bitrat | a97feddf4e0e68b4fd86b4643babcc7b799c54f08724cf4fcfd1038e918ebff0

General

Target

SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe
Size

2.1MB
MD5

e12a6196b7111c16b714203901bc04df
SHA1

964d35b27808d800a5ce11561786de6a2d8af0b1
SHA256

a97feddf4e0e68b4fd86b4643babcc7b799c54f08724cf4fcfd1038e918ebff0
SHA512

6dfb722593ff5b56c3b3852225aebb1797f947e9baa26a644c500bdbcb664e77b60866430e19c1ea2f2881947a999696870d081baa25a035021ec21b456eb2a7

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

godfavor.duckdns.org:2349

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1144-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1144-64-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1144-65-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1144-67-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1144-68-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1144-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1144-71-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1144-74-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe

pid	process
1144	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe
1144	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe
1144	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe
1144	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe

description	pid	process	target process
PID 836 set thread context of 1144	836	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1932 836 WerFault.exe SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe

pid	pid_target	process	target process
1932	836	WerFault.exe	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe

pid	process
836	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe
836	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe
836	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe
836	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe
836	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe
836	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen18.23529.6748.exeSecuriteInfo.com.Trojan.Siggen18.23529.6748.exe

description	pid	process
Token: SeDebugPrivilege	836	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe
Token: SeDebugPrivilege	1144	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe
Token: SeShutdownPrivilege	1144	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe

pid process

1144 SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe
1144 SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe

description	pid	process	target process
PID 836 wrote to memory of 1144	836	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe
PID 836 wrote to memory of 1144	836	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe
PID 836 wrote to memory of 1144	836	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe
PID 836 wrote to memory of 1144	836	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe
PID 836 wrote to memory of 1144	836	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe
PID 836 wrote to memory of 1144	836	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe
PID 836 wrote to memory of 1144	836	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe
PID 836 wrote to memory of 1144	836	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe
PID 836 wrote to memory of 1932	836	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe	WerFault.exe
PID 836 wrote to memory of 1932	836	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe	WerFault.exe
PID 836 wrote to memory of 1932	836	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe	WerFault.exe
PID 836 wrote to memory of 1932	836	SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen18.23529.6748.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 948
2⤵
- Program crash
PID:1932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/836-54-0x0000000001030000-0x000000000124C000-memory.dmp

Filesize
2.1MB

Download
memory/836-55-0x0000000075381000-0x0000000075383000-memory.dmp

Filesize
8KB

Download
memory/836-56-0x0000000000450000-0x000000000046A000-memory.dmp

Filesize
104KB

Download
memory/836-57-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/836-58-0x000000000ABC0000-0x000000000AD80000-memory.dmp

Filesize
1.8MB

Download
memory/836-59-0x0000000005075000-0x0000000005086000-memory.dmp

Filesize
68KB

Download
memory/836-60-0x000000000AD80000-0x000000000AEF8000-memory.dmp

Filesize
1.5MB

Download
memory/836-73-0x0000000005075000-0x0000000005086000-memory.dmp

Filesize
68KB

Download
memory/1144-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1144-64-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1144-65-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1144-66-0x00000000007E2740-mapping.dmp

Download
memory/1144-67-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1144-68-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1144-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1144-71-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1144-61-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1144-74-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1932-69-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads