bitrat | f038d9065406391e3c711ceb73d5e30f1021f75a086d275750488fbde9cf2d72

General

Target

DHL_51015370367858.exe
Size

1.9MB
MD5

97fb1f63882abcbf894a43a528e4cb7a
SHA1

753c06c8b807a4e1f6b518cc0bc1350a09d8a922
SHA256

f038d9065406391e3c711ceb73d5e30f1021f75a086d275750488fbde9cf2d72
SHA512

aefd423c08320ae04fdb0072b04e70e27c8ca2cba9046f677a43783f8b64613b193bbb6a39daffd5db6a1c27478394c8c0c47c0a82d461b508c20bd466260e43

Score

10^/10

bitrat suricata trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

godfavor.duckdns.org:2349

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1708-61-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1708-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1708-64-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1708-67-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1708-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1708-68-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1708-69-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1708-73-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

DHL_51015370367858.exe

pid process

1708 DHL_51015370367858.exe
1708 DHL_51015370367858.exe
1708 DHL_51015370367858.exe
1708 DHL_51015370367858.exe
1708 DHL_51015370367858.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

DHL_51015370367858.exe

description pid process target process

PID 1068 set thread context of 1708 1068 DHL_51015370367858.exe DHL_51015370367858.exe

pid	process
1708	DHL_51015370367858.exe
1708	DHL_51015370367858.exe
1708	DHL_51015370367858.exe
1708	DHL_51015370367858.exe
1708	DHL_51015370367858.exe

description	pid	process	target process
PID 1068 set thread context of 1708	1068	DHL_51015370367858.exe	DHL_51015370367858.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

DHL_51015370367858.exe

pid	process
1068	DHL_51015370367858.exe
1068	DHL_51015370367858.exe
1068	DHL_51015370367858.exe
1068	DHL_51015370367858.exe
1068	DHL_51015370367858.exe
1068	DHL_51015370367858.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

DHL_51015370367858.exeDHL_51015370367858.exe

description	pid	process
Token: SeDebugPrivilege	1068	DHL_51015370367858.exe
Token: SeDebugPrivilege	1708	DHL_51015370367858.exe
Token: SeShutdownPrivilege	1708	DHL_51015370367858.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

DHL_51015370367858.exe

pid process

1708 DHL_51015370367858.exe
1708 DHL_51015370367858.exe

pid	process
1708	DHL_51015370367858.exe
1708	DHL_51015370367858.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

DHL_51015370367858.exe

description	pid	process	target process
PID 1068 wrote to memory of 1708	1068	DHL_51015370367858.exe	DHL_51015370367858.exe
PID 1068 wrote to memory of 1708	1068	DHL_51015370367858.exe	DHL_51015370367858.exe
PID 1068 wrote to memory of 1708	1068	DHL_51015370367858.exe	DHL_51015370367858.exe
PID 1068 wrote to memory of 1708	1068	DHL_51015370367858.exe	DHL_51015370367858.exe
PID 1068 wrote to memory of 1708	1068	DHL_51015370367858.exe	DHL_51015370367858.exe
PID 1068 wrote to memory of 1708	1068	DHL_51015370367858.exe	DHL_51015370367858.exe
PID 1068 wrote to memory of 1708	1068	DHL_51015370367858.exe	DHL_51015370367858.exe
PID 1068 wrote to memory of 1708	1068	DHL_51015370367858.exe	DHL_51015370367858.exe

C:\Users\Admin\AppData\Local\Temp\DHL_51015370367858.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_51015370367858.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068

C:\Users\Admin\AppData\Local\Temp\DHL_51015370367858.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_51015370367858.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1068-54-0x0000000001380000-0x000000000156C000-memory.dmp

Filesize
1.9MB

Download
memory/1068-55-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1068-56-0x00000000005A0000-0x00000000005C0000-memory.dmp

Filesize
128KB

Download
memory/1068-57-0x0000000000670000-0x000000000067E000-memory.dmp

Filesize
56KB

Download
memory/1068-58-0x0000000008030000-0x00000000081EC000-memory.dmp

Filesize
1.7MB

Download
memory/1068-59-0x0000000009690000-0x0000000009808000-memory.dmp

Filesize
1.5MB

Download
memory/1708-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1708-61-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1708-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1708-64-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1708-65-0x00000000007E2730-mapping.dmp

Download
memory/1708-67-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1708-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1708-68-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1708-69-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1708-71-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/1708-72-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/1708-73-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1708-74-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/1708-75-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads