bitrat | 23f0dcf06d4c4a7354f3e7f013022ed26afa823556e444054c1b0b4aec0bce78

General

Target

tmpbg_av_60.exe
Size

1.7MB
MD5

fad1b418110d37814930646d24ab4239
SHA1

f39606e98088b8e3e6d3707954c53385caf7f88a
SHA256

23f0dcf06d4c4a7354f3e7f013022ed26afa823556e444054c1b0b4aec0bce78
SHA512

d8c147683a4728383e80565ce538a0f12ad3191928158c33a65dfd6896e9ac33c58715fb199a88341ee206c6b85d18e7325d55616ebbbcc3c691c0f7f1344b97

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

kot-pandora.duckdns.org:24993

Attributes

communication_password
d6723e7cd6735df68d1ce4c704c29a04
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 1 IoCs

Processes:

rewfv.exe

pid process

552 rewfv.exe

pid	process
552	rewfv.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1192-59-0x0000000000430000-0x0000000000814000-memory.dmp	upx
behavioral1/memory/1192-62-0x0000000000430000-0x0000000000814000-memory.dmp	upx
behavioral1/memory/1192-63-0x0000000000430000-0x0000000000814000-memory.dmp	upx
behavioral1/memory/1192-67-0x0000000000430000-0x0000000000814000-memory.dmp	upx
behavioral1/memory/1192-71-0x0000000000430000-0x0000000000814000-memory.dmp	upx
behavioral1/memory/1192-77-0x0000000000430000-0x0000000000814000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

RegAsm.exe

pid process

1192 RegAsm.exe
1192 RegAsm.exe
1192 RegAsm.exe
1192 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmpbg_av_60.exe

description pid process target process

PID 640 set thread context of 1192 640 tmpbg_av_60.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1176 schtasks.exe

pid	process
1192	RegAsm.exe
1192	RegAsm.exe
1192	RegAsm.exe
1192	RegAsm.exe

description	pid	process	target process
PID 640 set thread context of 1192	640	tmpbg_av_60.exe	RegAsm.exe

pid	process
1176	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tmpbg_av_60.exeRegAsm.exerewfv.exe

description	pid	process
Token: SeDebugPrivilege	640	tmpbg_av_60.exe
Token: SeDebugPrivilege	1192	RegAsm.exe
Token: SeShutdownPrivilege	1192	RegAsm.exe
Token: SeDebugPrivilege	552	rewfv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

1192 RegAsm.exe
1192 RegAsm.exe

pid	process
1192	RegAsm.exe
1192	RegAsm.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

tmpbg_av_60.execmd.exetaskeng.exe

description	pid	process	target process
PID 640 wrote to memory of 1192	640	tmpbg_av_60.exe	RegAsm.exe
PID 640 wrote to memory of 1192	640	tmpbg_av_60.exe	RegAsm.exe
PID 640 wrote to memory of 1192	640	tmpbg_av_60.exe	RegAsm.exe
PID 640 wrote to memory of 1192	640	tmpbg_av_60.exe	RegAsm.exe
PID 640 wrote to memory of 1192	640	tmpbg_av_60.exe	RegAsm.exe
PID 640 wrote to memory of 1192	640	tmpbg_av_60.exe	RegAsm.exe
PID 640 wrote to memory of 1192	640	tmpbg_av_60.exe	RegAsm.exe
PID 640 wrote to memory of 1192	640	tmpbg_av_60.exe	RegAsm.exe
PID 640 wrote to memory of 1192	640	tmpbg_av_60.exe	RegAsm.exe
PID 640 wrote to memory of 1192	640	tmpbg_av_60.exe	RegAsm.exe
PID 640 wrote to memory of 1192	640	tmpbg_av_60.exe	RegAsm.exe
PID 640 wrote to memory of 956	640	tmpbg_av_60.exe	cmd.exe
PID 640 wrote to memory of 956	640	tmpbg_av_60.exe	cmd.exe
PID 640 wrote to memory of 956	640	tmpbg_av_60.exe	cmd.exe
PID 640 wrote to memory of 956	640	tmpbg_av_60.exe	cmd.exe
PID 956 wrote to memory of 1176	956	cmd.exe	schtasks.exe
PID 956 wrote to memory of 1176	956	cmd.exe	schtasks.exe
PID 956 wrote to memory of 1176	956	cmd.exe	schtasks.exe
PID 956 wrote to memory of 1176	956	cmd.exe	schtasks.exe
PID 640 wrote to memory of 1180	640	tmpbg_av_60.exe	cmd.exe
PID 640 wrote to memory of 1180	640	tmpbg_av_60.exe	cmd.exe
PID 640 wrote to memory of 1180	640	tmpbg_av_60.exe	cmd.exe
PID 640 wrote to memory of 1180	640	tmpbg_av_60.exe	cmd.exe
PID 1484 wrote to memory of 552	1484	taskeng.exe	rewfv.exe
PID 1484 wrote to memory of 552	1484	taskeng.exe	rewfv.exe
PID 1484 wrote to memory of 552	1484	taskeng.exe	rewfv.exe
PID 1484 wrote to memory of 552	1484	taskeng.exe	rewfv.exe
PID 1484 wrote to memory of 552	1484	taskeng.exe	rewfv.exe
PID 1484 wrote to memory of 552	1484	taskeng.exe	rewfv.exe
PID 1484 wrote to memory of 552	1484	taskeng.exe	rewfv.exe

C:\Users\Admin\AppData\Local\Temp\tmpbg_av_60.exe
"C:\Users\Admin\AppData\Local\Temp\tmpbg_av_60.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1192

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\rewfv\rewfv.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\rewfv\rewfv.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1176

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\tmpbg_av_60.exe" "C:\Users\Admin\AppData\Roaming\rewfv\rewfv.exe"
2⤵
PID:1180

C:\Windows\system32\taskeng.exe
taskeng.exe {D1A42229-8757-4180-AAEE-C880A2EAB396} S-1-5-21-4084403625-2215941253-1760665084-1000:LDLTPJLN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\Roaming\rewfv\rewfv.exe
C:\Users\Admin\AppData\Roaming\rewfv\rewfv.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\rewfv\rewfv.exe
Filesize
1.7MB

MD5
fad1b418110d37814930646d24ab4239

SHA1
f39606e98088b8e3e6d3707954c53385caf7f88a

SHA256
23f0dcf06d4c4a7354f3e7f013022ed26afa823556e444054c1b0b4aec0bce78

SHA512
d8c147683a4728383e80565ce538a0f12ad3191928158c33a65dfd6896e9ac33c58715fb199a88341ee206c6b85d18e7325d55616ebbbcc3c691c0f7f1344b97

Download Submit
C:\Users\Admin\AppData\Roaming\rewfv\rewfv.exe
Filesize
1.7MB

MD5
fad1b418110d37814930646d24ab4239

SHA1
f39606e98088b8e3e6d3707954c53385caf7f88a

SHA256
23f0dcf06d4c4a7354f3e7f013022ed26afa823556e444054c1b0b4aec0bce78

SHA512
d8c147683a4728383e80565ce538a0f12ad3191928158c33a65dfd6896e9ac33c58715fb199a88341ee206c6b85d18e7325d55616ebbbcc3c691c0f7f1344b97

Download Submit
memory/552-75-0x0000000001130000-0x00000000012F0000-memory.dmp

Filesize
1.8MB

Download
memory/552-73-0x0000000000000000-mapping.dmp

Download
memory/640-55-0x0000000076921000-0x0000000076923000-memory.dmp

Filesize
8KB

Download
memory/640-54-0x0000000000C90000-0x0000000000E50000-memory.dmp

Filesize
1.8MB

Download
memory/956-64-0x0000000000000000-mapping.dmp

Download
memory/1176-68-0x0000000000000000-mapping.dmp

Download
memory/1180-70-0x0000000000000000-mapping.dmp

Download
memory/1192-61-0x00000000007E2740-mapping.dmp

Download
memory/1192-67-0x0000000000430000-0x0000000000814000-memory.dmp

Filesize
3.9MB

Download
memory/1192-71-0x0000000000430000-0x0000000000814000-memory.dmp

Filesize
3.9MB

Download
memory/1192-63-0x0000000000430000-0x0000000000814000-memory.dmp

Filesize
3.9MB

Download
memory/1192-62-0x0000000000430000-0x0000000000814000-memory.dmp

Filesize
3.9MB

Download
memory/1192-59-0x0000000000430000-0x0000000000814000-memory.dmp

Filesize
3.9MB

Download
memory/1192-57-0x00000000006A2000-0x0000000000813000-memory.dmp

Filesize
1.4MB

Download
memory/1192-77-0x0000000000430000-0x0000000000814000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads