 776 wrote to memory of 1076	776	hggfyu.exe	hggfyu.exe
PID 776 wrote to memory of 1076	776	hggfyu.exe	hggfyu.exe
PID 776 wrote to memory of 1076	776	hggfyu.exe	hggfyu.exe
PID 776 wrote to memory of 1076	776	hggfyu.exe	hggfyu.exe
PID 776 wrote to memory of 1076	776	hggfyu.exe	hggfyu.exe
PID 776 wrote to memory of 1076	776	hggfyu.exe	hggfyu.exe
PID 776 wrote to memory of 888	776	hggfyu.exe	cmd.exe
PID 776 wrote to memory of 888	776	hggfyu.exe	cmd.exe
PID 776 wrote to memory of 888	776	hggfyu.exe	cmd.exe
PID 776 wrote to memory of 888	776	hggfyu.exe	cmd.exe
PID 888 wrote to memory of 988	888	cmd.exe	schtasks.exe
PID 888 wrote to memory of 988	888	cmd.exe	schtasks.exe
PID 888 wrote to memory of 988	888	cmd.exe	schtasks.exe
PID 888 wrote to memory of 988	888	cmd.exe	schtasks.exe
PID 776 wrote to memory of 1036	776	hggfyu.exe	cmd.exe
PID 776 wrote to memory of 1036	776	hggfyu.exe	cmd.exe
PID 776 wrote to memory of 1036	776	hggfyu.exe	cmd.exe
PID 776 wrote to memory of 1036	776	hggfyu.exe	cmd.exe
PID 828 wrote to memory of 296	828	taskeng.exe	hggfyu.exe
PID 828 wrote to memory of 296	828	taskeng.exe	hggfyu.exe
PID 828 wrote to memory of 296	828	taskeng.exe	hggfyu.exe
PID 828 wrote to memory of 296	828	taskeng.exe	hggfyu.exe
PID 2012 wrote to memory of 1772	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 1772	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 1772	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 1772	2012	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\vnhgf.exe
"C:\Users\Admin\AppData\Local\Temp\vnhgf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:920

C:\Users\Admin\AppData\Local\Temp\vnhgf.exe
"C:\Users\Admin\AppData\Local\Temp\vnhgf.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2008

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1960

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\vnhgf.exe" "C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe"
2⤵
PID:884

C:\Windows\system32\taskeng.exe
taskeng.exe {D738B88D-6DAB-4EE8-9410-281464E57B88} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
"C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
4⤵
- Creates scheduled task(s)
PID:988

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe" "C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe"
3⤵
PID:1036

C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
2⤵
- Executes dropped EXE
PID:296

C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
"C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1772

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe" "C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe"
3⤵
PID:592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
Filesize
300.0MB

MD5
a5335343971e56e6ff268dcfe8774ae9

SHA1
25c8a25b5c1dd7913e4447dd15056afd52d95c4a

SHA256
1a66d08dd756f9fe6f3e936fb3b7c245d46b267c2512c997df86030e9d634734

SHA512
8ef2c8eff3ea1c26fd5c202aaad0fb6e6c2f895b791e47422aa7a34b879633d531d43328767b82df977ad53528d21359897f701c0e8d1018ca935c353aa91ca4

Download Submit
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
Filesize
300.0MB

MD5
a5335343971e56e6ff268dcfe8774ae9

SHA1
25c8a25b5c1dd7913e4447dd15056afd52d95c4a

SHA256
1a66d08dd756f9fe6f3e936fb3b7c245d46b267c2512c997df86030e9d634734

SHA512
8ef2c8eff3ea1c26fd5c202aaad0fb6e6c2f895b791e47422aa7a34b879633d531d43328767b82df977ad53528d21359897f701c0e8d1018ca935c353aa91ca4

Download Submit
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
Filesize
300.0MB

MD5
a5335343971e56e6ff268dcfe8774ae9

SHA1
25c8a25b5c1dd7913e4447dd15056afd52d95c4a

SHA256
1a66d08dd756f9fe6f3e936fb3b7c245d46b267c2512c997df86030e9d634734

SHA512
8ef2c8eff3ea1c26fd5c202aaad0fb6e6c2f895b791e47422aa7a34b879633d531d43328767b82df977ad53528d21359897f701c0e8d1018ca935c353aa91ca4

Download Submit
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
Filesize
300.0MB

MD5
a5335343971e56e6ff268dcfe8774ae9

SHA1
25c8a25b5c1dd7913e4447dd15056afd52d95c4a

SHA256
1a66d08dd756f9fe6f3e936fb3b7c245d46b267c2512c997df86030e9d634734

SHA512
8ef2c8eff3ea1c26fd5c202aaad0fb6e6c2f895b791e47422aa7a34b879633d531d43328767b82df977ad53528d21359897f701c0e8d1018ca935c353aa91ca4

Download Submit
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
Filesize
173.2MB

MD5
8d6824824615a4f70585a45c44794db2

SHA1
030466ae37b4cee3f0ee65148e78559031e93a57

SHA256
19acf326864e99c62504c0c3e8aaeaa76df654f3def0f20db4052dc38d0f08de

SHA512
c4ae1fec99a9c1810abe37646ed32c606131e6b542748bc053fd95ffa559333ebb360fd2e5bd7bee87e0bee215d7c02b8df2d96f641574402ae8cef7f655a832

Download Submit
memory/296-92-0x0000000000000000-mapping.dmp

Download
memory/776-71-0x0000000000000000-mapping.dmp

Download
memory/776-73-0x00000000008F0000-0x0000000000AB2000-memory.dmp

Filesize
1.8MB

Download
memory/884-69-0x0000000000000000-mapping.dmp

Download
memory/888-86-0x0000000000000000-mapping.dmp

Download
memory/920-61-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/920-54-0x0000000000310000-0x00000000004D2000-memory.dmp

Filesize
1.8MB

Download
memory/988-89-0x0000000000000000-mapping.dmp

Download
memory/1036-90-0x0000000000000000-mapping.dmp

Download
memory/1076-75-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1076-84-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1076-91-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1076-76-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1076-79-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1076-82-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1076-83-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1076-87-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1076-80-0x00000000007E2740-mapping.dmp

Download
memory/1772-96-0x0000000000000000-mapping.dmp

Download
memory/1960-68-0x0000000000000000-mapping.dmp

Download
memory/2000-65-0x0000000000000000-mapping.dmp

Download
memory/2008-74-0x00000000004E0000-0x00000000008C4000-memory.dmp

Filesize
3.9MB

Download
memory/2008-66-0x00000000004E0000-0x00000000008C4000-memory.dmp

Filesize
3.9MB

Download
memory/2008-63-0x00000000004E0000-0x00000000008C4000-memory.dmp

Filesize
3.9MB

Download
memory/2008-62-0x00000000004E0000-0x00000000008C4000-memory.dmp

Filesize
3.9MB

Download
memory/2008-60-0x00000000007E2740-mapping.dmp

Download
memory/2008-58-0x00000000004E0000-0x00000000008C4000-memory.dmp

Filesize
3.9MB

Download
memory/2008-56-0x0000000000752000-0x00000000008C3000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads