bitrat | 5772bd29784adbf084a02eb16b79167d007b9eac3821cfb789a26196368f3e2a

General

Target

SecuriteInfo.com.Variant.Bulz.730395.20983.exe
Size

1.8MB
MD5

2f739f97c66d3045db3493780644c7ad
SHA1

66c4b6042c730cac3d6fecf96c0d9cd20b71e47d
SHA256

5772bd29784adbf084a02eb16b79167d007b9eac3821cfb789a26196368f3e2a
SHA512

b56e3566e366ed36c24f0def539d31211eb53ce6c659db107e094a867a087375f2385c0c782850c2b350ba51aaf01365919a3218d47d3e77fbb2a891388172d0

Score

10^/10

bitrat persistence suricata trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

SecuriteInfo.com.Variant.Bulz.730395.20983.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\xdcf.exe\","	SecuriteInfo.com.Variant.Bulz.730395.20983.exe

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1652-59-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1652-61-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1652-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1652-64-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1652-65-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1652-68-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1652-69-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1652-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1652-73-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

RegAsm.exe

pid process

1652 RegAsm.exe
1652 RegAsm.exe
1652 RegAsm.exe
1652 RegAsm.exe
1652 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Variant.Bulz.730395.20983.exe

description pid process target process

PID 1284 set thread context of 1652 1284 SecuriteInfo.com.Variant.Bulz.730395.20983.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

SecuriteInfo.com.Variant.Bulz.730395.20983.exe

pid process

1284 SecuriteInfo.com.Variant.Bulz.730395.20983.exe

pid	process
1652	RegAsm.exe
1652	RegAsm.exe
1652	RegAsm.exe
1652	RegAsm.exe
1652	RegAsm.exe

description	pid	process	target process
PID 1284 set thread context of 1652	1284	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe

pid	process
1284	SecuriteInfo.com.Variant.Bulz.730395.20983.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SecuriteInfo.com.Variant.Bulz.730395.20983.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1284	SecuriteInfo.com.Variant.Bulz.730395.20983.exe
Token: SeDebugPrivilege	1652	RegAsm.exe
Token: SeShutdownPrivilege	1652	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

1652 RegAsm.exe
1652 RegAsm.exe

pid	process
1652	RegAsm.exe
1652	RegAsm.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

SecuriteInfo.com.Variant.Bulz.730395.20983.exe

description	pid	process	target process
PID 1284 wrote to memory of 1652	1284	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe
PID 1284 wrote to memory of 1652	1284	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe
PID 1284 wrote to memory of 1652	1284	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe
PID 1284 wrote to memory of 1652	1284	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe
PID 1284 wrote to memory of 1652	1284	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe
PID 1284 wrote to memory of 1652	1284	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe
PID 1284 wrote to memory of 1652	1284	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe
PID 1284 wrote to memory of 1652	1284	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe
PID 1284 wrote to memory of 1652	1284	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe
PID 1284 wrote to memory of 1652	1284	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe
PID 1284 wrote to memory of 1652	1284	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.730395.20983.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.730395.20983.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1284-54-0x0000000000D70000-0x0000000000F50000-memory.dmp

Filesize
1.9MB

Download
memory/1284-55-0x0000000004FF0000-0x00000000051E0000-memory.dmp

Filesize
1.9MB

Download
memory/1284-56-0x0000000000AA0000-0x0000000000AEC000-memory.dmp

Filesize
304KB

Download
memory/1284-57-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1652-58-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1652-59-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1652-61-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1652-63-0x00000000007E2730-mapping.dmp

Download
memory/1652-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1652-64-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1652-65-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1652-68-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1652-69-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1652-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1652-71-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/1652-72-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/1652-73-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1652-74-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/1652-75-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads