bitrat | bf6a3ac0316f35f0e8663019709028b9d352c1bf10f8bed23807b40309f5ba60

General

Target

BILLPAYM.exe
Size

300.0MB
MD5

41d8a777ddc40a009a046f88900c0b80
SHA1

25dfd72ffe79eb5884d27fead86f4886bed638de
SHA256

e6844a84f9210b5803147c158c841404331177bf409dab05fecb3b3303d50347
SHA512

e75f3bfc85ed1def013474d61d5ee936ce36f499e0e111a7a1264180b7c7cc0b9a35469c35549e14c5efccc105db509aa5935152aab4e028b038e12b126f4514
SSDEEP

24576:R+GQ7D8nXiNeGFPQKpFCjI/teJb2Q/eF2YlIECXRPbSVKcS2nOI3lqaNJJxEJYsO:R+GaeGtpFC8/mb9ejKulkPaNJo

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

newbithere.duckdns.org:2005

Attributes

communication_password
827ccb0eea8a706c4c34a16891f84e7b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 2 IoCs

Processes:

Windows.exeWindows.exe

pid process

652 Windows.exe
1092 Windows.exe

pid	process
652	Windows.exe
1092	Windows.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1748-60-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1748-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1748-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1748-65-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1748-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1748-69-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1748-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1748-71-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1748-74-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1644-97-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1644-98-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1064-112-0x00000000004D0000-0x00000000008B4000-memory.dmp	upx
behavioral1/memory/1064-113-0x00000000004D0000-0x00000000008B4000-memory.dmp	upx
behavioral1/memory/1064-116-0x00000000004D0000-0x00000000008B4000-memory.dmp	upx
behavioral1/memory/1064-118-0x00000000004D0000-0x00000000008B4000-memory.dmp	upx
behavioral1/memory/1064-119-0x00000000004D0000-0x00000000008B4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exe

pid process

1748 RegAsm.exe
1748 RegAsm.exe
1748 RegAsm.exe
1748 RegAsm.exe
1748 RegAsm.exe
1644 RegAsm.exe
1064 RegAsm.exe

pid	process
1748	RegAsm.exe
1748	RegAsm.exe
1748	RegAsm.exe
1748	RegAsm.exe
1748	RegAsm.exe
1644	RegAsm.exe
1064	RegAsm.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

BILLPAYM.exeWindows.exeWindows.exe

description	pid	process	target process
PID 1788 set thread context of 1748	1788	BILLPAYM.exe	RegAsm.exe
PID 652 set thread context of 1644	652	Windows.exe	RegAsm.exe
PID 1092 set thread context of 1064	1092	Windows.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1532 schtasks.exe
276 schtasks.exe
1788 schtasks.exe

pid	process
1532	schtasks.exe
276	schtasks.exe
1788	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1748	RegAsm.exe
Token: SeShutdownPrivilege	1748	RegAsm.exe
Token: SeDebugPrivilege	1644	RegAsm.exe
Token: SeShutdownPrivilege	1644	RegAsm.exe
Token: SeDebugPrivilege	1064	RegAsm.exe
Token: SeShutdownPrivilege	1064	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

1748 RegAsm.exe
1748 RegAsm.exe

pid	process
1748	RegAsm.exe
1748	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BILLPAYM.execmd.exetaskeng.exeWindows.execmd.exeWindows.execmd.exe

description	pid	process	target process
PID 1788 wrote to memory of 1628	1788	BILLPAYM.exe	cmd.exe
PID 1788 wrote to memory of 1628	1788	BILLPAYM.exe	cmd.exe
PID 1788 wrote to memory of 1628	1788	BILLPAYM.exe	cmd.exe
PID 1788 wrote to memory of 1628	1788	BILLPAYM.exe	cmd.exe
PID 1788 wrote to memory of 948	1788	BILLPAYM.exe	cmd.exe
PID 1788 wrote to memory of 948	1788	BILLPAYM.exe	cmd.exe
PID 1788 wrote to memory of 948	1788	BILLPAYM.exe	cmd.exe
PID 1788 wrote to memory of 948	1788	BILLPAYM.exe	cmd.exe
PID 1628 wrote to memory of 1532	1628	cmd.exe	schtasks.exe
PID 1628 wrote to memory of 1532	1628	cmd.exe	schtasks.exe
PID 1628 wrote to memory of 1532	1628	cmd.exe	schtasks.exe
PID 1628 wrote to memory of 1532	1628	cmd.exe	schtasks.exe
PID 1788 wrote to memory of 1748	1788	BILLPAYM.exe	RegAsm.exe
PID 1788 wrote to memory of 1748	1788	BILLPAYM.exe	RegAsm.exe
PID 1788 wrote to memory of 1748	1788	BILLPAYM.exe	RegAsm.exe
PID 1788 wrote to memory of 1748	1788	BILLPAYM.exe	RegAsm.exe
PID 1788 wrote to memory of 1748	1788	BILLPAYM.exe	RegAsm.exe
PID 1788 wrote to memory of 1748	1788	BILLPAYM.exe	RegAsm.exe
PID 1788 wrote to memory of 1748	1788	BILLPAYM.exe	RegAsm.exe
PID 1788 wrote to memory of 1748	1788	BILLPAYM.exe	RegAsm.exe
PID 1788 wrote to memory of 1748	1788	BILLPAYM.exe	RegAsm.exe
PID 1788 wrote to memory of 1748	1788	BILLPAYM.exe	RegAsm.exe
PID 1788 wrote to memory of 1748	1788	BILLPAYM.exe	RegAsm.exe
PID 808 wrote to memory of 652	808	taskeng.exe	Windows.exe
PID 808 wrote to memory of 652	808	taskeng.exe	Windows.exe
PID 808 wrote to memory of 652	808	taskeng.exe	Windows.exe
PID 808 wrote to memory of 652	808	taskeng.exe	Windows.exe
PID 652 wrote to memory of 1400	652	Windows.exe	cmd.exe
PID 652 wrote to memory of 1400	652	Windows.exe	cmd.exe
PID 652 wrote to memory of 1400	652	Windows.exe	cmd.exe
PID 652 wrote to memory of 1400	652	Windows.exe	cmd.exe
PID 652 wrote to memory of 1188	652	Windows.exe	cmd.exe
PID 652 wrote to memory of 1188	652	Windows.exe	cmd.exe
PID 652 wrote to memory of 1188	652	Windows.exe	cmd.exe
PID 652 wrote to memory of 1188	652	Windows.exe	cmd.exe
PID 1400 wrote to memory of 276	1400	cmd.exe	schtasks.exe
PID 1400 wrote to memory of 276	1400	cmd.exe	schtasks.exe
PID 1400 wrote to memory of 276	1400	cmd.exe	schtasks.exe
PID 1400 wrote to memory of 276	1400	cmd.exe	schtasks.exe
PID 652 wrote to memory of 1644	652	Windows.exe	RegAsm.exe
PID 652 wrote to memory of 1644	652	Windows.exe	RegAsm.exe
PID 652 wrote to memory of 1644	652	Windows.exe	RegAsm.exe
PID 652 wrote to memory of 1644	652	Windows.exe	RegAsm.exe
PID 652 wrote to memory of 1644	652	Windows.exe	RegAsm.exe
PID 652 wrote to memory of 1644	652	Windows.exe	RegAsm.exe
PID 652 wrote to memory of 1644	652	Windows.exe	RegAsm.exe
PID 652 wrote to memory of 1644	652	Windows.exe	RegAsm.exe
PID 652 wrote to memory of 1644	652	Windows.exe	RegAsm.exe
PID 652 wrote to memory of 1644	652	Windows.exe	RegAsm.exe
PID 652 wrote to memory of 1644	652	Windows.exe	RegAsm.exe
PID 808 wrote to memory of 1092	808	taskeng.exe	Windows.exe
PID 808 wrote to memory of 1092	808	taskeng.exe	Windows.exe
PID 808 wrote to memory of 1092	808	taskeng.exe	Windows.exe
PID 808 wrote to memory of 1092	808	taskeng.exe	Windows.exe
PID 1092 wrote to memory of 1556	1092	Windows.exe	cmd.exe
PID 1092 wrote to memory of 1556	1092	Windows.exe	cmd.exe
PID 1092 wrote to memory of 1556	1092	Windows.exe	cmd.exe
PID 1092 wrote to memory of 1556	1092	Windows.exe	cmd.exe
PID 1092 wrote to memory of 1452	1092	Windows.exe	cmd.exe
PID 1092 wrote to memory of 1452	1092	Windows.exe	cmd.exe
PID 1092 wrote to memory of 1452	1092	Windows.exe	cmd.exe
PID 1092 wrote to memory of 1452	1092	Windows.exe	cmd.exe
PID 1556 wrote to memory of 1788	1556	cmd.exe	schtasks.exe
PID 1556 wrote to memory of 1788	1556	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\BILLPAYM.exe
"C:\Users\Admin\AppData\Local\Temp\BILLPAYM.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1532

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\BILLPAYM.exe" "C:\Users\Admin\AppData\Roaming\Windows.exe"
2⤵
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1748

C:\Windows\system32\taskeng.exe
taskeng.exe {C336E429-4AB5-4BC0-B915-D97DAE9FA75A} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
4⤵
- Creates scheduled task(s)
PID:276

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\Windows.exe" "C:\Users\Admin\AppData\Roaming\Windows.exe"
3⤵
PID:1188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1788

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\Windows.exe" "C:\Users\Admin\AppData\Roaming\Windows.exe"
3⤵
PID:1452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows.exe

Filesize
300.0MB

MD5
41d8a777ddc40a009a046f88900c0b80

SHA1
25dfd72ffe79eb5884d27fead86f4886bed638de

SHA256
e6844a84f9210b5803147c158c841404331177bf409dab05fecb3b3303d50347

SHA512
e75f3bfc85ed1def013474d61d5ee936ce36f499e0e111a7a1264180b7c7cc0b9a35469c35549e14c5efccc105db509aa5935152aab4e028b038e12b126f4514

Download Submit
C:\Users\Admin\AppData\Roaming\Windows.exe

Filesize
300.0MB

MD5
41d8a777ddc40a009a046f88900c0b80

SHA1
25dfd72ffe79eb5884d27fead86f4886bed638de

SHA256
e6844a84f9210b5803147c158c841404331177bf409dab05fecb3b3303d50347

SHA512
e75f3bfc85ed1def013474d61d5ee936ce36f499e0e111a7a1264180b7c7cc0b9a35469c35549e14c5efccc105db509aa5935152aab4e028b038e12b126f4514

Download Submit
C:\Users\Admin\AppData\Roaming\Windows.exe

Filesize
300.0MB

MD5
41d8a777ddc40a009a046f88900c0b80

SHA1
25dfd72ffe79eb5884d27fead86f4886bed638de

SHA256
e6844a84f9210b5803147c158c841404331177bf409dab05fecb3b3303d50347

SHA512
e75f3bfc85ed1def013474d61d5ee936ce36f499e0e111a7a1264180b7c7cc0b9a35469c35549e14c5efccc105db509aa5935152aab4e028b038e12b126f4514

Download Submit
memory/276-84-0x0000000000000000-mapping.dmp

Download
memory/652-78-0x0000000000000000-mapping.dmp

Download
memory/652-80-0x0000000000170000-0x0000000000346000-memory.dmp

Filesize
1.8MB

Download
memory/948-57-0x0000000000000000-mapping.dmp

Download
memory/1064-111-0x00000000007E2730-mapping.dmp

Download
memory/1064-107-0x0000000000742000-0x00000000008B3000-memory.dmp

Filesize
1.4MB

Download
memory/1064-112-0x00000000004D0000-0x00000000008B4000-memory.dmp

Filesize
3.9MB

Download
memory/1064-113-0x00000000004D0000-0x00000000008B4000-memory.dmp

Filesize
3.9MB

Download
memory/1064-116-0x00000000004D0000-0x00000000008B4000-memory.dmp

Filesize
3.9MB

Download
memory/1064-118-0x00000000004D0000-0x00000000008B4000-memory.dmp

Filesize
3.9MB

Download
memory/1064-119-0x00000000004D0000-0x00000000008B4000-memory.dmp

Filesize
3.9MB

Download
memory/1092-99-0x0000000000000000-mapping.dmp

Download
memory/1092-101-0x0000000001120000-0x00000000012F6000-memory.dmp

Filesize
1.8MB

Download
memory/1188-83-0x0000000000000000-mapping.dmp

Download
memory/1400-82-0x0000000000000000-mapping.dmp

Download
memory/1452-104-0x0000000000000000-mapping.dmp

Download
memory/1532-58-0x0000000000000000-mapping.dmp

Download
memory/1556-103-0x0000000000000000-mapping.dmp

Download
memory/1628-56-0x0000000000000000-mapping.dmp

Download
memory/1644-98-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1644-97-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1644-90-0x00000000007E2730-mapping.dmp

Download
memory/1748-69-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1748-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1748-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1748-72-0x00000000000B0000-0x00000000000BA000-memory.dmp

Filesize
40KB

Download
memory/1748-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1748-73-0x00000000000B0000-0x00000000000BA000-memory.dmp

Filesize
40KB

Download
memory/1748-64-0x00000000007E2730-mapping.dmp

Download
memory/1748-71-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1748-76-0x00000000000B0000-0x00000000000BA000-memory.dmp

Filesize
40KB

Download
memory/1748-75-0x00000000000B0000-0x00000000000BA000-memory.dmp

Filesize
40KB

Download
memory/1748-74-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1748-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1748-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1748-65-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1748-59-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1788-105-0x0000000000000000-mapping.dmp

Download
memory/1788-54-0x00000000010F0000-0x00000000012C6000-memory.dmp

Filesize
1.8MB

Download
memory/1788-55-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads