bitrat | 96ad1fca026bd32391b2788796429e7299637b7a192ea5b5af31052a374ba396

General

Target

Document.exe
Size

791KB
MD5

7c0e98c4953d703942e3cad7d5853044
SHA1

a766257674c5785ebc8b86190b32c237e0591ddb
SHA256

96ad1fca026bd32391b2788796429e7299637b7a192ea5b5af31052a374ba396
SHA512

6dd746ee49e496098624c64c9e2e80893ef9bc4bf313a80dbb4e1d94543e9d38200786ce348732422a5aa127f7e182aa5782b541ed0b00b22098658a533dec66

Score

10^/10

bitrat modiloader persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

leaflet304.casacam.net:9090

Attributes

communication_password
b4df9f494056d51f86c7f1a89850c467
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3600-182-0x0000000050410000-0x00000000507F4000-memory.dmp	upx
behavioral2/memory/3600-183-0x0000000050410000-0x00000000507F4000-memory.dmp	upx
behavioral2/memory/3600-197-0x0000000050410000-0x00000000507F4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Document.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ylklio = "C:\\Users\\Public\\Libraries\\oilklY.url"	Document.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

logagent.exe

pid process

3600 logagent.exe
3600 logagent.exe
3600 logagent.exe
3600 logagent.exe
3600 logagent.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2304 powershell.exe
2304 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exelogagent.exe

description pid process

Token: SeDebugPrivilege 2304 powershell.exe
Token: SeShutdownPrivilege 3600 logagent.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

logagent.exe

pid process

3600 logagent.exe
3600 logagent.exe

pid	process
3600	logagent.exe
3600	logagent.exe
3600	logagent.exe
3600	logagent.exe
3600	logagent.exe

pid	process
2304	powershell.exe
2304	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeShutdownPrivilege	3600	logagent.exe

pid	process
3600	logagent.exe
3600	logagent.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

Document.execmd.execmd.exenet.exe

description	pid	process	target process
PID 4264 wrote to memory of 3400	4264	Document.exe	cmd.exe
PID 4264 wrote to memory of 3400	4264	Document.exe	cmd.exe
PID 4264 wrote to memory of 3400	4264	Document.exe	cmd.exe
PID 3400 wrote to memory of 2580	3400	cmd.exe	cmd.exe
PID 3400 wrote to memory of 2580	3400	cmd.exe	cmd.exe
PID 3400 wrote to memory of 2580	3400	cmd.exe	cmd.exe
PID 2580 wrote to memory of 1972	2580	cmd.exe	net.exe
PID 2580 wrote to memory of 1972	2580	cmd.exe	net.exe
PID 2580 wrote to memory of 1972	2580	cmd.exe	net.exe
PID 1972 wrote to memory of 1804	1972	net.exe	net1.exe
PID 1972 wrote to memory of 1804	1972	net.exe	net1.exe
PID 1972 wrote to memory of 1804	1972	net.exe	net1.exe
PID 2580 wrote to memory of 2304	2580	cmd.exe	powershell.exe
PID 2580 wrote to memory of 2304	2580	cmd.exe	powershell.exe
PID 2580 wrote to memory of 2304	2580	cmd.exe	powershell.exe
PID 4264 wrote to memory of 3600	4264	Document.exe	logagent.exe
PID 4264 wrote to memory of 3600	4264	Document.exe	logagent.exe
PID 4264 wrote to memory of 3600	4264	Document.exe	logagent.exe
PID 4264 wrote to memory of 3600	4264	Document.exe	logagent.exe
PID 4264 wrote to memory of 3600	4264	Document.exe	logagent.exe
PID 4264 wrote to memory of 3600	4264	Document.exe	logagent.exe
PID 4264 wrote to memory of 3600	4264	Document.exe	logagent.exe
PID 4264 wrote to memory of 3600	4264	Document.exe	logagent.exe
PID 4264 wrote to memory of 3600	4264	Document.exe	logagent.exe
PID 4264 wrote to memory of 3600	4264	Document.exe	logagent.exe
PID 4264 wrote to memory of 3600	4264	Document.exe	logagent.exe
PID 4264 wrote to memory of 3600	4264	Document.exe	logagent.exe
PID 4264 wrote to memory of 3600	4264	Document.exe	logagent.exe
PID 4264 wrote to memory of 3600	4264	Document.exe	logagent.exe
PID 4264 wrote to memory of 3600	4264	Document.exe	logagent.exe
PID 4264 wrote to memory of 3600	4264	Document.exe	logagent.exe
PID 4264 wrote to memory of 3600	4264	Document.exe	logagent.exe
PID 4264 wrote to memory of 3600	4264	Document.exe	logagent.exe
PID 4264 wrote to memory of 3600	4264	Document.exe	logagent.exe
PID 4264 wrote to memory of 3600	4264	Document.exe	logagent.exe
PID 4264 wrote to memory of 3600	4264	Document.exe	logagent.exe
PID 4264 wrote to memory of 3600	4264	Document.exe	logagent.exe
PID 4264 wrote to memory of 3600	4264	Document.exe	logagent.exe

C:\Users\Admin\AppData\Local\Temp\Document.exe
"C:\Users\Admin\AppData\Local\Temp\Document.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Ylkliot.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\YlklioO.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\SysWOW64\net.exe
net session
4⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\logagent.exe
"C:\Windows\System32\logagent.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3600

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
1⤵
PID:1804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\Cdex.bat
Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Users\Public\Libraries\YlklioO.bat
Filesize
1KB

MD5
df48c09f243ebcc8a165f77a1c2bf889

SHA1
455f7db0adcc2a58d006f1630fb0bd55cd868c07

SHA256
4ef9821678da07138c19405387f3fb95e409fbd461c7b8d847c05075facd63ca

SHA512
735838c7cca953697ded48adfcd037b7f198072a8962f5940ce12e1bb1c7dd8c1f257a829276f5f5456f776f5bd13342222dd6e0dfc8f18a23f464f2c8d8f1cc

Download Submit
C:\Users\Public\Libraries\Ylkliot.bat
Filesize
55B

MD5
9c9199539865f8cc3af177ca26212b13

SHA1
4f500d388c2a89dee7ef29655473e81273446582

SHA256
9e1d027acf8d84e00dd71d212d4d78f8b0b1450923a726fe018c78a7418585bc

SHA512
d95a7613c0e8037ee581840fd67122bbb1966b5d6bf8212d562d836c943c9fa461b5e737f1d5692b9f695817e5717525863a1f4b90ae6d199f1d7fb361c8671a

Download Submit
memory/1804-173-0x0000000000000000-mapping.dmp

Download
memory/1972-172-0x0000000000000000-mapping.dmp

Download
memory/2304-187-0x00000000066F0000-0x0000000006722000-memory.dmp

Filesize
200KB

Download
memory/2304-192-0x00000000074D0000-0x00000000074DA000-memory.dmp

Filesize
40KB

Download
memory/2304-175-0x0000000000000000-mapping.dmp

Download
memory/2304-176-0x0000000004E10000-0x0000000004E46000-memory.dmp

Filesize
216KB

Download
memory/2304-177-0x0000000005480000-0x0000000005AA8000-memory.dmp

Filesize
6.2MB

Download
memory/2304-179-0x0000000005AB0000-0x0000000005B16000-memory.dmp

Filesize
408KB

Download
memory/2304-180-0x0000000005B20000-0x0000000005B86000-memory.dmp

Filesize
408KB

Download
memory/2304-178-0x00000000052C0000-0x00000000052E2000-memory.dmp

Filesize
136KB

Download
memory/2304-196-0x0000000007770000-0x0000000007778000-memory.dmp

Filesize
32KB

Download
memory/2304-195-0x0000000007780000-0x000000000779A000-memory.dmp

Filesize
104KB

Download
memory/2304-194-0x0000000007680000-0x000000000768E000-memory.dmp

Filesize
56KB

Download
memory/2304-184-0x0000000005430000-0x000000000544E000-memory.dmp

Filesize
120KB

Download
memory/2304-193-0x00000000076C0000-0x0000000007756000-memory.dmp

Filesize
600KB

Download
memory/2304-190-0x0000000007B10000-0x000000000818A000-memory.dmp

Filesize
6.5MB

Download
memory/2304-189-0x00000000066D0000-0x00000000066EE000-memory.dmp

Filesize
120KB

Download
memory/2304-188-0x0000000074F30000-0x0000000074F7C000-memory.dmp

Filesize
304KB

Download
memory/2304-191-0x0000000007390000-0x00000000073AA000-memory.dmp

Filesize
104KB

Download
memory/2580-170-0x0000000000000000-mapping.dmp

Download
memory/3400-168-0x0000000000000000-mapping.dmp

Download
memory/3600-186-0x0000000074860000-0x0000000074899000-memory.dmp

Filesize
228KB

Download
memory/3600-185-0x0000000074B80000-0x0000000074BB9000-memory.dmp

Filesize
228KB

Download
memory/3600-183-0x0000000050410000-0x00000000507F4000-memory.dmp

Filesize
3.9MB

Download
memory/3600-182-0x0000000050410000-0x00000000507F4000-memory.dmp

Filesize
3.9MB

Download
memory/3600-181-0x0000000000000000-mapping.dmp

Download
memory/3600-197-0x0000000050410000-0x00000000507F4000-memory.dmp

Filesize
3.9MB

Download
memory/3600-198-0x0000000074B80000-0x0000000074BB9000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads