bitrat | 3ca3364bacc38346dd777c8f90de705fd01c008161c4d1fa149ccf1b6205bbfb

Analysis

max time kernel
150s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220718-en
resource tags

arch:x64arch:x86image:win10-20220718-enlocale:en-usos:windows10-1703-x64system
submitted
26-07-2022 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Document.exe
Size

986KB
MD5

9bfee233b1eb08709245723a8a67bd58
SHA1

d2e1024fe896e61f3256ea1980fbdb34b493e959
SHA256

3ca3364bacc38346dd777c8f90de705fd01c008161c4d1fa149ccf1b6205bbfb
SHA512

9c8818c7694616130318f9b854d09777c6168c7c5d19d83269de4cbb22f6e60da081337bc0bb7eda9c9e52c171bbda1cda3959fa2a7e5001674bdaabc2972afd

Score

10^/10

bitrat modiloader persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

leaflet304.casacam.net:9090

Attributes

communication_password
b4df9f494056d51f86c7f1a89850c467
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Document.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bmxwsw = "C:\\Users\\Public\\Libraries\\wswxmB.url"	Document.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

logagent.exe

pid process

2368 logagent.exe
2368 logagent.exe
2368 logagent.exe
2368 logagent.exe
2368 logagent.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exeDocument.exe

pid process

4188 powershell.exe
4188 powershell.exe
4188 powershell.exe
2672 Document.exe
2672 Document.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exelogagent.exe

description pid process

Token: SeDebugPrivilege 4188 powershell.exe
Token: SeShutdownPrivilege 2368 logagent.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

logagent.exe

pid process

2368 logagent.exe
2368 logagent.exe

pid	process
2368	logagent.exe
2368	logagent.exe
2368	logagent.exe
2368	logagent.exe
2368	logagent.exe

pid	process
4188	powershell.exe
4188	powershell.exe
4188	powershell.exe
2672	Document.exe
2672	Document.exe

description	pid	process
Token: SeDebugPrivilege	4188	powershell.exe
Token: SeShutdownPrivilege	2368	logagent.exe

pid	process
2368	logagent.exe
2368	logagent.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

Document.execmd.execmd.exenet.exe

description	pid	process	target process
PID 2672 wrote to memory of 640	2672	Document.exe	cmd.exe
PID 2672 wrote to memory of 640	2672	Document.exe	cmd.exe
PID 2672 wrote to memory of 640	2672	Document.exe	cmd.exe
PID 640 wrote to memory of 2284	640	cmd.exe	cmd.exe
PID 640 wrote to memory of 2284	640	cmd.exe	cmd.exe
PID 640 wrote to memory of 2284	640	cmd.exe	cmd.exe
PID 2284 wrote to memory of 2520	2284	cmd.exe	net.exe
PID 2284 wrote to memory of 2520	2284	cmd.exe	net.exe
PID 2284 wrote to memory of 2520	2284	cmd.exe	net.exe
PID 2520 wrote to memory of 2676	2520	net.exe	net1.exe
PID 2520 wrote to memory of 2676	2520	net.exe	net1.exe
PID 2520 wrote to memory of 2676	2520	net.exe	net1.exe
PID 2284 wrote to memory of 4188	2284	cmd.exe	powershell.exe
PID 2284 wrote to memory of 4188	2284	cmd.exe	powershell.exe
PID 2284 wrote to memory of 4188	2284	cmd.exe	powershell.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe
PID 2672 wrote to memory of 2368	2672	Document.exe	logagent.exe

C:\Users\Admin\AppData\Local\Temp\Document.exe
"C:\Users\Admin\AppData\Local\Temp\Document.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Bmxwswt.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\BmxwswO.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\net.exe
net session
4⤵
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
5⤵
PID:2676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\SysWOW64\logagent.exe
"C:\Windows\System32\logagent.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\BmxwswO.bat
Filesize
1KB

MD5
df48c09f243ebcc8a165f77a1c2bf889

SHA1
455f7db0adcc2a58d006f1630fb0bd55cd868c07

SHA256
4ef9821678da07138c19405387f3fb95e409fbd461c7b8d847c05075facd63ca

SHA512
735838c7cca953697ded48adfcd037b7f198072a8962f5940ce12e1bb1c7dd8c1f257a829276f5f5456f776f5bd13342222dd6e0dfc8f18a23f464f2c8d8f1cc

Download Submit
C:\Users\Public\Libraries\Bmxwswt.bat
Filesize
55B

MD5
f85c34cc70fa337fe3db0f9d64bc8d67

SHA1
8212dc672f2fb7176935171195d6c6cf2def72d4

SHA256
fc9edc9ae7d9d719bb252658d2143c7458a772e844a80be1b52caf6396bbd9f2

SHA512
48c7c3a976a53f340470576620b5063273d7958fae6f22d98126a6f562b7a62f482aae450b533bc8b439afd35bbf2997d1b952baffd0c2ee3df63bb4397a395d

Download Submit
C:\Users\Public\Libraries\Cdex.bat
Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
memory/640-485-0x0000000000000000-mapping.dmp

Download
memory/2284-499-0x0000000000000000-mapping.dmp

Download
memory/2368-998-0x0000000050480000-0x0000000050864000-memory.dmp

Filesize
3.9MB

Download
memory/2368-996-0x0000000074080000-0x00000000740BA000-memory.dmp

Filesize
232KB

Download
memory/2368-958-0x0000000050480000-0x0000000050864000-memory.dmp

Filesize
3.9MB

Download
memory/2368-921-0x0000000000000000-mapping.dmp

Download
memory/2520-513-0x0000000000000000-mapping.dmp

Download
memory/2672-139-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-156-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-129-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-130-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-131-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-132-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-133-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-134-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-135-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-137-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-136-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-138-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-117-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-140-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-141-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-169-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-143-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-144-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-145-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-147-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-148-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-150-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-151-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-152-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-154-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-155-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-157-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-158-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-159-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-160-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-162-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-161-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-168-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-153-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-149-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-146-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-163-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-164-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-167-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-166-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-165-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-128-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-142-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-170-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-171-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-173-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-172-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-174-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-175-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-176-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-177-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-178-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-180-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-179-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-127-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-126-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-125-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-124-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-123-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-118-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-122-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-119-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-120-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2672-121-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/2676-533-0x0000000000000000-mapping.dmp

Download
memory/4188-642-0x0000000007600000-0x0000000007666000-memory.dmp

Filesize
408KB

Download
memory/4188-665-0x0000000008E70000-0x0000000008E8E000-memory.dmp

Filesize
120KB

Download
memory/4188-644-0x0000000007720000-0x0000000007A70000-memory.dmp

Filesize
3.3MB

Download
memory/4188-648-0x00000000075E0000-0x00000000075FC000-memory.dmp

Filesize
112KB

Download
memory/4188-643-0x0000000006E60000-0x0000000006EC6000-memory.dmp

Filesize
408KB

Download
memory/4188-652-0x0000000008100000-0x0000000008176000-memory.dmp

Filesize
472KB

Download
memory/4188-673-0x0000000008FD0000-0x0000000009075000-memory.dmp

Filesize
660KB

Download
memory/4188-640-0x0000000006F20000-0x0000000006F42000-memory.dmp

Filesize
136KB

Download
memory/4188-649-0x0000000007D00000-0x0000000007D4B000-memory.dmp

Filesize
300KB

Download
memory/4188-677-0x00000000091A0000-0x0000000009234000-memory.dmp

Filesize
592KB

Download
memory/4188-880-0x0000000009130000-0x000000000914A000-memory.dmp

Filesize
104KB

Download
memory/4188-885-0x0000000009120000-0x0000000009128000-memory.dmp

Filesize
32KB

Download
memory/4188-629-0x0000000006F60000-0x0000000007588000-memory.dmp

Filesize
6.2MB

Download
memory/4188-625-0x00000000043E0000-0x0000000004416000-memory.dmp

Filesize
216KB

Download
memory/4188-553-0x0000000000000000-mapping.dmp

Download
memory/4188-664-0x0000000008E90000-0x0000000008EC3000-memory.dmp

Filesize
204KB

Download