bitrat | bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3

General

Target

21f894391eaac76010275132312ac5c8.exe
Size

1.4MB
MD5

21f894391eaac76010275132312ac5c8
SHA1

c2f20f6d6a8881ddd0ac04f9d87a11d2e9a817f3
SHA256

bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3
SHA512

7cdd5fdfb40027a6c6fd5a6dbb0621a29dd183d318be6d203bca51b699c3e26219a4910cfc1ceaaa2183103577eb86e1fb84426e6b8a6f07127abb72bf36244e

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

trotox.duckdns.org:55441

Attributes

communication_password
4b49ee1f55b1900518dfb23fd2d7c702
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4260-132-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4260-135-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4260-141-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3728-143-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3708-144-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

21f894391eaac76010275132312ac5c8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	21f894391eaac76010275132312ac5c8.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

21f894391eaac76010275132312ac5c8.exe21f894391eaac76010275132312ac5c8.exe21f894391eaac76010275132312ac5c8.exe

pid	process
4260	21f894391eaac76010275132312ac5c8.exe
4260	21f894391eaac76010275132312ac5c8.exe
4260	21f894391eaac76010275132312ac5c8.exe
4260	21f894391eaac76010275132312ac5c8.exe
4260	21f894391eaac76010275132312ac5c8.exe
3708	21f894391eaac76010275132312ac5c8.exe
3728	21f894391eaac76010275132312ac5c8.exe
3708	21f894391eaac76010275132312ac5c8.exe
3708	21f894391eaac76010275132312ac5c8.exe
3708	21f894391eaac76010275132312ac5c8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 12 IoCs

Processes:

21f894391eaac76010275132312ac5c8.exe21f894391eaac76010275132312ac5c8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\21f894391eaac76010275132312ac5c8.exe -wdkill"	21f894391eaac76010275132312ac5c8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\21f894391eaac76010275132312ac5c8.exe -prs 4260䌀"	21f894391eaac76010275132312ac5c8.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command	21f894391eaac76010275132312ac5c8.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	21f894391eaac76010275132312ac5c8.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell	21f894391eaac76010275132312ac5c8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\21f894391eaac76010275132312ac5c8.exe -uac 4260䌀"	21f894391eaac76010275132312ac5c8.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open	21f894391eaac76010275132312ac5c8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command\DelegateExecute	21f894391eaac76010275132312ac5c8.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open	21f894391eaac76010275132312ac5c8.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell	21f894391eaac76010275132312ac5c8.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command	21f894391eaac76010275132312ac5c8.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	21f894391eaac76010275132312ac5c8.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

21f894391eaac76010275132312ac5c8.exe21f894391eaac76010275132312ac5c8.exe21f894391eaac76010275132312ac5c8.exe

description	pid	process
Token: SeShutdownPrivilege	4260	21f894391eaac76010275132312ac5c8.exe
Token: SeDebugPrivilege	3708	21f894391eaac76010275132312ac5c8.exe
Token: SeDebugPrivilege	3728	21f894391eaac76010275132312ac5c8.exe
Token: SeShutdownPrivilege	3708	21f894391eaac76010275132312ac5c8.exe
Token: SeShutdownPrivilege	3728	21f894391eaac76010275132312ac5c8.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

21f894391eaac76010275132312ac5c8.exe21f894391eaac76010275132312ac5c8.exe

pid	process
4260	21f894391eaac76010275132312ac5c8.exe
4260	21f894391eaac76010275132312ac5c8.exe
3708	21f894391eaac76010275132312ac5c8.exe
3708	21f894391eaac76010275132312ac5c8.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

21f894391eaac76010275132312ac5c8.exefodhelper.exefodhelper.exe

description	pid	process	target process
PID 4260 wrote to memory of 5032	4260	21f894391eaac76010275132312ac5c8.exe	fodhelper.exe
PID 4260 wrote to memory of 5032	4260	21f894391eaac76010275132312ac5c8.exe	fodhelper.exe
PID 4260 wrote to memory of 4416	4260	21f894391eaac76010275132312ac5c8.exe	fodhelper.exe
PID 4260 wrote to memory of 4416	4260	21f894391eaac76010275132312ac5c8.exe	fodhelper.exe
PID 4260 wrote to memory of 1116	4260	21f894391eaac76010275132312ac5c8.exe	fodhelper.exe
PID 4260 wrote to memory of 1116	4260	21f894391eaac76010275132312ac5c8.exe	fodhelper.exe
PID 5032 wrote to memory of 3708	5032	fodhelper.exe	21f894391eaac76010275132312ac5c8.exe
PID 5032 wrote to memory of 3708	5032	fodhelper.exe	21f894391eaac76010275132312ac5c8.exe
PID 5032 wrote to memory of 3708	5032	fodhelper.exe	21f894391eaac76010275132312ac5c8.exe
PID 4416 wrote to memory of 3728	4416	fodhelper.exe	21f894391eaac76010275132312ac5c8.exe
PID 4416 wrote to memory of 3728	4416	fodhelper.exe	21f894391eaac76010275132312ac5c8.exe
PID 4416 wrote to memory of 3728	4416	fodhelper.exe	21f894391eaac76010275132312ac5c8.exe

C:\Users\Admin\AppData\Local\Temp\21f894391eaac76010275132312ac5c8.exe
"C:\Users\Admin\AppData\Local\Temp\21f894391eaac76010275132312ac5c8.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5032

C:\Users\Admin\AppData\Local\Temp\21f894391eaac76010275132312ac5c8.exe
"C:\Users\Admin\AppData\Local\Temp\21f894391eaac76010275132312ac5c8.exe" -prs 4260
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3708

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4416

C:\Users\Admin\AppData\Local\Temp\21f894391eaac76010275132312ac5c8.exe
"C:\Users\Admin\AppData\Local\Temp\21f894391eaac76010275132312ac5c8.exe" -prs 4260
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
2⤵
PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1116-138-0x0000000000000000-mapping.dmp

Download
memory/3708-144-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3708-139-0x0000000000000000-mapping.dmp

Download
memory/3728-143-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3728-140-0x0000000000000000-mapping.dmp

Download
memory/4260-135-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4260-132-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4260-141-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4260-142-0x00000000750C0000-0x00000000750F9000-memory.dmp

Filesize
228KB

Download
memory/4260-134-0x0000000075440000-0x0000000075479000-memory.dmp

Filesize
228KB

Download
memory/4260-133-0x00000000750C0000-0x00000000750F9000-memory.dmp

Filesize
228KB

Download
memory/4416-137-0x0000000000000000-mapping.dmp

Download
memory/5032-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads