bitrat | 0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4

General

Target

0x00060000000149b7-76.exe
Size

3.8MB
MD5

d208502b720a4c00ae55379a1adff4fe
SHA1

e2c71e9ba414e0070992a9d31e73c9203b48e876
SHA256

0872edd378b3fe1c0f7f5754b8716306291632836040f888bdf1ef87e4d512b4
SHA512

a3295a755d0134246ce726a17b332ab844c4e54a0ac1c30c5ee24d17f20319422bfb1d20a22a8c70cb4b88e3758ae47ca6a1ae40d7d80819b0f3aab922a65363
SSDEEP

98304:t77Pmq33rE/JDLPWZADUGer7B6iY74M/2mlwXVZaFB:J+R/eZADUXR

Score

10^/10

bitrat aspackv2 persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

anubisgod.duckdns.org:1440

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
spottifyy
install_file
spottifyy.exe
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

WgUvKD.exe

pid process

864 WgUvKD.exe
Loads dropped DLL 2 IoCs

Processes:

0x00060000000149b7-76.exe

pid process

1504 0x00060000000149b7-76.exe
1504 0x00060000000149b7-76.exe

pid	process
864	WgUvKD.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0x00060000000149b7-76.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\spottifyy = "C:\\Users\\Admin\\AppData\\Local\\spottifyy\\spottifyy.exe"	0x00060000000149b7-76.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

0x00060000000149b7-76.exe

pid	process
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe

Drops file in Program Files directory 64 IoCs

Processes:

WgUvKD.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{BC26E81A-F128-4782-8D2F-D77BD62CE0C4}\chrome_installer.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Windows Journal\PDIALOG.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE	WgUvKD.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\WinMail.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\Chess.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	WgUvKD.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\misc.exe	WgUvKD.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	WgUvKD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: RenamesItself 26 IoCs

Processes:

0x00060000000149b7-76.exe

pid	process
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe
1504	0x00060000000149b7-76.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0x00060000000149b7-76.exe

description pid process

Token: SeDebugPrivilege 1504 0x00060000000149b7-76.exe
Token: SeShutdownPrivilege 1504 0x00060000000149b7-76.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

0x00060000000149b7-76.exe

pid process

1504 0x00060000000149b7-76.exe
1504 0x00060000000149b7-76.exe

description	pid	process
Token: SeDebugPrivilege	1504	0x00060000000149b7-76.exe
Token: SeShutdownPrivilege	1504	0x00060000000149b7-76.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0x00060000000149b7-76.exeWgUvKD.exe

description	pid	process	target process
PID 1504 wrote to memory of 864	1504	0x00060000000149b7-76.exe	WgUvKD.exe
PID 1504 wrote to memory of 864	1504	0x00060000000149b7-76.exe	WgUvKD.exe
PID 1504 wrote to memory of 864	1504	0x00060000000149b7-76.exe	WgUvKD.exe
PID 1504 wrote to memory of 864	1504	0x00060000000149b7-76.exe	WgUvKD.exe
PID 864 wrote to memory of 364	864	WgUvKD.exe	cmd.exe
PID 864 wrote to memory of 364	864	WgUvKD.exe	cmd.exe
PID 864 wrote to memory of 364	864	WgUvKD.exe	cmd.exe
PID 864 wrote to memory of 364	864	WgUvKD.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0x00060000000149b7-76.exe
"C:\Users\Admin\AppData\Local\Temp\0x00060000000149b7-76.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\14e05dcd.bat" "
3⤵
PID:364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\14e05dcd.bat
Filesize
187B

MD5
21e1dda0cae016de4d6e58ace7b84097

SHA1
082fb77a16a82f1a795a0b7e3838803eacc06a34

SHA256
aba08861fd90f254a229907b004c9aa1404ff62935f73baaca3c16014f364d55

SHA512
ea9a1e8dd28c6003da5898e7c46477c1d8f73530a5e217817c741981cfeb89baad8d6c70d31f2d7185d9603d3d4ce3c3d6dcd95b4356c0e705ab26f7a8e7efcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgUvKD.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Local\Temp\WgUvKD.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
\Users\Admin\AppData\Local\Temp\WgUvKD.exe
Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
memory/364-66-0x0000000000000000-mapping.dmp

Download
memory/864-67-0x0000000000E70000-0x0000000000E79000-memory.dmp

Filesize
36KB

Download
memory/864-56-0x0000000000000000-mapping.dmp

Download
memory/864-58-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/864-63-0x0000000000E70000-0x0000000000E79000-memory.dmp

Filesize
36KB

Download
memory/1504-61-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/1504-65-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/1504-64-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/1504-62-0x0000000000E70000-0x0000000000E79000-memory.dmp

Filesize
36KB

Download
memory/1504-69-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads