bitrat | 515dc9adafe29870ba7052d258ab73abbbaf728015ce92a7eb097033672e05d5

General

Target

cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe
Size

300.0MB
MD5

9edb373bba31ed74e5635c8ba1ccbc24
SHA1

7826110d94ad641b3cbed3eaa1c4e1ab5e329e26
SHA256

cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235
SHA512

90c56b8545767b8b3b3292ebc71d4683b6ff0c2e0fc1135159357707bfb462878c8044eced0f6138e7771d3db3c6e8a1b363d7663fd3e5e50f46254f22ee54e4
SSDEEP

24576:KQWUrKeG3ggoqRwkqbQsH50RPoE+G3ttsP2V4MM9obzQLAmLGAs4DyAunLw+6aI9:K2KtBCR3qP+JeO+/m6yDL9aITLUp

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

newbithere.duckdns.org:2005

Attributes

communication_password
827ccb0eea8a706c4c34a16891f84e7b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 1 IoCs

Processes:

pojhg.exe

pid process

1644 pojhg.exe

pid	process
1644	pojhg.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2364-139-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2364-140-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2364-141-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2364-142-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2364-143-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2364-146-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

RegAsm.exe

pid process

2364 RegAsm.exe
2364 RegAsm.exe
2364 RegAsm.exe
2364 RegAsm.exe

pid	process
2364	RegAsm.exe
2364	RegAsm.exe
2364	RegAsm.exe
2364	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe

description	pid	process	target process
PID 4228 set thread context of 2364	4228	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4616 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeShutdownPrivilege 2364 RegAsm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

2364 RegAsm.exe
2364 RegAsm.exe

pid	process
4616	schtasks.exe

description	pid	process
Token: SeShutdownPrivilege	2364	RegAsm.exe

pid	process
2364	RegAsm.exe
2364	RegAsm.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.execmd.exe

description	pid	process	target process
PID 4228 wrote to memory of 2968	4228	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	cmd.exe
PID 4228 wrote to memory of 2968	4228	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	cmd.exe
PID 4228 wrote to memory of 2968	4228	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	cmd.exe
PID 2968 wrote to memory of 4616	2968	cmd.exe	schtasks.exe
PID 2968 wrote to memory of 4616	2968	cmd.exe	schtasks.exe
PID 2968 wrote to memory of 4616	2968	cmd.exe	schtasks.exe
PID 4228 wrote to memory of 4036	4228	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	cmd.exe
PID 4228 wrote to memory of 4036	4228	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	cmd.exe
PID 4228 wrote to memory of 4036	4228	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	cmd.exe
PID 4228 wrote to memory of 2364	4228	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	RegAsm.exe
PID 4228 wrote to memory of 2364	4228	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	RegAsm.exe
PID 4228 wrote to memory of 2364	4228	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	RegAsm.exe
PID 4228 wrote to memory of 2364	4228	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	RegAsm.exe
PID 4228 wrote to memory of 2364	4228	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	RegAsm.exe
PID 4228 wrote to memory of 2364	4228	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	RegAsm.exe
PID 4228 wrote to memory of 2364	4228	cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe
"C:\Users\Admin\AppData\Local\Temp\cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\pojhg.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\pojhg.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4616

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235.exe" "C:\Users\Admin\AppData\Roaming\pojhg.exe"
2⤵
PID:4036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2364

C:\Users\Admin\AppData\Roaming\pojhg.exe
C:\Users\Admin\AppData\Roaming\pojhg.exe
1⤵
- Executes dropped EXE
PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\pojhg.exe

Filesize
157.6MB

MD5
1c4d8f935f706917f3717f8ed0db64f9

SHA1
875d8eeb7a7968c0f11546d2b5cdcba12af809c5

SHA256
743a3965a52125fde2ffcf068ffcda65a2f0d84c7f4c8b28645fd223ab6a2b92

SHA512
8d160dc30f17b722c5f36d987b4d73640506b33cc4df5c0de889e9c31f5a0048ab53ba5246bc1ff79019807186637b407cc7a1b4c0e4c5221a7df054933353b3

Download Submit
C:\Users\Admin\AppData\Roaming\pojhg.exe

Filesize
155.2MB

MD5
04c691c7271923254446c7ae57b40784

SHA1
7a299a3d5805528b54c71706cdeeb04e32c91b50

SHA256
716a6f4755ef708d0577100bd88ae700d8c7d1f6d58d1d7bf951d71d0e49f576

SHA512
00db16961a8351966353b68b5e49fb188861bb90dd8a0649e17fd8fd2cb2539eab096f692c89a20f9b93ece7cfadc18fc972825775cb3bdfa56f35ce69ff6b98

Download Submit
memory/2364-147-0x0000000074E50000-0x0000000074E89000-memory.dmp

Filesize
228KB

Download
memory/2364-143-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2364-151-0x0000000074BA0000-0x0000000074BD9000-memory.dmp

Filesize
228KB

Download
memory/2364-150-0x0000000074BA0000-0x0000000074BD9000-memory.dmp

Filesize
228KB

Download
memory/2364-138-0x0000000000000000-mapping.dmp

Download
memory/2364-139-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2364-140-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2364-141-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2364-142-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2364-146-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2364-144-0x00000000752A0000-0x00000000752D9000-memory.dmp

Filesize
228KB

Download
memory/2364-145-0x0000000074E50000-0x0000000074E89000-memory.dmp

Filesize
228KB

Download
memory/2968-134-0x0000000000000000-mapping.dmp

Download
memory/4036-137-0x0000000000000000-mapping.dmp

Download
memory/4228-132-0x00000000000E0000-0x0000000000272000-memory.dmp

Filesize
1.6MB

Download
memory/4228-133-0x0000000004C50000-0x0000000004CB6000-memory.dmp

Filesize
408KB

Download
memory/4228-136-0x0000000005470000-0x0000000005A14000-memory.dmp

Filesize
5.6MB

Download
memory/4616-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads