bitrat | 954040312a1428eb46018d927bd9f453c6df97e3f1509cf23d89a10662ef3d2e

General

Target

xcfgsfaa.exe
Size

1.5MB
MD5

45fd8c84b44a20b4188de744bdf0a3f8
SHA1

37a13e9a7d5af87b82e55630fe78a8e12059dad5
SHA256

59f62f44fbd11163cb3eeb68f2b4606130dd8a01f569624ee4e4c50691c94391
SHA512

70e3fb0696ad94a98bef78b3fb5d8267596032eb5345b160a0820977e5a8988a382da01ff1b4eb140ac9e319f2dcf0ca7978bbb61b78880c9de5741a49fcddcf
SSDEEP

24576:Q4z87j9s0ML+6lvQ0QGTr8ZtkYa5yVke+MomAstHC7w3H79RBWKP:QvfWbLd7Y75+MomAstHC7wr5W

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

185.174.40.147:5200

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 1 IoCs

Processes:

rfmfm.exe

pid process

1480 rfmfm.exe

pid	process
1480	rfmfm.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/556-60-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/556-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/556-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/556-65-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/556-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/556-67-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/556-68-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/556-72-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

vbc.exe

pid process

556 vbc.exe
556 vbc.exe
556 vbc.exe
556 vbc.exe
556 vbc.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

xcfgsfaa.exerfmfm.exe

description pid process target process

PID 1064 set thread context of 556 1064 xcfgsfaa.exe vbc.exe
PID 1480 set thread context of 1564 1480 rfmfm.exe vbc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

268 schtasks.exe
1264 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 556 vbc.exe
Token: SeShutdownPrivilege 556 vbc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vbc.exe

pid process

556 vbc.exe
556 vbc.exe

pid	process
556	vbc.exe
556	vbc.exe
556	vbc.exe
556	vbc.exe
556	vbc.exe

description	pid	process	target process
PID 1064 set thread context of 556	1064	xcfgsfaa.exe	vbc.exe
PID 1480 set thread context of 1564	1480	rfmfm.exe	vbc.exe

pid	process
268	schtasks.exe
1264	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	556	vbc.exe
Token: SeShutdownPrivilege	556	vbc.exe

pid	process
556	vbc.exe
556	vbc.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

xcfgsfaa.execmd.exetaskeng.exerfmfm.execmd.exe

description	pid	process	target process
PID 1064 wrote to memory of 1640	1064	xcfgsfaa.exe	cmd.exe
PID 1064 wrote to memory of 1640	1064	xcfgsfaa.exe	cmd.exe
PID 1064 wrote to memory of 1640	1064	xcfgsfaa.exe	cmd.exe
PID 1064 wrote to memory of 1640	1064	xcfgsfaa.exe	cmd.exe
PID 1064 wrote to memory of 1636	1064	xcfgsfaa.exe	cmd.exe
PID 1064 wrote to memory of 1636	1064	xcfgsfaa.exe	cmd.exe
PID 1064 wrote to memory of 1636	1064	xcfgsfaa.exe	cmd.exe
PID 1064 wrote to memory of 1636	1064	xcfgsfaa.exe	cmd.exe
PID 1640 wrote to memory of 268	1640	cmd.exe	schtasks.exe
PID 1640 wrote to memory of 268	1640	cmd.exe	schtasks.exe
PID 1640 wrote to memory of 268	1640	cmd.exe	schtasks.exe
PID 1640 wrote to memory of 268	1640	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 556	1064	xcfgsfaa.exe	vbc.exe
PID 1064 wrote to memory of 556	1064	xcfgsfaa.exe	vbc.exe
PID 1064 wrote to memory of 556	1064	xcfgsfaa.exe	vbc.exe
PID 1064 wrote to memory of 556	1064	xcfgsfaa.exe	vbc.exe
PID 1064 wrote to memory of 556	1064	xcfgsfaa.exe	vbc.exe
PID 1064 wrote to memory of 556	1064	xcfgsfaa.exe	vbc.exe
PID 1064 wrote to memory of 556	1064	xcfgsfaa.exe	vbc.exe
PID 1064 wrote to memory of 556	1064	xcfgsfaa.exe	vbc.exe
PID 2008 wrote to memory of 1480	2008	taskeng.exe	rfmfm.exe
PID 2008 wrote to memory of 1480	2008	taskeng.exe	rfmfm.exe
PID 2008 wrote to memory of 1480	2008	taskeng.exe	rfmfm.exe
PID 2008 wrote to memory of 1480	2008	taskeng.exe	rfmfm.exe
PID 1480 wrote to memory of 2028	1480	rfmfm.exe	cmd.exe
PID 1480 wrote to memory of 2028	1480	rfmfm.exe	cmd.exe
PID 1480 wrote to memory of 2028	1480	rfmfm.exe	cmd.exe
PID 1480 wrote to memory of 2028	1480	rfmfm.exe	cmd.exe
PID 1480 wrote to memory of 1280	1480	rfmfm.exe	cmd.exe
PID 1480 wrote to memory of 1280	1480	rfmfm.exe	cmd.exe
PID 1480 wrote to memory of 1280	1480	rfmfm.exe	cmd.exe
PID 1480 wrote to memory of 1280	1480	rfmfm.exe	cmd.exe
PID 2028 wrote to memory of 1264	2028	cmd.exe	schtasks.exe
PID 2028 wrote to memory of 1264	2028	cmd.exe	schtasks.exe
PID 2028 wrote to memory of 1264	2028	cmd.exe	schtasks.exe
PID 2028 wrote to memory of 1264	2028	cmd.exe	schtasks.exe
PID 1480 wrote to memory of 1564	1480	rfmfm.exe	vbc.exe
PID 1480 wrote to memory of 1564	1480	rfmfm.exe	vbc.exe
PID 1480 wrote to memory of 1564	1480	rfmfm.exe	vbc.exe
PID 1480 wrote to memory of 1564	1480	rfmfm.exe	vbc.exe
PID 1480 wrote to memory of 1564	1480	rfmfm.exe	vbc.exe
PID 1480 wrote to memory of 1564	1480	rfmfm.exe	vbc.exe
PID 1480 wrote to memory of 1564	1480	rfmfm.exe	vbc.exe
PID 1480 wrote to memory of 1564	1480	rfmfm.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\xcfgsfaa.exe
"C:\Users\Admin\AppData\Local\Temp\xcfgsfaa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\rfmfm.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\rfmfm.exe'" /f
3⤵
- Creates scheduled task(s)
PID:268

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\xcfgsfaa.exe" "C:\Users\Admin\AppData\Roaming\rfmfm.exe"
2⤵
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:556

C:\Windows\system32\taskeng.exe
taskeng.exe {06BD4C29-73DB-4B59-A108-08F6F3EAA9D6} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Roaming\rfmfm.exe
C:\Users\Admin\AppData\Roaming\rfmfm.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\rfmfm.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\rfmfm.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1264

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\rfmfm.exe" "C:\Users\Admin\AppData\Roaming\rfmfm.exe"
3⤵
PID:1280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\rfmfm.exe
Filesize
1.5MB

MD5
45fd8c84b44a20b4188de744bdf0a3f8

SHA1
37a13e9a7d5af87b82e55630fe78a8e12059dad5

SHA256
59f62f44fbd11163cb3eeb68f2b4606130dd8a01f569624ee4e4c50691c94391

SHA512
70e3fb0696ad94a98bef78b3fb5d8267596032eb5345b160a0820977e5a8988a382da01ff1b4eb140ac9e319f2dcf0ca7978bbb61b78880c9de5741a49fcddcf

Download Submit
C:\Users\Admin\AppData\Roaming\rfmfm.exe
Filesize
1.5MB

MD5
45fd8c84b44a20b4188de744bdf0a3f8

SHA1
37a13e9a7d5af87b82e55630fe78a8e12059dad5

SHA256
59f62f44fbd11163cb3eeb68f2b4606130dd8a01f569624ee4e4c50691c94391

SHA512
70e3fb0696ad94a98bef78b3fb5d8267596032eb5345b160a0820977e5a8988a382da01ff1b4eb140ac9e319f2dcf0ca7978bbb61b78880c9de5741a49fcddcf

Download Submit
memory/268-58-0x0000000000000000-mapping.dmp

Download
memory/556-67-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/556-70-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/556-59-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/556-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/556-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/556-64-0x00000000007E2730-mapping.dmp

Download
memory/556-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/556-65-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/556-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/556-74-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/556-68-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/556-73-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/556-71-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/556-72-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1064-54-0x00000000001D0000-0x000000000035A000-memory.dmp

Filesize
1.5MB

Download
memory/1064-55-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1264-82-0x0000000000000000-mapping.dmp

Download
memory/1280-81-0x0000000000000000-mapping.dmp

Download
memory/1480-76-0x0000000000000000-mapping.dmp

Download
memory/1480-78-0x0000000000200000-0x000000000038A000-memory.dmp

Filesize
1.5MB

Download
memory/1564-88-0x00000000007E2730-mapping.dmp

Download
memory/1636-57-0x0000000000000000-mapping.dmp

Download
memory/1640-56-0x0000000000000000-mapping.dmp

Download
memory/2028-80-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads