bitrat | 9a94526af5d19bcf180fce60337990aa2ca9faae1e6e2c913904e5f66f1c0bca

General

Target

MAOISKUDTHHDBENR.exe
Size

300.0MB
MD5

75982f6745193533c0794af8942c23fd
SHA1

1883c8aa732a0f3b280edb3d3426b8dfcd5bdb09
SHA256

9a94526af5d19bcf180fce60337990aa2ca9faae1e6e2c913904e5f66f1c0bca
SHA512

c9de7e051e14f40a93e620eca74d964d4ac13bafdab3e9aa14ae302a3f524343dfb1524bde53a062f38c2edc2e9d61fe423aabf6672fddcd546495a81a9a3534

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 1 IoCs

Processes:

gvbeds.exe

pid process

1752 gvbeds.exe

pid	process
1752	gvbeds.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/944-60-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/944-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/944-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/944-67-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/944-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/944-65-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/944-69-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/944-74-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2008-93-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2008-94-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

vbc.exevbc.exe

pid process

944 vbc.exe
944 vbc.exe
944 vbc.exe
944 vbc.exe
944 vbc.exe
2008 vbc.exe

pid	process
944	vbc.exe
944	vbc.exe
944	vbc.exe
944	vbc.exe
944	vbc.exe
2008	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

MAOISKUDTHHDBENR.exegvbeds.exe

description	pid	process	target process
PID 1348 set thread context of 944	1348	MAOISKUDTHHDBENR.exe	vbc.exe
PID 1752 set thread context of 2008	1752	gvbeds.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

108 schtasks.exe
1672 schtasks.exe

pid	process
108	schtasks.exe
1672	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	944	vbc.exe
Token: SeShutdownPrivilege	944	vbc.exe
Token: SeDebugPrivilege	2008	vbc.exe
Token: SeShutdownPrivilege	2008	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vbc.exe

pid process

944 vbc.exe
944 vbc.exe

pid	process
944	vbc.exe
944	vbc.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

MAOISKUDTHHDBENR.execmd.exetaskeng.exegvbeds.execmd.exe

description	pid	process	target process
PID 1348 wrote to memory of 984	1348	MAOISKUDTHHDBENR.exe	cmd.exe
PID 1348 wrote to memory of 984	1348	MAOISKUDTHHDBENR.exe	cmd.exe
PID 1348 wrote to memory of 984	1348	MAOISKUDTHHDBENR.exe	cmd.exe
PID 1348 wrote to memory of 984	1348	MAOISKUDTHHDBENR.exe	cmd.exe
PID 984 wrote to memory of 108	984	cmd.exe	schtasks.exe
PID 984 wrote to memory of 108	984	cmd.exe	schtasks.exe
PID 984 wrote to memory of 108	984	cmd.exe	schtasks.exe
PID 984 wrote to memory of 108	984	cmd.exe	schtasks.exe
PID 1348 wrote to memory of 748	1348	MAOISKUDTHHDBENR.exe	cmd.exe
PID 1348 wrote to memory of 748	1348	MAOISKUDTHHDBENR.exe	cmd.exe
PID 1348 wrote to memory of 748	1348	MAOISKUDTHHDBENR.exe	cmd.exe
PID 1348 wrote to memory of 748	1348	MAOISKUDTHHDBENR.exe	cmd.exe
PID 1348 wrote to memory of 944	1348	MAOISKUDTHHDBENR.exe	vbc.exe
PID 1348 wrote to memory of 944	1348	MAOISKUDTHHDBENR.exe	vbc.exe
PID 1348 wrote to memory of 944	1348	MAOISKUDTHHDBENR.exe	vbc.exe
PID 1348 wrote to memory of 944	1348	MAOISKUDTHHDBENR.exe	vbc.exe
PID 1348 wrote to memory of 944	1348	MAOISKUDTHHDBENR.exe	vbc.exe
PID 1348 wrote to memory of 944	1348	MAOISKUDTHHDBENR.exe	vbc.exe
PID 1348 wrote to memory of 944	1348	MAOISKUDTHHDBENR.exe	vbc.exe
PID 1348 wrote to memory of 944	1348	MAOISKUDTHHDBENR.exe	vbc.exe
PID 1704 wrote to memory of 1752	1704	taskeng.exe	gvbeds.exe
PID 1704 wrote to memory of 1752	1704	taskeng.exe	gvbeds.exe
PID 1704 wrote to memory of 1752	1704	taskeng.exe	gvbeds.exe
PID 1704 wrote to memory of 1752	1704	taskeng.exe	gvbeds.exe
PID 1752 wrote to memory of 460	1752	gvbeds.exe	cmd.exe
PID 1752 wrote to memory of 460	1752	gvbeds.exe	cmd.exe
PID 1752 wrote to memory of 460	1752	gvbeds.exe	cmd.exe
PID 1752 wrote to memory of 460	1752	gvbeds.exe	cmd.exe
PID 1752 wrote to memory of 1788	1752	gvbeds.exe	cmd.exe
PID 1752 wrote to memory of 1788	1752	gvbeds.exe	cmd.exe
PID 1752 wrote to memory of 1788	1752	gvbeds.exe	cmd.exe
PID 1752 wrote to memory of 1788	1752	gvbeds.exe	cmd.exe
PID 460 wrote to memory of 1672	460	cmd.exe	schtasks.exe
PID 460 wrote to memory of 1672	460	cmd.exe	schtasks.exe
PID 460 wrote to memory of 1672	460	cmd.exe	schtasks.exe
PID 460 wrote to memory of 1672	460	cmd.exe	schtasks.exe
PID 1752 wrote to memory of 2008	1752	gvbeds.exe	vbc.exe
PID 1752 wrote to memory of 2008	1752	gvbeds.exe	vbc.exe
PID 1752 wrote to memory of 2008	1752	gvbeds.exe	vbc.exe
PID 1752 wrote to memory of 2008	1752	gvbeds.exe	vbc.exe
PID 1752 wrote to memory of 2008	1752	gvbeds.exe	vbc.exe
PID 1752 wrote to memory of 2008	1752	gvbeds.exe	vbc.exe
PID 1752 wrote to memory of 2008	1752	gvbeds.exe	vbc.exe
PID 1752 wrote to memory of 2008	1752	gvbeds.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\MAOISKUDTHHDBENR.exe
"C:\Users\Admin\AppData\Local\Temp\MAOISKUDTHHDBENR.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\gvbeds.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\gvbeds.exe'" /f
3⤵
- Creates scheduled task(s)
PID:108

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\MAOISKUDTHHDBENR.exe" "C:\Users\Admin\AppData\Roaming\gvbeds.exe"
2⤵
PID:748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:944

C:\Windows\system32\taskeng.exe
taskeng.exe {2A86CF48-86DC-4CEA-8DB5-BE1884E3C0BC} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Roaming\gvbeds.exe
C:\Users\Admin\AppData\Roaming\gvbeds.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\gvbeds.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:460

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\gvbeds.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1672

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\gvbeds.exe" "C:\Users\Admin\AppData\Roaming\gvbeds.exe"
3⤵
PID:1788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\gvbeds.exe

Filesize
300.0MB

MD5
75982f6745193533c0794af8942c23fd

SHA1
1883c8aa732a0f3b280edb3d3426b8dfcd5bdb09

SHA256
9a94526af5d19bcf180fce60337990aa2ca9faae1e6e2c913904e5f66f1c0bca

SHA512
c9de7e051e14f40a93e620eca74d964d4ac13bafdab3e9aa14ae302a3f524343dfb1524bde53a062f38c2edc2e9d61fe423aabf6672fddcd546495a81a9a3534

Download Submit
C:\Users\Admin\AppData\Roaming\gvbeds.exe

Filesize
300.0MB

MD5
75982f6745193533c0794af8942c23fd

SHA1
1883c8aa732a0f3b280edb3d3426b8dfcd5bdb09

SHA256
9a94526af5d19bcf180fce60337990aa2ca9faae1e6e2c913904e5f66f1c0bca

SHA512
c9de7e051e14f40a93e620eca74d964d4ac13bafdab3e9aa14ae302a3f524343dfb1524bde53a062f38c2edc2e9d61fe423aabf6672fddcd546495a81a9a3534

Download Submit
memory/108-57-0x0000000000000000-mapping.dmp

Download
memory/460-80-0x0000000000000000-mapping.dmp

Download
memory/748-58-0x0000000000000000-mapping.dmp

Download
memory/944-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/944-77-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/944-78-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/944-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/944-67-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/944-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/944-65-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/944-64-0x00000000007E2730-mapping.dmp

Download
memory/944-69-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/944-59-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/944-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/944-76-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/944-74-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/944-75-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/984-56-0x0000000000000000-mapping.dmp

Download
memory/1348-54-0x0000000000B30000-0x0000000000CBC000-memory.dmp

Filesize
1.5MB

Download
memory/1348-55-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download
memory/1672-82-0x0000000000000000-mapping.dmp

Download
memory/1752-73-0x0000000000E70000-0x0000000000FFC000-memory.dmp

Filesize
1.5MB

Download
memory/1752-71-0x0000000000000000-mapping.dmp

Download
memory/1788-81-0x0000000000000000-mapping.dmp

Download
memory/2008-88-0x00000000007E2730-mapping.dmp

Download
memory/2008-93-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2008-94-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads