bitrat | 707ce4ec41a0a919739998e1260e50eb8eca2808ee69df64b07a5e985d1068ad

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2022 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.4MB
MD5

44e041dc2e445fcd33cc89b8453d0539
SHA1

99faf5ac243f30d7041e7018f41490023b552f60
SHA256

707ce4ec41a0a919739998e1260e50eb8eca2808ee69df64b07a5e985d1068ad
SHA512

893019fd4b969250464a551bdeb0fc050da5bc82f1680b5ef116e8cc43b2e0b4088ec351f91d0d4b379ffd61fb32a02a34ea11fb94ca35fc4ed064dda021bf18

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

trotox.duckdns.org:55441

Attributes

communication_password
4b49ee1f55b1900518dfb23fd2d7c702
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4120-132-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4120-134-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

tmp.exe

pid process

4120 tmp.exe
4120 tmp.exe
4120 tmp.exe
4120 tmp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tmp.exe

description pid process

Token: SeShutdownPrivilege 4120 tmp.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

tmp.exe

pid process

4120 tmp.exe
4120 tmp.exe

pid	process
4120	tmp.exe
4120	tmp.exe
4120	tmp.exe
4120	tmp.exe

description	pid	process
Token: SeShutdownPrivilege	4120	tmp.exe

pid	process
4120	tmp.exe
4120	tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4120-132-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4120-133-0x0000000074540000-0x0000000074579000-memory.dmp

Filesize
228KB

Download
memory/4120-134-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4120-135-0x00000000748C0000-0x00000000748F9000-memory.dmp

Filesize
228KB

Download
memory/4120-136-0x00000000748C0000-0x00000000748F9000-memory.dmp

Filesize
228KB

Download
memory/4120-137-0x00000000748C0000-0x00000000748F9000-memory.dmp

Filesize
228KB

Download
memory/4120-138-0x00000000748C0000-0x00000000748F9000-memory.dmp

Filesize
228KB

Download
memory/4120-139-0x00000000748C0000-0x00000000748F9000-memory.dmp

Filesize
228KB

Download
memory/4120-140-0x00000000748C0000-0x00000000748F9000-memory.dmp

Filesize
228KB

Download
memory/4120-141-0x00000000748C0000-0x00000000748F9000-memory.dmp

Filesize
228KB

Download
memory/4120-142-0x00000000748C0000-0x00000000748F9000-memory.dmp

Filesize
228KB

Download
memory/4120-143-0x00000000748C0000-0x00000000748F9000-memory.dmp

Filesize
228KB

Download
memory/4120-144-0x00000000748C0000-0x00000000748F9000-memory.dmp

Filesize
228KB

Download
memory/4120-145-0x00000000748C0000-0x00000000748F9000-memory.dmp

Filesize
228KB

Download
memory/4120-146-0x00000000748C0000-0x00000000748F9000-memory.dmp

Filesize
228KB

Download
memory/4120-147-0x00000000748C0000-0x00000000748F9000-memory.dmp

Filesize
228KB

Download
memory/4120-148-0x00000000748C0000-0x00000000748F9000-memory.dmp

Filesize
228KB

Download