bitrat | 9afa8ea8064c15e349caad45d31c18c41349080c4ed1d35fdd3472659736a19b

General

Target

August PO#17526NR2600.exe
Size

463KB
MD5

a59cd30ab95f36253b463cd3ee7b9bbc
SHA1

3db7af3754a358220e1f9d83a97f3846f57e6ace
SHA256

9afa8ea8064c15e349caad45d31c18c41349080c4ed1d35fdd3472659736a19b
SHA512

fa649e81dd7dca0e1937b0c22ffe1a881c3b95160fbe3e272bc89ebabf75632c9d6e2597b9b71db3b7f2fff4a71ea080992aa25c4d80164ed7771a464609a0f7

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

103.153.79.240:1234

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

nm70Nh3yKFl7QC0r.exe

pid process

704 nm70Nh3yKFl7QC0r.exe
Loads dropped DLL 4 IoCs

Processes:

InstallUtil.exe

pid process

1520 InstallUtil.exe
1520 InstallUtil.exe
1520 InstallUtil.exe
1520 InstallUtil.exe

pid	process
704	nm70Nh3yKFl7QC0r.exe

pid	process
1520	InstallUtil.exe
1520	InstallUtil.exe
1520	InstallUtil.exe
1520	InstallUtil.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

August PO#17526NR2600.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\Khzttr = "\"C:\\Users\\Admin\\AppData\\Roaming\\Btfke\\Khzttr.exe\""	August PO#17526NR2600.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

nm70Nh3yKFl7QC0r.exe

pid process

704 nm70Nh3yKFl7QC0r.exe
704 nm70Nh3yKFl7QC0r.exe
704 nm70Nh3yKFl7QC0r.exe
704 nm70Nh3yKFl7QC0r.exe
704 nm70Nh3yKFl7QC0r.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

August PO#17526NR2600.exe

description pid process target process

PID 1800 set thread context of 1520 1800 August PO#17526NR2600.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeAugust PO#17526NR2600.exe

pid process

896 powershell.exe
1800 August PO#17526NR2600.exe
1800 August PO#17526NR2600.exe
1800 August PO#17526NR2600.exe

pid	process
704	nm70Nh3yKFl7QC0r.exe
704	nm70Nh3yKFl7QC0r.exe
704	nm70Nh3yKFl7QC0r.exe
704	nm70Nh3yKFl7QC0r.exe
704	nm70Nh3yKFl7QC0r.exe

description	pid	process	target process
PID 1800 set thread context of 1520	1800	August PO#17526NR2600.exe	InstallUtil.exe

pid	process
896	powershell.exe
1800	August PO#17526NR2600.exe
1800	August PO#17526NR2600.exe
1800	August PO#17526NR2600.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exeAugust PO#17526NR2600.exenm70Nh3yKFl7QC0r.exe

description	pid	process
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	1800	August PO#17526NR2600.exe
Token: SeDebugPrivilege	704	nm70Nh3yKFl7QC0r.exe
Token: SeShutdownPrivilege	704	nm70Nh3yKFl7QC0r.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

nm70Nh3yKFl7QC0r.exe

pid process

704 nm70Nh3yKFl7QC0r.exe
704 nm70Nh3yKFl7QC0r.exe

pid	process
704	nm70Nh3yKFl7QC0r.exe
704	nm70Nh3yKFl7QC0r.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

August PO#17526NR2600.exeInstallUtil.exe

description	pid	process	target process
PID 1800 wrote to memory of 896	1800	August PO#17526NR2600.exe	powershell.exe
PID 1800 wrote to memory of 896	1800	August PO#17526NR2600.exe	powershell.exe
PID 1800 wrote to memory of 896	1800	August PO#17526NR2600.exe	powershell.exe
PID 1800 wrote to memory of 896	1800	August PO#17526NR2600.exe	powershell.exe
PID 1800 wrote to memory of 1984	1800	August PO#17526NR2600.exe	InstallUtil.exe
PID 1800 wrote to memory of 1984	1800	August PO#17526NR2600.exe	InstallUtil.exe
PID 1800 wrote to memory of 1984	1800	August PO#17526NR2600.exe	InstallUtil.exe
PID 1800 wrote to memory of 1984	1800	August PO#17526NR2600.exe	InstallUtil.exe
PID 1800 wrote to memory of 1984	1800	August PO#17526NR2600.exe	InstallUtil.exe
PID 1800 wrote to memory of 1984	1800	August PO#17526NR2600.exe	InstallUtil.exe
PID 1800 wrote to memory of 1984	1800	August PO#17526NR2600.exe	InstallUtil.exe
PID 1800 wrote to memory of 1520	1800	August PO#17526NR2600.exe	InstallUtil.exe
PID 1800 wrote to memory of 1520	1800	August PO#17526NR2600.exe	InstallUtil.exe
PID 1800 wrote to memory of 1520	1800	August PO#17526NR2600.exe	InstallUtil.exe
PID 1800 wrote to memory of 1520	1800	August PO#17526NR2600.exe	InstallUtil.exe
PID 1800 wrote to memory of 1520	1800	August PO#17526NR2600.exe	InstallUtil.exe
PID 1800 wrote to memory of 1520	1800	August PO#17526NR2600.exe	InstallUtil.exe
PID 1800 wrote to memory of 1520	1800	August PO#17526NR2600.exe	InstallUtil.exe
PID 1800 wrote to memory of 1520	1800	August PO#17526NR2600.exe	InstallUtil.exe
PID 1800 wrote to memory of 1520	1800	August PO#17526NR2600.exe	InstallUtil.exe
PID 1800 wrote to memory of 1520	1800	August PO#17526NR2600.exe	InstallUtil.exe
PID 1800 wrote to memory of 1520	1800	August PO#17526NR2600.exe	InstallUtil.exe
PID 1800 wrote to memory of 1520	1800	August PO#17526NR2600.exe	InstallUtil.exe
PID 1800 wrote to memory of 1520	1800	August PO#17526NR2600.exe	InstallUtil.exe
PID 1800 wrote to memory of 1520	1800	August PO#17526NR2600.exe	InstallUtil.exe
PID 1800 wrote to memory of 1520	1800	August PO#17526NR2600.exe	InstallUtil.exe
PID 1520 wrote to memory of 704	1520	InstallUtil.exe	nm70Nh3yKFl7QC0r.exe
PID 1520 wrote to memory of 704	1520	InstallUtil.exe	nm70Nh3yKFl7QC0r.exe
PID 1520 wrote to memory of 704	1520	InstallUtil.exe	nm70Nh3yKFl7QC0r.exe
PID 1520 wrote to memory of 704	1520	InstallUtil.exe	nm70Nh3yKFl7QC0r.exe

C:\Users\Admin\AppData\Local\Temp\August PO#17526NR2600.exe
"C:\Users\Admin\AppData\Local\Temp\August PO#17526NR2600.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\nm70Nh3yKFl7QC0r.exe
    "C:\Users\Admin\AppData\Local\Temp\nm70Nh3yKFl7QC0r.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nm70Nh3yKFl7QC0r.exe

Filesize
3.8MB

MD5
086686330159cbeae2d5c94b25967fa9

SHA1
19f3571b45823fcf1b1c05cdd25f1c98c45c712a

SHA256
f93e5dfa75e3edfabc8bd414b9beaa735ccd8a91b12f9c57bb923aa5c3232e9d

SHA512
9ff98a9211162972fcbb277ce1d5cffea39303a25e7209b8a8a3d7ed0e135630b3dee122323c725022a078c462634b34c82ace4baf3680cedc1865f9c27dbba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nm70Nh3yKFl7QC0r.exe

Filesize
3.8MB

MD5
086686330159cbeae2d5c94b25967fa9

SHA1
19f3571b45823fcf1b1c05cdd25f1c98c45c712a

SHA256
f93e5dfa75e3edfabc8bd414b9beaa735ccd8a91b12f9c57bb923aa5c3232e9d

SHA512
9ff98a9211162972fcbb277ce1d5cffea39303a25e7209b8a8a3d7ed0e135630b3dee122323c725022a078c462634b34c82ace4baf3680cedc1865f9c27dbba5

Download Submit
\Users\Admin\AppData\Local\Temp\nm70Nh3yKFl7QC0r.exe

Filesize
3.8MB

MD5
086686330159cbeae2d5c94b25967fa9

SHA1
19f3571b45823fcf1b1c05cdd25f1c98c45c712a

SHA256
f93e5dfa75e3edfabc8bd414b9beaa735ccd8a91b12f9c57bb923aa5c3232e9d

SHA512
9ff98a9211162972fcbb277ce1d5cffea39303a25e7209b8a8a3d7ed0e135630b3dee122323c725022a078c462634b34c82ace4baf3680cedc1865f9c27dbba5

Download Submit
\Users\Admin\AppData\Local\Temp\nm70Nh3yKFl7QC0r.exe

Filesize
3.8MB

MD5
086686330159cbeae2d5c94b25967fa9

SHA1
19f3571b45823fcf1b1c05cdd25f1c98c45c712a

SHA256
f93e5dfa75e3edfabc8bd414b9beaa735ccd8a91b12f9c57bb923aa5c3232e9d

SHA512
9ff98a9211162972fcbb277ce1d5cffea39303a25e7209b8a8a3d7ed0e135630b3dee122323c725022a078c462634b34c82ace4baf3680cedc1865f9c27dbba5

Download Submit
\Users\Admin\AppData\Local\Temp\nm70Nh3yKFl7QC0r.exe

Filesize
3.8MB

MD5
086686330159cbeae2d5c94b25967fa9

SHA1
19f3571b45823fcf1b1c05cdd25f1c98c45c712a

SHA256
f93e5dfa75e3edfabc8bd414b9beaa735ccd8a91b12f9c57bb923aa5c3232e9d

SHA512
9ff98a9211162972fcbb277ce1d5cffea39303a25e7209b8a8a3d7ed0e135630b3dee122323c725022a078c462634b34c82ace4baf3680cedc1865f9c27dbba5

Download Submit
\Users\Admin\AppData\Local\Temp\nm70Nh3yKFl7QC0r.exe

Filesize
3.8MB

MD5
086686330159cbeae2d5c94b25967fa9

SHA1
19f3571b45823fcf1b1c05cdd25f1c98c45c712a

SHA256
f93e5dfa75e3edfabc8bd414b9beaa735ccd8a91b12f9c57bb923aa5c3232e9d

SHA512
9ff98a9211162972fcbb277ce1d5cffea39303a25e7209b8a8a3d7ed0e135630b3dee122323c725022a078c462634b34c82ace4baf3680cedc1865f9c27dbba5

Download Submit
memory/704-91-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/704-90-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/704-89-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/704-88-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/704-83-0x0000000000000000-mapping.dmp

Download
memory/896-62-0x000000006EB60000-0x000000006F10B000-memory.dmp

Filesize
5.7MB

Download
memory/896-61-0x000000006EB60000-0x000000006F10B000-memory.dmp

Filesize
5.7MB

Download
memory/896-58-0x0000000000000000-mapping.dmp

Download
memory/896-60-0x000000006EB60000-0x000000006F10B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-66-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1520-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1520-77-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1520-78-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1520-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1520-69-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1520-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1520-73-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1520-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1520-85-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1520-74-0x000000000040AE9E-mapping.dmp

Download
memory/1520-70-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1800-54-0x00000000003C0000-0x000000000043A000-memory.dmp

Filesize
488KB

Download
memory/1800-57-0x0000000076291000-0x0000000076293000-memory.dmp

Filesize
8KB

Download
memory/1800-56-0x0000000002160000-0x00000000021F2000-memory.dmp

Filesize
584KB

Download
memory/1800-55-0x0000000001F40000-0x0000000001FB4000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads