bitrat | f038d9065406391e3c711ceb73d5e30f1021f75a086d275750488fbde9cf2d72

General

Target

DHL_51015370367858.exe
Size

1.9MB
MD5

97fb1f63882abcbf894a43a528e4cb7a
SHA1

753c06c8b807a4e1f6b518cc0bc1350a09d8a922
SHA256

f038d9065406391e3c711ceb73d5e30f1021f75a086d275750488fbde9cf2d72
SHA512

aefd423c08320ae04fdb0072b04e70e27c8ca2cba9046f677a43783f8b64613b193bbb6a39daffd5db6a1c27478394c8c0c47c0a82d461b508c20bd466260e43

Score

10^/10

bitrat suricata trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

godfavor.duckdns.org:2349

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
suricata

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5096-140-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/5096-141-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/5096-142-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/5096-143-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/5096-144-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/5096-147-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

DHL_51015370367858.exe

pid process

5096 DHL_51015370367858.exe
5096 DHL_51015370367858.exe
5096 DHL_51015370367858.exe
5096 DHL_51015370367858.exe
5096 DHL_51015370367858.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

DHL_51015370367858.exe

description pid process target process

PID 4624 set thread context of 5096 4624 DHL_51015370367858.exe DHL_51015370367858.exe

pid	process
5096	DHL_51015370367858.exe
5096	DHL_51015370367858.exe
5096	DHL_51015370367858.exe
5096	DHL_51015370367858.exe
5096	DHL_51015370367858.exe

description	pid	process	target process
PID 4624 set thread context of 5096	4624	DHL_51015370367858.exe	DHL_51015370367858.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

DHL_51015370367858.exe

pid	process
4624	DHL_51015370367858.exe
4624	DHL_51015370367858.exe
4624	DHL_51015370367858.exe
4624	DHL_51015370367858.exe
4624	DHL_51015370367858.exe
4624	DHL_51015370367858.exe
4624	DHL_51015370367858.exe
4624	DHL_51015370367858.exe
4624	DHL_51015370367858.exe
4624	DHL_51015370367858.exe
4624	DHL_51015370367858.exe
4624	DHL_51015370367858.exe
4624	DHL_51015370367858.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DHL_51015370367858.exeDHL_51015370367858.exe

description pid process

Token: SeDebugPrivilege 4624 DHL_51015370367858.exe
Token: SeShutdownPrivilege 5096 DHL_51015370367858.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

DHL_51015370367858.exe

pid process

5096 DHL_51015370367858.exe
5096 DHL_51015370367858.exe

description	pid	process
Token: SeDebugPrivilege	4624	DHL_51015370367858.exe
Token: SeShutdownPrivilege	5096	DHL_51015370367858.exe

pid	process
5096	DHL_51015370367858.exe
5096	DHL_51015370367858.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

DHL_51015370367858.exe

description	pid	process	target process
PID 4624 wrote to memory of 3376	4624	DHL_51015370367858.exe	DHL_51015370367858.exe
PID 4624 wrote to memory of 3376	4624	DHL_51015370367858.exe	DHL_51015370367858.exe
PID 4624 wrote to memory of 3376	4624	DHL_51015370367858.exe	DHL_51015370367858.exe
PID 4624 wrote to memory of 1256	4624	DHL_51015370367858.exe	DHL_51015370367858.exe
PID 4624 wrote to memory of 1256	4624	DHL_51015370367858.exe	DHL_51015370367858.exe
PID 4624 wrote to memory of 1256	4624	DHL_51015370367858.exe	DHL_51015370367858.exe
PID 4624 wrote to memory of 4132	4624	DHL_51015370367858.exe	DHL_51015370367858.exe
PID 4624 wrote to memory of 4132	4624	DHL_51015370367858.exe	DHL_51015370367858.exe
PID 4624 wrote to memory of 4132	4624	DHL_51015370367858.exe	DHL_51015370367858.exe
PID 4624 wrote to memory of 5096	4624	DHL_51015370367858.exe	DHL_51015370367858.exe
PID 4624 wrote to memory of 5096	4624	DHL_51015370367858.exe	DHL_51015370367858.exe
PID 4624 wrote to memory of 5096	4624	DHL_51015370367858.exe	DHL_51015370367858.exe
PID 4624 wrote to memory of 5096	4624	DHL_51015370367858.exe	DHL_51015370367858.exe
PID 4624 wrote to memory of 5096	4624	DHL_51015370367858.exe	DHL_51015370367858.exe
PID 4624 wrote to memory of 5096	4624	DHL_51015370367858.exe	DHL_51015370367858.exe
PID 4624 wrote to memory of 5096	4624	DHL_51015370367858.exe	DHL_51015370367858.exe

C:\Users\Admin\AppData\Local\Temp\DHL_51015370367858.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_51015370367858.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4624

C:\Users\Admin\AppData\Local\Temp\DHL_51015370367858.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_51015370367858.exe"
2⤵
PID:3376

C:\Users\Admin\AppData\Local\Temp\DHL_51015370367858.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_51015370367858.exe"
2⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\DHL_51015370367858.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_51015370367858.exe"
2⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\DHL_51015370367858.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_51015370367858.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1256-137-0x0000000000000000-mapping.dmp

Download
memory/3376-136-0x0000000000000000-mapping.dmp

Download
memory/4132-138-0x0000000000000000-mapping.dmp

Download
memory/4624-130-0x0000000000270000-0x000000000045C000-memory.dmp

Filesize
1.9MB

Download
memory/4624-131-0x00000000053A0000-0x0000000005944000-memory.dmp

Filesize
5.6MB

Download
memory/4624-132-0x0000000004E90000-0x0000000004F22000-memory.dmp

Filesize
584KB

Download
memory/4624-133-0x0000000004E00000-0x0000000004E0A000-memory.dmp

Filesize
40KB

Download
memory/4624-134-0x00000000089C0000-0x0000000008A5C000-memory.dmp

Filesize
624KB

Download
memory/4624-135-0x0000000000AF0000-0x0000000000B56000-memory.dmp

Filesize
408KB

Download
memory/5096-140-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5096-139-0x0000000000000000-mapping.dmp

Download
memory/5096-141-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5096-142-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5096-143-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5096-144-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5096-145-0x0000000074490000-0x00000000744C9000-memory.dmp

Filesize
228KB

Download
memory/5096-146-0x0000000074830000-0x0000000074869000-memory.dmp

Filesize
228KB

Download
memory/5096-147-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5096-148-0x0000000074490000-0x00000000744C9000-memory.dmp

Filesize
228KB

Download
memory/5096-149-0x0000000074830000-0x0000000074869000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads