bitrat | cf14757dc91f0f0999a68ed6def88d06da7b2ad659ab618cee7728ab9caae6c3

General

Target

cf14757dc91f0f0999a68ed6def88d06da7b2ad659ab618cee7728ab9caae6c3.exe
Size

4.2MB
MD5

1ef35e701432e20e684f81c34d23396f
SHA1

db4dbf0702c2830a4fd5f57b5bb61462864c0859
SHA256

cf14757dc91f0f0999a68ed6def88d06da7b2ad659ab618cee7728ab9caae6c3
SHA512

5f82b0215846026c32707bcc262616455add416de31aae51b72b025b3642f1854e2e0073324210e0e1d2ba32aee0b4a746ca5d9ef0a245624b7e5c41f12892a7

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.33

C2

173.44.50.137:58881

Attributes

communication_password
827ccb0eea8a706c4c34a16891f84e7b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/2708-130-0x0000000000C70000-0x00000000010AE000-memory.dmp	net_reactor

Executes dropped EXE 1 IoCs

Processes:

Sljpqqrmrkm.exe

pid process

2512 Sljpqqrmrkm.exe

pid	process
2512	Sljpqqrmrkm.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cf14757dc91f0f0999a68ed6def88d06da7b2ad659ab618cee7728ab9caae6c3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	cf14757dc91f0f0999a68ed6def88d06da7b2ad659ab618cee7728ab9caae6c3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

Sljpqqrmrkm.exe

pid process

2512 Sljpqqrmrkm.exe
2512 Sljpqqrmrkm.exe
2512 Sljpqqrmrkm.exe
2512 Sljpqqrmrkm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3932 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Sljpqqrmrkm.exe

description pid process

Token: SeShutdownPrivilege 2512 Sljpqqrmrkm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Sljpqqrmrkm.exe

pid process

2512 Sljpqqrmrkm.exe
2512 Sljpqqrmrkm.exe

pid	process
2512	Sljpqqrmrkm.exe
2512	Sljpqqrmrkm.exe
2512	Sljpqqrmrkm.exe
2512	Sljpqqrmrkm.exe

pid	process
3932	schtasks.exe

description	pid	process
Token: SeShutdownPrivilege	2512	Sljpqqrmrkm.exe

pid	process
2512	Sljpqqrmrkm.exe
2512	Sljpqqrmrkm.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cf14757dc91f0f0999a68ed6def88d06da7b2ad659ab618cee7728ab9caae6c3.exeSljpqqrmrkm.execmd.exe

description	pid	process	target process
PID 2708 wrote to memory of 2512	2708	cf14757dc91f0f0999a68ed6def88d06da7b2ad659ab618cee7728ab9caae6c3.exe	Sljpqqrmrkm.exe
PID 2708 wrote to memory of 2512	2708	cf14757dc91f0f0999a68ed6def88d06da7b2ad659ab618cee7728ab9caae6c3.exe	Sljpqqrmrkm.exe
PID 2708 wrote to memory of 2512	2708	cf14757dc91f0f0999a68ed6def88d06da7b2ad659ab618cee7728ab9caae6c3.exe	Sljpqqrmrkm.exe
PID 2512 wrote to memory of 3604	2512	Sljpqqrmrkm.exe	cmd.exe
PID 2512 wrote to memory of 3604	2512	Sljpqqrmrkm.exe	cmd.exe
PID 2512 wrote to memory of 3604	2512	Sljpqqrmrkm.exe	cmd.exe
PID 3604 wrote to memory of 3932	3604	cmd.exe	schtasks.exe
PID 3604 wrote to memory of 3932	3604	cmd.exe	schtasks.exe
PID 3604 wrote to memory of 3932	3604	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\cf14757dc91f0f0999a68ed6def88d06da7b2ad659ab618cee7728ab9caae6c3.exe
"C:\Users\Admin\AppData\Local\Temp\cf14757dc91f0f0999a68ed6def88d06da7b2ad659ab618cee7728ab9caae6c3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Local\Temp\Sljpqqrmrkm.exe
"C:\Users\Admin\AppData\Local\Temp\Sljpqqrmrkm.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /Create /TN BitBuild.exe /XML "C:\Users\Admin\AppData\Local\Temp\29d310674f82412e9cef9c078896a87e.xml"
3⤵
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN BitBuild.exe /XML "C:\Users\Admin\AppData\Local\Temp\29d310674f82412e9cef9c078896a87e.xml"
4⤵
- Creates scheduled task(s)
PID:3932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\29d310674f82412e9cef9c078896a87e.xml
Filesize
1KB

MD5
3d7f4a3d816f770bda7ab0e51be67e9e

SHA1
1ea0d373fdf2271d124a94646eff0c22198f4ee2

SHA256
9486e9fa3b89daf721b9bb0024c428f9c289bd2487cee6e005b91f93487eff88

SHA512
f347d0b92bdb9f7156e207bc022841b4c2e595c9eb4136f0e7f01c075a46906d745c25c228a87d4a39ec7c9f33c3fb213a061024e94099a92acb858543dcddd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sljpqqrmrkm.exe
Filesize
3.9MB

MD5
07aa71fa31e15543e9708c499f28c56a

SHA1
065ba94095d063ec5d77d6ee020c5cf6f4595502

SHA256
036ad0ba21ca4e5d292e9dd302d0498ffd85bb969a8f398405c14b490148d4b9

SHA512
f21d4708566c87d401647cf047dc3edfffa142f1ff27e6628146a905a0d6118b78034b18979d7312d1f6182e44834fc302582a21f3bba98cdeeb450d9c64bb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sljpqqrmrkm.exe
Filesize
3.9MB

MD5
07aa71fa31e15543e9708c499f28c56a

SHA1
065ba94095d063ec5d77d6ee020c5cf6f4595502

SHA256
036ad0ba21ca4e5d292e9dd302d0498ffd85bb969a8f398405c14b490148d4b9

SHA512
f21d4708566c87d401647cf047dc3edfffa142f1ff27e6628146a905a0d6118b78034b18979d7312d1f6182e44834fc302582a21f3bba98cdeeb450d9c64bb7f

Download Submit
memory/2512-142-0x00000000751B0000-0x00000000751E9000-memory.dmp

Filesize
228KB

Download
memory/2512-143-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/2512-147-0x00000000751B0000-0x00000000751E9000-memory.dmp

Filesize
228KB

Download
memory/2512-136-0x000000000113B000-0x0000000001140000-memory.dmp

Filesize
20KB

Download
memory/2512-146-0x0000000074E10000-0x0000000074E49000-memory.dmp

Filesize
228KB

Download
memory/2512-145-0x00000000751B0000-0x00000000751E9000-memory.dmp

Filesize
228KB

Download
memory/2512-144-0x00000000751B0000-0x00000000751E9000-memory.dmp

Filesize
228KB

Download
memory/2512-140-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/2512-141-0x0000000074E10000-0x0000000074E49000-memory.dmp

Filesize
228KB

Download
memory/2512-132-0x0000000000000000-mapping.dmp

Download
memory/2708-130-0x0000000000C70000-0x00000000010AE000-memory.dmp

Filesize
4.2MB

Download
memory/2708-131-0x00007FF9AD4E0000-0x00007FF9ADFA1000-memory.dmp

Filesize
10.8MB

Download
memory/2708-135-0x00007FF9AD4E0000-0x00007FF9ADFA1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-137-0x0000000000000000-mapping.dmp

Download
memory/3932-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads