bitrat | 12d9848e317dcbf7dfb95649d7198fd93475f8b4cd093a252f28caeed8093001

General

Target

iCloud_5778420644664315372.exe
Size

6.0MB
MD5

37580d09f99717268666e091c21d344a
SHA1

0b7df2ebdf61753c183c818db71b4b1f6fd57841
SHA256

12d9848e317dcbf7dfb95649d7198fd93475f8b4cd093a252f28caeed8093001
SHA512

f2a1295003d64be1c768afbc6bd0f93ba53a39a883759952246371d9552777432193c35a702697061febb192cb365843480cc52c3dc44d90312a4e8be7e66749
SSDEEP

98304:JyQZRhelFuTw99bP/nCURx/PKnBWrmVjefsn+1:sQ7w99GURx/PKwQe

Score

10^/10

bitrat agilenet persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.35

C2

snkno.duckdns.org:43413

Attributes

communication_password
827ccb0eea8a706c4c34a16891f84e7b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 2 IoCs

Processes:

iCloud.exeAddInProcess32.exe

pid process

1996 iCloud.exe
1368 AddInProcess32.exe
Loads dropped DLL 3 IoCs

Processes:

iCloud_5778420644664315372.exeiCloud.exe

pid process

1060 iCloud_5778420644664315372.exe
1060 iCloud_5778420644664315372.exe
1996 iCloud.exe

pid	process
1996	iCloud.exe
1368	AddInProcess32.exe

pid	process
1060	iCloud_5778420644664315372.exe
1060	iCloud_5778420644664315372.exe
1996	iCloud.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1060-56-0x00000000004C0000-0x00000000004E8000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\apple = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\iCloud.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

AddInProcess32.exe

pid process

1368 AddInProcess32.exe
1368 AddInProcess32.exe
1368 AddInProcess32.exe
1368 AddInProcess32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

iCloud.exe

description pid process target process

PID 1996 set thread context of 1368 1996 iCloud.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1368	AddInProcess32.exe
1368	AddInProcess32.exe
1368	AddInProcess32.exe
1368	AddInProcess32.exe

description	pid	process	target process
PID 1996 set thread context of 1368	1996	iCloud.exe	AddInProcess32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

iCloud_5778420644664315372.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	iCloud_5778420644664315372.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	iCloud_5778420644664315372.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

iCloud_5778420644664315372.exeiCloud.exe

pid process

1060 iCloud_5778420644664315372.exe
1060 iCloud_5778420644664315372.exe
1060 iCloud_5778420644664315372.exe
1996 iCloud.exe
1996 iCloud.exe

pid	process
1060	iCloud_5778420644664315372.exe
1060	iCloud_5778420644664315372.exe
1060	iCloud_5778420644664315372.exe
1996	iCloud.exe
1996	iCloud.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

iCloud_5778420644664315372.exeiCloud.exeAddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	1060	iCloud_5778420644664315372.exe
Token: SeDebugPrivilege	1996	iCloud.exe
Token: SeDebugPrivilege	1368	AddInProcess32.exe
Token: SeShutdownPrivilege	1368	AddInProcess32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AddInProcess32.exe

pid process

1368 AddInProcess32.exe
1368 AddInProcess32.exe

pid	process
1368	AddInProcess32.exe
1368	AddInProcess32.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

iCloud_5778420644664315372.execmd.exeiCloud.exe

description	pid	process	target process
PID 1060 wrote to memory of 1992	1060	iCloud_5778420644664315372.exe	cmd.exe
PID 1060 wrote to memory of 1992	1060	iCloud_5778420644664315372.exe	cmd.exe
PID 1060 wrote to memory of 1992	1060	iCloud_5778420644664315372.exe	cmd.exe
PID 1060 wrote to memory of 1992	1060	iCloud_5778420644664315372.exe	cmd.exe
PID 1992 wrote to memory of 1872	1992	cmd.exe	reg.exe
PID 1992 wrote to memory of 1872	1992	cmd.exe	reg.exe
PID 1992 wrote to memory of 1872	1992	cmd.exe	reg.exe
PID 1992 wrote to memory of 1872	1992	cmd.exe	reg.exe
PID 1060 wrote to memory of 1996	1060	iCloud_5778420644664315372.exe	iCloud.exe
PID 1060 wrote to memory of 1996	1060	iCloud_5778420644664315372.exe	iCloud.exe
PID 1060 wrote to memory of 1996	1060	iCloud_5778420644664315372.exe	iCloud.exe
PID 1060 wrote to memory of 1996	1060	iCloud_5778420644664315372.exe	iCloud.exe
PID 1996 wrote to memory of 1368	1996	iCloud.exe	AddInProcess32.exe
PID 1996 wrote to memory of 1368	1996	iCloud.exe	AddInProcess32.exe
PID 1996 wrote to memory of 1368	1996	iCloud.exe	AddInProcess32.exe
PID 1996 wrote to memory of 1368	1996	iCloud.exe	AddInProcess32.exe
PID 1996 wrote to memory of 1368	1996	iCloud.exe	AddInProcess32.exe
PID 1996 wrote to memory of 1368	1996	iCloud.exe	AddInProcess32.exe
PID 1996 wrote to memory of 1368	1996	iCloud.exe	AddInProcess32.exe
PID 1996 wrote to memory of 1368	1996	iCloud.exe	AddInProcess32.exe
PID 1996 wrote to memory of 1368	1996	iCloud.exe	AddInProcess32.exe
PID 1996 wrote to memory of 1368	1996	iCloud.exe	AddInProcess32.exe
PID 1996 wrote to memory of 1368	1996	iCloud.exe	AddInProcess32.exe
PID 1996 wrote to memory of 1368	1996	iCloud.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\iCloud_5778420644664315372.exe
"C:\Users\Admin\AppData\Local\Temp\iCloud_5778420644664315372.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "apple" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\iCloud.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "apple" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\iCloud.exe"
3⤵
- Adds Run key to start application
PID:1872

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\iCloud.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\iCloud.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
41KB

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
41KB

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\iCloud.exe
Filesize
6.0MB

MD5
37580d09f99717268666e091c21d344a

SHA1
0b7df2ebdf61753c183c818db71b4b1f6fd57841

SHA256
12d9848e317dcbf7dfb95649d7198fd93475f8b4cd093a252f28caeed8093001

SHA512
f2a1295003d64be1c768afbc6bd0f93ba53a39a883759952246371d9552777432193c35a702697061febb192cb365843480cc52c3dc44d90312a4e8be7e66749

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\iCloud.exe
Filesize
6.0MB

MD5
37580d09f99717268666e091c21d344a

SHA1
0b7df2ebdf61753c183c818db71b4b1f6fd57841

SHA256
12d9848e317dcbf7dfb95649d7198fd93475f8b4cd093a252f28caeed8093001

SHA512
f2a1295003d64be1c768afbc6bd0f93ba53a39a883759952246371d9552777432193c35a702697061febb192cb365843480cc52c3dc44d90312a4e8be7e66749

Download Submit
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
41KB

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\iCloud.exe
Filesize
6.0MB

MD5
37580d09f99717268666e091c21d344a

SHA1
0b7df2ebdf61753c183c818db71b4b1f6fd57841

SHA256
12d9848e317dcbf7dfb95649d7198fd93475f8b4cd093a252f28caeed8093001

SHA512
f2a1295003d64be1c768afbc6bd0f93ba53a39a883759952246371d9552777432193c35a702697061febb192cb365843480cc52c3dc44d90312a4e8be7e66749

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\iCloud.exe
Filesize
6.0MB

MD5
37580d09f99717268666e091c21d344a

SHA1
0b7df2ebdf61753c183c818db71b4b1f6fd57841

SHA256
12d9848e317dcbf7dfb95649d7198fd93475f8b4cd093a252f28caeed8093001

SHA512
f2a1295003d64be1c768afbc6bd0f93ba53a39a883759952246371d9552777432193c35a702697061febb192cb365843480cc52c3dc44d90312a4e8be7e66749

Download Submit
memory/1060-55-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/1060-56-0x00000000004C0000-0x00000000004E8000-memory.dmp

Filesize
160KB

Download
memory/1060-54-0x0000000000FB0000-0x00000000015BC000-memory.dmp

Filesize
6.0MB

Download
memory/1368-80-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1368-77-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1368-89-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1368-88-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1368-86-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1368-70-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1368-71-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1368-73-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1368-75-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1368-82-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1368-79-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1368-83-0x0000000000689FA7-mapping.dmp

Download
memory/1872-58-0x0000000000000000-mapping.dmp

Download
memory/1992-57-0x0000000000000000-mapping.dmp

Download
memory/1996-66-0x0000000000A60000-0x0000000000A74000-memory.dmp

Filesize
80KB

Download
memory/1996-61-0x0000000000000000-mapping.dmp

Download
memory/1996-64-0x00000000003D0000-0x00000000009DC000-memory.dmp

Filesize
6.0MB

Download
memory/1996-67-0x0000000000CD0000-0x0000000000CD6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads