bitrat | 515dc9adafe29870ba7052d258ab73abbbaf728015ce92a7eb097033672e05d5

General

Target

cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe
Size

300.0MB
MD5

9edb373bba31ed74e5635c8ba1ccbc24
SHA1

7826110d94ad641b3cbed3eaa1c4e1ab5e329e26
SHA256

cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235
SHA512

90c56b8545767b8b3b3292ebc71d4683b6ff0c2e0fc1135159357707bfb462878c8044eced0f6138e7771d3db3c6e8a1b363d7663fd3e5e50f46254f22ee54e4
SSDEEP

24576:KQWUrKeG3ggoqRwkqbQsH50RPoE+G3ttsP2V4MM9obzQLAmLGAs4DyAunLw+6aI9:K2KtBCR3qP+JeO+/m6yDL9aITLUp

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

newbithere.duckdns.org:2005

Attributes

communication_password
827ccb0eea8a706c4c34a16891f84e7b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 1 IoCs

Processes:

pojhg.exe

pid process

1944 pojhg.exe

pid	process
1944	pojhg.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2016-60-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2016-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2016-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2016-65-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2016-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2016-69-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2016-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2016-71-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2016-76-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

RegAsm.exe

pid process

2016 RegAsm.exe
2016 RegAsm.exe
2016 RegAsm.exe
2016 RegAsm.exe

pid	process
2016	RegAsm.exe
2016	RegAsm.exe
2016	RegAsm.exe
2016	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe

description	pid	process	target process
PID 360 set thread context of 2016	360	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1216 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 2016 RegAsm.exe
Token: SeShutdownPrivilege 2016 RegAsm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

2016 RegAsm.exe
2016 RegAsm.exe

pid	process
1216	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2016	RegAsm.exe
Token: SeShutdownPrivilege	2016	RegAsm.exe

pid	process
2016	RegAsm.exe
2016	RegAsm.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.execmd.exetaskeng.exe

description	pid	process	target process
PID 360 wrote to memory of 1136	360	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	cmd.exe
PID 360 wrote to memory of 1136	360	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	cmd.exe
PID 360 wrote to memory of 1136	360	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	cmd.exe
PID 360 wrote to memory of 1136	360	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	cmd.exe
PID 1136 wrote to memory of 1216	1136	cmd.exe	schtasks.exe
PID 1136 wrote to memory of 1216	1136	cmd.exe	schtasks.exe
PID 1136 wrote to memory of 1216	1136	cmd.exe	schtasks.exe
PID 1136 wrote to memory of 1216	1136	cmd.exe	schtasks.exe
PID 360 wrote to memory of 1244	360	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	cmd.exe
PID 360 wrote to memory of 1244	360	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	cmd.exe
PID 360 wrote to memory of 1244	360	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	cmd.exe
PID 360 wrote to memory of 1244	360	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	cmd.exe
PID 360 wrote to memory of 2016	360	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	RegAsm.exe
PID 360 wrote to memory of 2016	360	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	RegAsm.exe
PID 360 wrote to memory of 2016	360	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	RegAsm.exe
PID 360 wrote to memory of 2016	360	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	RegAsm.exe
PID 360 wrote to memory of 2016	360	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	RegAsm.exe
PID 360 wrote to memory of 2016	360	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	RegAsm.exe
PID 360 wrote to memory of 2016	360	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	RegAsm.exe
PID 360 wrote to memory of 2016	360	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	RegAsm.exe
PID 360 wrote to memory of 2016	360	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	RegAsm.exe
PID 360 wrote to memory of 2016	360	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	RegAsm.exe
PID 360 wrote to memory of 2016	360	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	RegAsm.exe
PID 1184 wrote to memory of 1944	1184	taskeng.exe	pojhg.exe
PID 1184 wrote to memory of 1944	1184	taskeng.exe	pojhg.exe
PID 1184 wrote to memory of 1944	1184	taskeng.exe	pojhg.exe
PID 1184 wrote to memory of 1944	1184	taskeng.exe	pojhg.exe

C:\Users\Admin\AppData\Local\Temp\cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe
"C:\Users\Admin\AppData\Local\Temp\cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\pojhg.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\pojhg.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1216

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe" "C:\Users\Admin\AppData\Roaming\pojhg.exe"
2⤵
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Windows\system32\taskeng.exe
taskeng.exe {E71B2451-E121-41F5-B74C-E64AC4BA03F6} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Roaming\pojhg.exe
C:\Users\Admin\AppData\Roaming\pojhg.exe
2⤵
- Executes dropped EXE
PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\pojhg.exe

Filesize
137.3MB

MD5
748726ad63706b1d8b7513186bbf4039

SHA1
4c376124e57306106509f3fb9b6fb5ee058dae57

SHA256
f0f60c1377394c9d66d8f07c530cf83325722bf0cd97aef49543da5a05cf23c6

SHA512
b1ba892343a82c21e3a67a953f703312eec60dd95fb6097f5d950ee1c3f2d42f4ed6452488811ed77f6763ee31d3e8108d16d85b8a4be4c24dabeb136e04dbef

Download Submit
C:\Users\Admin\AppData\Roaming\pojhg.exe

Filesize
134.8MB

MD5
a934903c119d6241b0f9d218a7b79a9d

SHA1
770d598d978e81f5f2d38f1b45e964b1315a115c

SHA256
b3a8078fa5c93becc242ed3b42540dcc96132a7aa9e501340fb597db931edc2d

SHA512
5e90fdcd548bd6bdd8fc4cbb207698ba7608e8502a9ab72437e73598ed88c1ff6524379eb060f589770ac90dcdcf2dcfdcc5993152b5a976e196090de411e34d

Download Submit
memory/360-55-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/360-54-0x0000000000D50000-0x0000000000EE2000-memory.dmp

Filesize
1.6MB

Download
memory/1136-56-0x0000000000000000-mapping.dmp

Download
memory/1216-57-0x0000000000000000-mapping.dmp

Download
memory/1244-58-0x0000000000000000-mapping.dmp

Download
memory/1944-75-0x00000000011A0000-0x0000000001332000-memory.dmp

Filesize
1.6MB

Download
memory/1944-73-0x0000000000000000-mapping.dmp

Download
memory/2016-59-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2016-65-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2016-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2016-69-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2016-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2016-71-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2016-64-0x00000000007E2730-mapping.dmp

Download
memory/2016-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2016-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2016-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2016-76-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads