bitrat | 9c457ce3eb5b5b0456c80609b512040696acab4f47d7b6879f0200e1b8501075

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2022 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order #115-46CYP-6543893216.exe
Size

391KB
MD5

e89986dbfdef6f38249ad35a87d93f33
SHA1

6c78e1cb8b361c4dba18451a12d42901c0a97ca1
SHA256

9c457ce3eb5b5b0456c80609b512040696acab4f47d7b6879f0200e1b8501075
SHA512

02188eaeb964750e666c9aff416d4a93d88a7d5f887d8c6a73066629f2f0ed101ee4ecb135a19664f83aeebf8ae0b7c40d177d3c34bc422c8b73f9c55d046e0b
SSDEEP

6144:xXifTDZUEd5UT2AyvSlKkl8ftbFq65LhhZMEUcQQiW:ADj9Nv0K5tbFq6xh8W

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

febbit2.ddns.net:6655

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Downloads MZ/PE file

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3768-137-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3768-139-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3768-138-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3768-140-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3768-141-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3768-144-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

RegAsm.exe

pid process

3768 RegAsm.exe
3768 RegAsm.exe
3768 RegAsm.exe
3768 RegAsm.exe
3768 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Order #115-46CYP-6543893216.exe

description pid process target process

PID 3188 set thread context of 3768 3188 Order #115-46CYP-6543893216.exe RegAsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Order #115-46CYP-6543893216.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 3188 Order #115-46CYP-6543893216.exe
Token: SeShutdownPrivilege 3768 RegAsm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

3768 RegAsm.exe
3768 RegAsm.exe

pid	process
3768	RegAsm.exe
3768	RegAsm.exe
3768	RegAsm.exe
3768	RegAsm.exe
3768	RegAsm.exe

description	pid	process	target process
PID 3188 set thread context of 3768	3188	Order #115-46CYP-6543893216.exe	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3188	Order #115-46CYP-6543893216.exe
Token: SeShutdownPrivilege	3768	RegAsm.exe

pid	process
3768	RegAsm.exe
3768	RegAsm.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Order #115-46CYP-6543893216.exe

description	pid	process	target process
PID 3188 wrote to memory of 3768	3188	Order #115-46CYP-6543893216.exe	RegAsm.exe
PID 3188 wrote to memory of 3768	3188	Order #115-46CYP-6543893216.exe	RegAsm.exe
PID 3188 wrote to memory of 3768	3188	Order #115-46CYP-6543893216.exe	RegAsm.exe
PID 3188 wrote to memory of 3768	3188	Order #115-46CYP-6543893216.exe	RegAsm.exe
PID 3188 wrote to memory of 3768	3188	Order #115-46CYP-6543893216.exe	RegAsm.exe
PID 3188 wrote to memory of 3768	3188	Order #115-46CYP-6543893216.exe	RegAsm.exe
PID 3188 wrote to memory of 3768	3188	Order #115-46CYP-6543893216.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\Order #115-46CYP-6543893216.exe
"C:\Users\Admin\AppData\Local\Temp\Order #115-46CYP-6543893216.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3188-132-0x00000000002A0000-0x0000000000308000-memory.dmp

Filesize
416KB

Download
memory/3188-133-0x0000000005250000-0x00000000057F4000-memory.dmp

Filesize
5.6MB

Download
memory/3188-134-0x0000000004D40000-0x0000000004DD2000-memory.dmp

Filesize
584KB

Download
memory/3188-135-0x0000000004CD0000-0x0000000004CDA000-memory.dmp

Filesize
40KB

Download
memory/3768-136-0x0000000000000000-mapping.dmp

Download
memory/3768-137-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3768-139-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3768-138-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3768-140-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3768-141-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3768-142-0x0000000074E40000-0x0000000074E79000-memory.dmp

Filesize
228KB

Download
memory/3768-143-0x00000000751E0000-0x0000000075219000-memory.dmp

Filesize
228KB

Download
memory/3768-144-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3768-145-0x0000000074E40000-0x0000000074E79000-memory.dmp

Filesize
228KB

Download
memory/3768-146-0x00000000751E0000-0x0000000075219000-memory.dmp

Filesize
228KB

Download