bitrat | be3d815c8d513afdf55476fe42678549fdc65ea00a77fc8c7ba7c18b374d9723

Analysis

max time kernel
148s
max time network
160s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-08-2022 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

image logger.exe
Size

22.5MB
MD5

5f0555a10263f383467a920d22febeed
SHA1

0e4b694afc583d51148fe1368516b4345eeb816a
SHA256

be3d815c8d513afdf55476fe42678549fdc65ea00a77fc8c7ba7c18b374d9723
SHA512

b1703db887aaaae3578de96d3de0a6510e071495c0266c88e464a9dd4248f60884b1a6eb92d3a7b6b81265fc1447096a04fd075b8fe2d1f5fcd463c7ddb588a3
SSDEEP

393216:9S6mhw3e/m3pfCTnxtX1JFT9NvKL0oBKcRabopyznWR/eBX:9SdhdKitXPFJhKL1RiopyzD

Score

10^/10

bitrat persistence pyinstaller trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

Cluluvsu-34807.portmap.host:34807

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
install_dir
sdudir
install_file
sudir
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 4 IoCs

Processes:

BUILT.EXESTUB.EXEBUILT.EXE

pid process

948 BUILT.EXE
1680 STUB.EXE
1600 BUILT.EXE
1220

pid	process
948	BUILT.EXE
1680	STUB.EXE
1600	BUILT.EXE
1220

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI9482\python310.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI9482\python310.dll	upx
behavioral1/memory/1600-71-0x000007FEF5D00000-0x000007FEF6164000-memory.dmp	upx

Loads dropped DLL 5 IoCs

Processes:

image logger.exeBUILT.EXE

pid process

1284 image logger.exe
1284 image logger.exe
1284 image logger.exe
1600 BUILT.EXE
1220

pid	process
1284	image logger.exe
1284	image logger.exe
1284	image logger.exe
1600	BUILT.EXE
1220

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

STUB.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\sudir = "C:\\Users\\Admin\\AppData\\Local\\sdudir\\sudir"	STUB.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

STUB.EXE

pid process

1680 STUB.EXE
1680 STUB.EXE
1680 STUB.EXE
1680 STUB.EXE

pid	process
1680	STUB.EXE
1680	STUB.EXE
1680	STUB.EXE
1680	STUB.EXE

Detects Pyinstaller 6 IoCs

pyinstaller

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\BUILT.EXE	pyinstaller
C:\Users\Admin\AppData\Roaming\BUILT.EXE	pyinstaller
C:\Users\Admin\AppData\Roaming\BUILT.EXE	pyinstaller
C:\Users\Admin\AppData\Roaming\BUILT.EXE	pyinstaller
\Users\Admin\AppData\Roaming\BUILT.EXE	pyinstaller
\Users\Admin\AppData\Roaming\BUILT.EXE	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

STUB.EXE

description pid process

Token: SeDebugPrivilege 1680 STUB.EXE
Token: SeShutdownPrivilege 1680 STUB.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

STUB.EXE

pid process

1680 STUB.EXE
1680 STUB.EXE

description	pid	process
Token: SeDebugPrivilege	1680	STUB.EXE
Token: SeShutdownPrivilege	1680	STUB.EXE

pid	process
1680	STUB.EXE
1680	STUB.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

image logger.exeBUILT.EXE

description	pid	process	target process
PID 1284 wrote to memory of 948	1284	image logger.exe	BUILT.EXE
PID 1284 wrote to memory of 948	1284	image logger.exe	BUILT.EXE
PID 1284 wrote to memory of 948	1284	image logger.exe	BUILT.EXE
PID 1284 wrote to memory of 948	1284	image logger.exe	BUILT.EXE
PID 1284 wrote to memory of 1680	1284	image logger.exe	STUB.EXE
PID 1284 wrote to memory of 1680	1284	image logger.exe	STUB.EXE
PID 1284 wrote to memory of 1680	1284	image logger.exe	STUB.EXE
PID 1284 wrote to memory of 1680	1284	image logger.exe	STUB.EXE
PID 948 wrote to memory of 1600	948	BUILT.EXE	BUILT.EXE
PID 948 wrote to memory of 1600	948	BUILT.EXE	BUILT.EXE
PID 948 wrote to memory of 1600	948	BUILT.EXE	BUILT.EXE

C:\Users\Admin\AppData\Local\Temp\image logger.exe
"C:\Users\Admin\AppData\Local\Temp\image logger.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Roaming\BUILT.EXE
"C:\Users\Admin\AppData\Roaming\BUILT.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Roaming\BUILT.EXE
"C:\Users\Admin\AppData\Roaming\BUILT.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600

C:\Users\Admin\AppData\Roaming\STUB.EXE
"C:\Users\Admin\AppData\Roaming\STUB.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI9482\python310.dll
Filesize
1.4MB

MD5
99cb804abc9a8f4cb8d08d77e515dcb7

SHA1
0d833cb729f3d5c845491b61b47018c82065f4ad

SHA256
8d23914f6eaa371f2e0c15816c7ab62573d428e750d1bbcd9a07498264d7d240

SHA512
43252d45803957ba79d42afdd12b956c3b829c9b00a78199c35e3eeb863d8c56f4f0b467faae227b7c058f59a3f11152f670090e2212eb6a2837378bca53ac82

Download Submit
C:\Users\Admin\AppData\Roaming\BUILT.EXE
Filesize
18.7MB

MD5
39a855952fec2668f443dc0ebce979b2

SHA1
2a5a7ebcca12ab6d02e51673e5fe7feb18f6a1ee

SHA256
9bf96b388e0e2ef799a30dee445dde6ee745af8a47c9db9ec924865cf37c56f9

SHA512
f9a7817da4722cb657afea0bb7d936cd8e5b221cf1b9121ef5541121d04ed2458a07e77bfe25917fe268123099a99929d17f63f3cb4869d8835dbf88fca3155d

Download Submit
C:\Users\Admin\AppData\Roaming\BUILT.EXE
Filesize
18.7MB

MD5
39a855952fec2668f443dc0ebce979b2

SHA1
2a5a7ebcca12ab6d02e51673e5fe7feb18f6a1ee

SHA256
9bf96b388e0e2ef799a30dee445dde6ee745af8a47c9db9ec924865cf37c56f9

SHA512
f9a7817da4722cb657afea0bb7d936cd8e5b221cf1b9121ef5541121d04ed2458a07e77bfe25917fe268123099a99929d17f63f3cb4869d8835dbf88fca3155d

Download Submit
C:\Users\Admin\AppData\Roaming\BUILT.EXE
Filesize
18.7MB

MD5
39a855952fec2668f443dc0ebce979b2

SHA1
2a5a7ebcca12ab6d02e51673e5fe7feb18f6a1ee

SHA256
9bf96b388e0e2ef799a30dee445dde6ee745af8a47c9db9ec924865cf37c56f9

SHA512
f9a7817da4722cb657afea0bb7d936cd8e5b221cf1b9121ef5541121d04ed2458a07e77bfe25917fe268123099a99929d17f63f3cb4869d8835dbf88fca3155d

Download Submit
C:\Users\Admin\AppData\Roaming\STUB.EXE
Filesize
3.8MB

MD5
08b8d6d55fa0ab4034e2080270e83fdb

SHA1
4fba6fa6251f41e381588335e7b73c77765149f9

SHA256
f0c2e55ec391d428f5f79b270bc770f5c684414becd8d2c7f0c8fb78462b47bb

SHA512
83ff113311596c16c8f6192ce7b1e03125327f225d9734074508ea9a4925e897ea6b5afbb648434082bf5d058ed442bb5993f057be407282ec20e5e6613a2beb

Download Submit
C:\Users\Admin\AppData\Roaming\STUB.EXE
Filesize
3.8MB

MD5
08b8d6d55fa0ab4034e2080270e83fdb

SHA1
4fba6fa6251f41e381588335e7b73c77765149f9

SHA256
f0c2e55ec391d428f5f79b270bc770f5c684414becd8d2c7f0c8fb78462b47bb

SHA512
83ff113311596c16c8f6192ce7b1e03125327f225d9734074508ea9a4925e897ea6b5afbb648434082bf5d058ed442bb5993f057be407282ec20e5e6613a2beb

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9482\python310.dll
Filesize
1.4MB

MD5
99cb804abc9a8f4cb8d08d77e515dcb7

SHA1
0d833cb729f3d5c845491b61b47018c82065f4ad

SHA256
8d23914f6eaa371f2e0c15816c7ab62573d428e750d1bbcd9a07498264d7d240

SHA512
43252d45803957ba79d42afdd12b956c3b829c9b00a78199c35e3eeb863d8c56f4f0b467faae227b7c058f59a3f11152f670090e2212eb6a2837378bca53ac82

Download Submit
\Users\Admin\AppData\Roaming\BUILT.EXE
Filesize
18.7MB

MD5
39a855952fec2668f443dc0ebce979b2

SHA1
2a5a7ebcca12ab6d02e51673e5fe7feb18f6a1ee

SHA256
9bf96b388e0e2ef799a30dee445dde6ee745af8a47c9db9ec924865cf37c56f9

SHA512
f9a7817da4722cb657afea0bb7d936cd8e5b221cf1b9121ef5541121d04ed2458a07e77bfe25917fe268123099a99929d17f63f3cb4869d8835dbf88fca3155d

Download Submit
\Users\Admin\AppData\Roaming\BUILT.EXE
Filesize
18.7MB

MD5
39a855952fec2668f443dc0ebce979b2

SHA1
2a5a7ebcca12ab6d02e51673e5fe7feb18f6a1ee

SHA256
9bf96b388e0e2ef799a30dee445dde6ee745af8a47c9db9ec924865cf37c56f9

SHA512
f9a7817da4722cb657afea0bb7d936cd8e5b221cf1b9121ef5541121d04ed2458a07e77bfe25917fe268123099a99929d17f63f3cb4869d8835dbf88fca3155d

Download Submit
\Users\Admin\AppData\Roaming\BUILT.EXE
Filesize
18.7MB

MD5
39a855952fec2668f443dc0ebce979b2

SHA1
2a5a7ebcca12ab6d02e51673e5fe7feb18f6a1ee

SHA256
9bf96b388e0e2ef799a30dee445dde6ee745af8a47c9db9ec924865cf37c56f9

SHA512
f9a7817da4722cb657afea0bb7d936cd8e5b221cf1b9121ef5541121d04ed2458a07e77bfe25917fe268123099a99929d17f63f3cb4869d8835dbf88fca3155d

Download Submit
\Users\Admin\AppData\Roaming\STUB.EXE
Filesize
3.8MB

MD5
08b8d6d55fa0ab4034e2080270e83fdb

SHA1
4fba6fa6251f41e381588335e7b73c77765149f9

SHA256
f0c2e55ec391d428f5f79b270bc770f5c684414becd8d2c7f0c8fb78462b47bb

SHA512
83ff113311596c16c8f6192ce7b1e03125327f225d9734074508ea9a4925e897ea6b5afbb648434082bf5d058ed442bb5993f057be407282ec20e5e6613a2beb

Download Submit
\Users\Admin\AppData\Roaming\STUB.EXE
Filesize
3.8MB

MD5
08b8d6d55fa0ab4034e2080270e83fdb

SHA1
4fba6fa6251f41e381588335e7b73c77765149f9

SHA256
f0c2e55ec391d428f5f79b270bc770f5c684414becd8d2c7f0c8fb78462b47bb

SHA512
83ff113311596c16c8f6192ce7b1e03125327f225d9734074508ea9a4925e897ea6b5afbb648434082bf5d058ed442bb5993f057be407282ec20e5e6613a2beb

Download Submit
memory/948-58-0x000007FEFB881000-0x000007FEFB883000-memory.dmp

Filesize
8KB

Download
memory/948-56-0x0000000000000000-mapping.dmp

Download
memory/1284-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1600-66-0x0000000000000000-mapping.dmp

Download
memory/1600-71-0x000007FEF5D00000-0x000007FEF6164000-memory.dmp

Filesize
4.4MB

Download
memory/1680-62-0x0000000000000000-mapping.dmp

Download
memory/1680-64-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download