bitrat | 9d5e19acb918040dcf79ccff74833262fb19f5460f51587d265210374f6f1884

General

Target

NAMUJS_ETRANSFER_RECEIPT.exe
Size

300.0MB
MD5

aa16895db009a8b646bb9c51f9b51c58
SHA1

014b372bc0620fb1173679abb7c189d0464ce208
SHA256

72656944adc7c9dabbc263d8a1c7f79ff6d0b6a3b06a11f88b741977c5e4f751
SHA512

4411e718c124059044ab7fbe54f3fefa76c9d5cd2263c4214c70a498d681f87f2804aef0e8c94b630fadf9470d5e804702349ab21fafa512a368d90424d8e29b
SSDEEP

24576:GzEo/IReVjVaXcqqza/KkJVWpcpr8lCGyi2FBGbZLipIjJ7Fb5DIoN3EtO:GziCYXKzyKkJM8r8lXyEGpIjJ73jtEt

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 1 IoCs

Processes:

olkij.exe

pid process

1796 olkij.exe

pid	process
1796	olkij.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3632-138-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3632-140-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3632-139-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3632-141-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3632-142-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3632-146-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

RegAsm.exe

pid process

3632 RegAsm.exe
3632 RegAsm.exe
3632 RegAsm.exe
3632 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

NAMUJS_ETRANSFER_RECEIPT.exe

description pid process target process

PID 3060 set thread context of 3632 3060 NAMUJS_ETRANSFER_RECEIPT.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2160 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeShutdownPrivilege 3632 RegAsm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

3632 RegAsm.exe
3632 RegAsm.exe

pid	process
3632	RegAsm.exe
3632	RegAsm.exe
3632	RegAsm.exe
3632	RegAsm.exe

description	pid	process	target process
PID 3060 set thread context of 3632	3060	NAMUJS_ETRANSFER_RECEIPT.exe	RegAsm.exe

pid	process
2160	schtasks.exe

description	pid	process
Token: SeShutdownPrivilege	3632	RegAsm.exe

pid	process
3632	RegAsm.exe
3632	RegAsm.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

NAMUJS_ETRANSFER_RECEIPT.execmd.exe

description	pid	process	target process
PID 3060 wrote to memory of 100	3060	NAMUJS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 3060 wrote to memory of 100	3060	NAMUJS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 3060 wrote to memory of 100	3060	NAMUJS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 3060 wrote to memory of 4360	3060	NAMUJS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 3060 wrote to memory of 4360	3060	NAMUJS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 3060 wrote to memory of 4360	3060	NAMUJS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 100 wrote to memory of 2160	100	cmd.exe	schtasks.exe
PID 100 wrote to memory of 2160	100	cmd.exe	schtasks.exe
PID 100 wrote to memory of 2160	100	cmd.exe	schtasks.exe
PID 3060 wrote to memory of 3632	3060	NAMUJS_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 3060 wrote to memory of 3632	3060	NAMUJS_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 3060 wrote to memory of 3632	3060	NAMUJS_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 3060 wrote to memory of 3632	3060	NAMUJS_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 3060 wrote to memory of 3632	3060	NAMUJS_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 3060 wrote to memory of 3632	3060	NAMUJS_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 3060 wrote to memory of 3632	3060	NAMUJS_ETRANSFER_RECEIPT.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\NAMUJS_ETRANSFER_RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\NAMUJS_ETRANSFER_RECEIPT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Local\Temp\olkij.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:100

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Local\Temp\olkij.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2160

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\NAMUJS_ETRANSFER_RECEIPT.exe" "C:\Users\Admin\AppData\Local\Temp\olkij.exe"
2⤵
PID:4360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3632

C:\Users\Admin\AppData\Local\Temp\olkij.exe
C:\Users\Admin\AppData\Local\Temp\olkij.exe
1⤵
- Executes dropped EXE
PID:1796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\olkij.exe

Filesize
181.5MB

MD5
a09a01b8cd91bd6d10f14fb159fcbcd7

SHA1
4e4934a29acece461f9b3d0db46c3b54482cb4ab

SHA256
5ccc5cc643e5f43bb66ee7e6f1381ce264a18795de3f1a865b93c7d49054feac

SHA512
24f453d2e0b5c001e4d8cb02f484958d26335b83a6bb7d17e2fe4397743463d4c253db91907bb6aa9a1bffb04445c5acb189e3f8781ae360310c912713f267cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\olkij.exe

Filesize
183.2MB

MD5
111358be8f76c390e14ba0c6dcd47eb5

SHA1
96a0709eecce93c41ca8cb9748940b6d39a3499e

SHA256
ae9bf7aa2f837bc18db280c65954667e647c8d84c8b68594cbf732c0d8283b0e

SHA512
a880ad6c2854e0f0fbed2c6bd6d8f4516e7871a66fcd4ab4b2bd07f60d3751ef69e3a72125d2b9b3275ecc05b1cdf4d866980e865048ea11f1c543f905b39ecd

Download Submit
memory/100-134-0x0000000000000000-mapping.dmp

Download
memory/2160-136-0x0000000000000000-mapping.dmp

Download
memory/3060-132-0x00000000003D0000-0x000000000055A000-memory.dmp

Filesize
1.5MB

Download
memory/3060-133-0x0000000005620000-0x0000000005BC4000-memory.dmp

Filesize
5.6MB

Download
memory/3632-139-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3632-140-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3632-138-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3632-141-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3632-142-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3632-143-0x0000000075130000-0x0000000075169000-memory.dmp

Filesize
228KB

Download
memory/3632-144-0x00000000754D0000-0x0000000075509000-memory.dmp

Filesize
228KB

Download
memory/3632-145-0x00000000754D0000-0x0000000075509000-memory.dmp

Filesize
228KB

Download
memory/3632-146-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3632-147-0x00000000754D0000-0x0000000075509000-memory.dmp

Filesize
228KB

Download
memory/3632-137-0x0000000000000000-mapping.dmp

Download
memory/3632-150-0x0000000075210000-0x0000000075249000-memory.dmp

Filesize
228KB

Download
memory/4360-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads