bitrat | 6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5

General

Target

6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
Size

3.7MB
MD5

a202bac1697b6255bf5bfdf0cce9aaa6
SHA1

fe0327a7a122a1086ed8cfc288e9c6716affbf69
SHA256

6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5
SHA512

5f553747bc52a8b5e55d146f9731ecd606147c7d8f3c03ac9a5903728c2c8af26f8987e9defaa67e743346eaa1aefc14df2c5e2b03b341966c38f51cb32964f7

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.33

C2

qwerty:4444

Attributes

communication_password
827ccb0eea8a706c4c34a16891f84e7b
install_dir
dfgh
install_file
rftgh.exe
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rftgh = "C:\\Users\\Admin\\AppData\\Local\\dfgh\\rftgh.exe䜀"	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rftgh = "C:\\Users\\Admin\\AppData\\Local\\dfgh\\rftgh.exe먀"	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rftgh = "C:\\Users\\Admin\\AppData\\Local\\dfgh\\rftgh.exe"	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rftgh = "C:\\Users\\Admin\\AppData\\Local\\dfgh\\rftgh.exe伀"	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rftgh = "C:\\Users\\Admin\\AppData\\Local\\dfgh\\rftgh.exe䌀"	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rftgh = "C:\\Users\\Admin\\AppData\\Local\\dfgh\\rftgh.exe䈀"	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rftgh = "C:\\Users\\Admin\\AppData\\Local\\dfgh\\rftgh.exeԀ"	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rftgh = "C:\\Users\\Admin\\AppData\\Local\\dfgh\\rftgh.exe\uf100"	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rftgh = "C:\\Users\\Admin\\AppData\\Local\\dfgh\\rftgh.exeЀ"	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe

pid	process
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe

Suspicious behavior: RenamesItself 29 IoCs

Processes:

6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe

pid	process
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe

description pid process

Token: SeShutdownPrivilege 4212 6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe

description	pid	process
Token: SeShutdownPrivilege	4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe

pid	process
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
4212	6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe

C:\Users\Admin\AppData\Local\Temp\6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe
"C:\Users\Admin\AppData\Local\Temp\6b42f40e4ab8f5c0ba3020a38e52d42cec276685060d41e2805f66869ff587e5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4212-130-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/4212-131-0x0000000074B80000-0x0000000074BB9000-memory.dmp

Filesize
228KB

Download
memory/4212-132-0x0000000074AF0000-0x0000000074B29000-memory.dmp

Filesize
228KB

Download
memory/4212-133-0x0000000074AF0000-0x0000000074B29000-memory.dmp

Filesize
228KB

Download
memory/4212-134-0x0000000074AF0000-0x0000000074B29000-memory.dmp

Filesize
228KB

Download
memory/4212-135-0x0000000074AF0000-0x0000000074B29000-memory.dmp

Filesize
228KB

Download
memory/4212-136-0x0000000074AF0000-0x0000000074B29000-memory.dmp

Filesize
228KB

Download
memory/4212-137-0x0000000074AF0000-0x0000000074B29000-memory.dmp

Filesize
228KB

Download
memory/4212-138-0x0000000074B80000-0x0000000074BB9000-memory.dmp

Filesize
228KB

Download
memory/4212-139-0x0000000074AF0000-0x0000000074B29000-memory.dmp

Filesize
228KB

Download
memory/4212-140-0x0000000074AF0000-0x0000000074B29000-memory.dmp

Filesize
228KB

Download
memory/4212-141-0x0000000074AF0000-0x0000000074B29000-memory.dmp

Filesize
228KB

Download
memory/4212-142-0x0000000074AF0000-0x0000000074B29000-memory.dmp

Filesize
228KB

Download
memory/4212-143-0x0000000074AF0000-0x0000000074B29000-memory.dmp

Filesize
228KB

Download
memory/4212-144-0x0000000074AF0000-0x0000000074B29000-memory.dmp

Filesize
228KB

Download
memory/4212-145-0x0000000074AF0000-0x0000000074B29000-memory.dmp

Filesize
228KB

Download
memory/4212-146-0x0000000074AF0000-0x0000000074B29000-memory.dmp

Filesize
228KB

Download
memory/4212-147-0x0000000074AF0000-0x0000000074B29000-memory.dmp

Filesize
228KB

Download
memory/4212-148-0x0000000074AF0000-0x0000000074B29000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads