bitrat | 5772bd29784adbf084a02eb16b79167d007b9eac3821cfb789a26196368f3e2a

General

Target

SecuriteInfo.com.Variant.Bulz.730395.20983.exe
Size

1.8MB
MD5

2f739f97c66d3045db3493780644c7ad
SHA1

66c4b6042c730cac3d6fecf96c0d9cd20b71e47d
SHA256

5772bd29784adbf084a02eb16b79167d007b9eac3821cfb789a26196368f3e2a
SHA512

b56e3566e366ed36c24f0def539d31211eb53ce6c659db107e094a867a087375f2385c0c782850c2b350ba51aaf01365919a3218d47d3e77fbb2a891388172d0

Score

10^/10

bitrat persistence suricata trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

SecuriteInfo.com.Variant.Bulz.730395.20983.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\xdcf.exe\","	SecuriteInfo.com.Variant.Bulz.730395.20983.exe

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4684-135-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4684-137-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4684-136-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4684-138-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4684-139-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4684-142-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

RegAsm.exe

pid process

4684 RegAsm.exe
4684 RegAsm.exe
4684 RegAsm.exe
4684 RegAsm.exe
4684 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Variant.Bulz.730395.20983.exe

description pid process target process

PID 4708 set thread context of 4684 4708 SecuriteInfo.com.Variant.Bulz.730395.20983.exe RegAsm.exe

pid	process
4684	RegAsm.exe
4684	RegAsm.exe
4684	RegAsm.exe
4684	RegAsm.exe
4684	RegAsm.exe

description	pid	process	target process
PID 4708 set thread context of 4684	4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

SecuriteInfo.com.Variant.Bulz.730395.20983.exe

pid	process
4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe
4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe
4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe
4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe
4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe
4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe
4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe
4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe
4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe
4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SecuriteInfo.com.Variant.Bulz.730395.20983.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 4708 SecuriteInfo.com.Variant.Bulz.730395.20983.exe
Token: SeShutdownPrivilege 4684 RegAsm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

4684 RegAsm.exe
4684 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe
Token: SeShutdownPrivilege	4684	RegAsm.exe

pid	process
4684	RegAsm.exe
4684	RegAsm.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

SecuriteInfo.com.Variant.Bulz.730395.20983.exe

description	pid	process	target process
PID 4708 wrote to memory of 2988	4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe
PID 4708 wrote to memory of 2988	4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe
PID 4708 wrote to memory of 2988	4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe
PID 4708 wrote to memory of 1820	4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe
PID 4708 wrote to memory of 1820	4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe
PID 4708 wrote to memory of 1820	4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe
PID 4708 wrote to memory of 4684	4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe
PID 4708 wrote to memory of 4684	4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe
PID 4708 wrote to memory of 4684	4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe
PID 4708 wrote to memory of 4684	4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe
PID 4708 wrote to memory of 4684	4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe
PID 4708 wrote to memory of 4684	4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe
PID 4708 wrote to memory of 4684	4708	SecuriteInfo.com.Variant.Bulz.730395.20983.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.730395.20983.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.730395.20983.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
PID:1820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1820-133-0x0000000000000000-mapping.dmp

Download
memory/2988-132-0x0000000000000000-mapping.dmp

Download
memory/4684-137-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4684-134-0x0000000000000000-mapping.dmp

Download
memory/4684-135-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4684-136-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4684-138-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4684-139-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4684-140-0x0000000074230000-0x0000000074269000-memory.dmp

Filesize
228KB

Download
memory/4684-141-0x00000000745B0000-0x00000000745E9000-memory.dmp

Filesize
228KB

Download
memory/4684-142-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4684-143-0x0000000074230000-0x0000000074269000-memory.dmp

Filesize
228KB

Download
memory/4684-144-0x00000000745B0000-0x00000000745E9000-memory.dmp

Filesize
228KB

Download
memory/4708-131-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/4708-130-0x0000000000230000-0x0000000000410000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads