bitrat | 4af0df4c6e52c90d6bdca52fed0a6b0b91f1f1c8a1ea03423c21b561a0d7e1fb

General

Target

SPALOKSIUJAHYDRS.exe
Size

300.0MB
MD5

3d5164f658be6404df30aafb7e35bcfb
SHA1

2505d715093103eda2cff86f8328e32b75462242
SHA256

d8556549bce64ee0047c08b7326b609a8a406981749575320b89ef47cc9678f4
SHA512

f5e1ae28040781c05ebbdd37ee4f340c0b7bf27f4c97006fc9a150bdc7e1905081c9e416bf915da33377a22e6eb54b416b0cc6fa1af14212ca558db11cea9cc9

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 2 IoCs

Processes:

jnhygtfr.exejnhygtfr.exe

pid process

1280 jnhygtfr.exe
1696 jnhygtfr.exe

pid	process
1280	jnhygtfr.exe
1696	jnhygtfr.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/828-60-0x0000000000590000-0x0000000000974000-memory.dmp	upx
behavioral1/memory/828-62-0x0000000000590000-0x0000000000974000-memory.dmp	upx
behavioral1/memory/828-65-0x0000000000590000-0x0000000000974000-memory.dmp	upx
behavioral1/memory/828-66-0x0000000000590000-0x0000000000974000-memory.dmp	upx
behavioral1/memory/828-69-0x0000000000590000-0x0000000000974000-memory.dmp	upx
behavioral1/memory/828-72-0x0000000000590000-0x0000000000974000-memory.dmp	upx
behavioral1/memory/1552-90-0x00000000006A0000-0x0000000000A84000-memory.dmp	upx
behavioral1/memory/1552-89-0x00000000006A0000-0x0000000000A84000-memory.dmp	upx
behavioral1/memory/1552-93-0x00000000006A0000-0x0000000000A84000-memory.dmp	upx
behavioral1/memory/1552-94-0x00000000006A0000-0x0000000000A84000-memory.dmp	upx
behavioral1/memory/1296-108-0x00000000007E0000-0x0000000000BC4000-memory.dmp	upx
behavioral1/memory/1296-109-0x00000000007E0000-0x0000000000BC4000-memory.dmp	upx
behavioral1/memory/1296-110-0x00000000007E0000-0x0000000000BC4000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

vbc.exevbc.exe

pid process

828 vbc.exe
828 vbc.exe
828 vbc.exe
828 vbc.exe
828 vbc.exe
1552 vbc.exe

pid	process
828	vbc.exe
828	vbc.exe
828	vbc.exe
828	vbc.exe
828	vbc.exe
1552	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

SPALOKSIUJAHYDRS.exejnhygtfr.exejnhygtfr.exe

description	pid	process	target process
PID 544 set thread context of 828	544	SPALOKSIUJAHYDRS.exe	vbc.exe
PID 1280 set thread context of 1552	1280	jnhygtfr.exe	vbc.exe
PID 1696 set thread context of 1296	1696	jnhygtfr.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1456 schtasks.exe
1644 schtasks.exe
1708 schtasks.exe

pid	process
1456	schtasks.exe
1644	schtasks.exe
1708	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	828	vbc.exe
Token: SeShutdownPrivilege	828	vbc.exe
Token: SeDebugPrivilege	1552	vbc.exe
Token: SeShutdownPrivilege	1552	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vbc.exe

pid process

828 vbc.exe
828 vbc.exe

pid	process
828	vbc.exe
828	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SPALOKSIUJAHYDRS.execmd.exetaskeng.exejnhygtfr.execmd.exejnhygtfr.execmd.exe

description	pid	process	target process
PID 544 wrote to memory of 1772	544	SPALOKSIUJAHYDRS.exe	cmd.exe
PID 544 wrote to memory of 1772	544	SPALOKSIUJAHYDRS.exe	cmd.exe
PID 544 wrote to memory of 1772	544	SPALOKSIUJAHYDRS.exe	cmd.exe
PID 544 wrote to memory of 1772	544	SPALOKSIUJAHYDRS.exe	cmd.exe
PID 1772 wrote to memory of 1456	1772	cmd.exe	schtasks.exe
PID 1772 wrote to memory of 1456	1772	cmd.exe	schtasks.exe
PID 1772 wrote to memory of 1456	1772	cmd.exe	schtasks.exe
PID 1772 wrote to memory of 1456	1772	cmd.exe	schtasks.exe
PID 544 wrote to memory of 984	544	SPALOKSIUJAHYDRS.exe	cmd.exe
PID 544 wrote to memory of 984	544	SPALOKSIUJAHYDRS.exe	cmd.exe
PID 544 wrote to memory of 984	544	SPALOKSIUJAHYDRS.exe	cmd.exe
PID 544 wrote to memory of 984	544	SPALOKSIUJAHYDRS.exe	cmd.exe
PID 544 wrote to memory of 828	544	SPALOKSIUJAHYDRS.exe	vbc.exe
PID 544 wrote to memory of 828	544	SPALOKSIUJAHYDRS.exe	vbc.exe
PID 544 wrote to memory of 828	544	SPALOKSIUJAHYDRS.exe	vbc.exe
PID 544 wrote to memory of 828	544	SPALOKSIUJAHYDRS.exe	vbc.exe
PID 544 wrote to memory of 828	544	SPALOKSIUJAHYDRS.exe	vbc.exe
PID 544 wrote to memory of 828	544	SPALOKSIUJAHYDRS.exe	vbc.exe
PID 544 wrote to memory of 828	544	SPALOKSIUJAHYDRS.exe	vbc.exe
PID 544 wrote to memory of 828	544	SPALOKSIUJAHYDRS.exe	vbc.exe
PID 1888 wrote to memory of 1280	1888	taskeng.exe	jnhygtfr.exe
PID 1888 wrote to memory of 1280	1888	taskeng.exe	jnhygtfr.exe
PID 1888 wrote to memory of 1280	1888	taskeng.exe	jnhygtfr.exe
PID 1888 wrote to memory of 1280	1888	taskeng.exe	jnhygtfr.exe
PID 1280 wrote to memory of 284	1280	jnhygtfr.exe	cmd.exe
PID 1280 wrote to memory of 284	1280	jnhygtfr.exe	cmd.exe
PID 1280 wrote to memory of 284	1280	jnhygtfr.exe	cmd.exe
PID 1280 wrote to memory of 284	1280	jnhygtfr.exe	cmd.exe
PID 1280 wrote to memory of 1584	1280	jnhygtfr.exe	cmd.exe
PID 1280 wrote to memory of 1584	1280	jnhygtfr.exe	cmd.exe
PID 1280 wrote to memory of 1584	1280	jnhygtfr.exe	cmd.exe
PID 1280 wrote to memory of 1584	1280	jnhygtfr.exe	cmd.exe
PID 284 wrote to memory of 1644	284	cmd.exe	schtasks.exe
PID 284 wrote to memory of 1644	284	cmd.exe	schtasks.exe
PID 284 wrote to memory of 1644	284	cmd.exe	schtasks.exe
PID 284 wrote to memory of 1644	284	cmd.exe	schtasks.exe
PID 1280 wrote to memory of 1552	1280	jnhygtfr.exe	vbc.exe
PID 1280 wrote to memory of 1552	1280	jnhygtfr.exe	vbc.exe
PID 1280 wrote to memory of 1552	1280	jnhygtfr.exe	vbc.exe
PID 1280 wrote to memory of 1552	1280	jnhygtfr.exe	vbc.exe
PID 1280 wrote to memory of 1552	1280	jnhygtfr.exe	vbc.exe
PID 1280 wrote to memory of 1552	1280	jnhygtfr.exe	vbc.exe
PID 1280 wrote to memory of 1552	1280	jnhygtfr.exe	vbc.exe
PID 1280 wrote to memory of 1552	1280	jnhygtfr.exe	vbc.exe
PID 1888 wrote to memory of 1696	1888	taskeng.exe	jnhygtfr.exe
PID 1888 wrote to memory of 1696	1888	taskeng.exe	jnhygtfr.exe
PID 1888 wrote to memory of 1696	1888	taskeng.exe	jnhygtfr.exe
PID 1888 wrote to memory of 1696	1888	taskeng.exe	jnhygtfr.exe
PID 1696 wrote to memory of 1756	1696	jnhygtfr.exe	cmd.exe
PID 1696 wrote to memory of 1756	1696	jnhygtfr.exe	cmd.exe
PID 1696 wrote to memory of 1756	1696	jnhygtfr.exe	cmd.exe
PID 1696 wrote to memory of 1756	1696	jnhygtfr.exe	cmd.exe
PID 1696 wrote to memory of 1204	1696	jnhygtfr.exe	cmd.exe
PID 1696 wrote to memory of 1204	1696	jnhygtfr.exe	cmd.exe
PID 1696 wrote to memory of 1204	1696	jnhygtfr.exe	cmd.exe
PID 1696 wrote to memory of 1204	1696	jnhygtfr.exe	cmd.exe
PID 1756 wrote to memory of 1708	1756	cmd.exe	schtasks.exe
PID 1756 wrote to memory of 1708	1756	cmd.exe	schtasks.exe
PID 1756 wrote to memory of 1708	1756	cmd.exe	schtasks.exe
PID 1756 wrote to memory of 1708	1756	cmd.exe	schtasks.exe
PID 1696 wrote to memory of 1296	1696	jnhygtfr.exe	vbc.exe
PID 1696 wrote to memory of 1296	1696	jnhygtfr.exe	vbc.exe
PID 1696 wrote to memory of 1296	1696	jnhygtfr.exe	vbc.exe
PID 1696 wrote to memory of 1296	1696	jnhygtfr.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\SPALOKSIUJAHYDRS.exe
"C:\Users\Admin\AppData\Local\Temp\SPALOKSIUJAHYDRS.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jnhygtfr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jnhygtfr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1456

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\SPALOKSIUJAHYDRS.exe" "C:\Users\Admin\AppData\Roaming\jnhygtfr.exe"
2⤵
PID:984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:828

C:\Windows\system32\taskeng.exe
taskeng.exe {1903D993-D6F2-4569-854B-6908E14DB466} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Roaming\jnhygtfr.exe
C:\Users\Admin\AppData\Roaming\jnhygtfr.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jnhygtfr.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:284

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jnhygtfr.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1644

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\jnhygtfr.exe" "C:\Users\Admin\AppData\Roaming\jnhygtfr.exe"
3⤵
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Users\Admin\AppData\Roaming\jnhygtfr.exe
C:\Users\Admin\AppData\Roaming\jnhygtfr.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jnhygtfr.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jnhygtfr.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1708

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\jnhygtfr.exe" "C:\Users\Admin\AppData\Roaming\jnhygtfr.exe"
3⤵
PID:1204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\jnhygtfr.exe
Filesize
300.0MB

MD5
3d5164f658be6404df30aafb7e35bcfb

SHA1
2505d715093103eda2cff86f8328e32b75462242

SHA256
d8556549bce64ee0047c08b7326b609a8a406981749575320b89ef47cc9678f4

SHA512
f5e1ae28040781c05ebbdd37ee4f340c0b7bf27f4c97006fc9a150bdc7e1905081c9e416bf915da33377a22e6eb54b416b0cc6fa1af14212ca558db11cea9cc9

Download Submit
C:\Users\Admin\AppData\Roaming\jnhygtfr.exe
Filesize
300.0MB

MD5
3d5164f658be6404df30aafb7e35bcfb

SHA1
2505d715093103eda2cff86f8328e32b75462242

SHA256
d8556549bce64ee0047c08b7326b609a8a406981749575320b89ef47cc9678f4

SHA512
f5e1ae28040781c05ebbdd37ee4f340c0b7bf27f4c97006fc9a150bdc7e1905081c9e416bf915da33377a22e6eb54b416b0cc6fa1af14212ca558db11cea9cc9

Download Submit
C:\Users\Admin\AppData\Roaming\jnhygtfr.exe
Filesize
300.0MB

MD5
3d5164f658be6404df30aafb7e35bcfb

SHA1
2505d715093103eda2cff86f8328e32b75462242

SHA256
d8556549bce64ee0047c08b7326b609a8a406981749575320b89ef47cc9678f4

SHA512
f5e1ae28040781c05ebbdd37ee4f340c0b7bf27f4c97006fc9a150bdc7e1905081c9e416bf915da33377a22e6eb54b416b0cc6fa1af14212ca558db11cea9cc9

Download Submit
memory/284-80-0x0000000000000000-mapping.dmp

Download
memory/544-55-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/544-54-0x0000000000B60000-0x0000000000CEC000-memory.dmp

Filesize
1.5MB

Download
memory/828-71-0x0000000000140000-0x000000000014A000-memory.dmp

Filesize
40KB

Download
memory/828-64-0x00000000007E2730-mapping.dmp

Download
memory/828-65-0x0000000000590000-0x0000000000974000-memory.dmp

Filesize
3.9MB

Download
memory/828-66-0x0000000000590000-0x0000000000974000-memory.dmp

Filesize
3.9MB

Download
memory/828-69-0x0000000000590000-0x0000000000974000-memory.dmp

Filesize
3.9MB

Download
memory/828-70-0x0000000000140000-0x000000000014A000-memory.dmp

Filesize
40KB

Download
memory/828-62-0x0000000000590000-0x0000000000974000-memory.dmp

Filesize
3.9MB

Download
memory/828-72-0x0000000000590000-0x0000000000974000-memory.dmp

Filesize
3.9MB

Download
memory/828-73-0x0000000000140000-0x000000000014A000-memory.dmp

Filesize
40KB

Download
memory/828-74-0x0000000000140000-0x000000000014A000-memory.dmp

Filesize
40KB

Download
memory/828-60-0x0000000000590000-0x0000000000974000-memory.dmp

Filesize
3.9MB

Download
memory/984-58-0x0000000000000000-mapping.dmp

Download
memory/1204-100-0x0000000000000000-mapping.dmp

Download
memory/1280-76-0x0000000000000000-mapping.dmp

Download
memory/1280-78-0x0000000000310000-0x000000000049C000-memory.dmp

Filesize
1.5MB

Download
memory/1296-110-0x00000000007E0000-0x0000000000BC4000-memory.dmp

Filesize
3.9MB

Download
memory/1296-109-0x00000000007E0000-0x0000000000BC4000-memory.dmp

Filesize
3.9MB

Download
memory/1296-108-0x00000000007E0000-0x0000000000BC4000-memory.dmp

Filesize
3.9MB

Download
memory/1296-107-0x00000000007E2730-mapping.dmp

Download
memory/1456-57-0x0000000000000000-mapping.dmp

Download
memory/1552-89-0x00000000006A0000-0x0000000000A84000-memory.dmp

Filesize
3.9MB

Download
memory/1552-94-0x00000000006A0000-0x0000000000A84000-memory.dmp

Filesize
3.9MB

Download
memory/1552-93-0x00000000006A0000-0x0000000000A84000-memory.dmp

Filesize
3.9MB

Download
memory/1552-88-0x00000000007E2730-mapping.dmp

Download
memory/1552-90-0x00000000006A0000-0x0000000000A84000-memory.dmp

Filesize
3.9MB

Download
memory/1584-81-0x0000000000000000-mapping.dmp

Download
memory/1644-82-0x0000000000000000-mapping.dmp

Download
memory/1696-95-0x0000000000000000-mapping.dmp

Download
memory/1696-97-0x00000000001A0000-0x000000000032C000-memory.dmp

Filesize
1.5MB

Download
memory/1708-101-0x0000000000000000-mapping.dmp

Download
memory/1756-99-0x0000000000000000-mapping.dmp

Download
memory/1772-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads