bitrat | 9d5e19acb918040dcf79ccff74833262fb19f5460f51587d265210374f6f1884

General

Target

NAMUJS_ETRANSFER_RECEIPT.exe
Size

300.0MB
MD5

aa16895db009a8b646bb9c51f9b51c58
SHA1

014b372bc0620fb1173679abb7c189d0464ce208
SHA256

72656944adc7c9dabbc263d8a1c7f79ff6d0b6a3b06a11f88b741977c5e4f751
SHA512

4411e718c124059044ab7fbe54f3fefa76c9d5cd2263c4214c70a498d681f87f2804aef0e8c94b630fadf9470d5e804702349ab21fafa512a368d90424d8e29b
SSDEEP

24576:GzEo/IReVjVaXcqqza/KkJVWpcpr8lCGyi2FBGbZLipIjJ7Fb5DIoN3EtO:GziCYXKzyKkJM8r8lXyEGpIjJ73jtEt

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 1 IoCs

Processes:

olkij.exe

pid process

972 olkij.exe

pid	process
972	olkij.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral5/memory/1444-59-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral5/memory/1444-61-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral5/memory/1444-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral5/memory/1444-64-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral5/memory/1444-65-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral5/memory/1444-68-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral5/memory/1444-69-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral5/memory/1444-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral5/memory/1444-71-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

RegAsm.exe

pid process

1444 RegAsm.exe
1444 RegAsm.exe
1444 RegAsm.exe
1444 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

NAMUJS_ETRANSFER_RECEIPT.exe

description pid process target process

PID 1716 set thread context of 1444 1716 NAMUJS_ETRANSFER_RECEIPT.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1664 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 1444 RegAsm.exe
Token: SeShutdownPrivilege 1444 RegAsm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

1444 RegAsm.exe
1444 RegAsm.exe

pid	process
1444	RegAsm.exe
1444	RegAsm.exe
1444	RegAsm.exe
1444	RegAsm.exe

description	pid	process	target process
PID 1716 set thread context of 1444	1716	NAMUJS_ETRANSFER_RECEIPT.exe	RegAsm.exe

pid	process
1664	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1444	RegAsm.exe
Token: SeShutdownPrivilege	1444	RegAsm.exe

pid	process
1444	RegAsm.exe
1444	RegAsm.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

NAMUJS_ETRANSFER_RECEIPT.execmd.exetaskeng.exe

description	pid	process	target process
PID 1716 wrote to memory of 1368	1716	NAMUJS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1716 wrote to memory of 1368	1716	NAMUJS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1716 wrote to memory of 1368	1716	NAMUJS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1716 wrote to memory of 1368	1716	NAMUJS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1716 wrote to memory of 1528	1716	NAMUJS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1716 wrote to memory of 1528	1716	NAMUJS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1716 wrote to memory of 1528	1716	NAMUJS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1716 wrote to memory of 1528	1716	NAMUJS_ETRANSFER_RECEIPT.exe	cmd.exe
PID 1368 wrote to memory of 1664	1368	cmd.exe	schtasks.exe
PID 1368 wrote to memory of 1664	1368	cmd.exe	schtasks.exe
PID 1368 wrote to memory of 1664	1368	cmd.exe	schtasks.exe
PID 1368 wrote to memory of 1664	1368	cmd.exe	schtasks.exe
PID 1716 wrote to memory of 1444	1716	NAMUJS_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1716 wrote to memory of 1444	1716	NAMUJS_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1716 wrote to memory of 1444	1716	NAMUJS_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1716 wrote to memory of 1444	1716	NAMUJS_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1716 wrote to memory of 1444	1716	NAMUJS_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1716 wrote to memory of 1444	1716	NAMUJS_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1716 wrote to memory of 1444	1716	NAMUJS_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1716 wrote to memory of 1444	1716	NAMUJS_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1716 wrote to memory of 1444	1716	NAMUJS_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1716 wrote to memory of 1444	1716	NAMUJS_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1716 wrote to memory of 1444	1716	NAMUJS_ETRANSFER_RECEIPT.exe	RegAsm.exe
PID 1516 wrote to memory of 972	1516	taskeng.exe	olkij.exe
PID 1516 wrote to memory of 972	1516	taskeng.exe	olkij.exe
PID 1516 wrote to memory of 972	1516	taskeng.exe	olkij.exe
PID 1516 wrote to memory of 972	1516	taskeng.exe	olkij.exe

C:\Users\Admin\AppData\Local\Temp\NAMUJS_ETRANSFER_RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\NAMUJS_ETRANSFER_RECEIPT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Local\Temp\olkij.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Local\Temp\olkij.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1664

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\NAMUJS_ETRANSFER_RECEIPT.exe" "C:\Users\Admin\AppData\Local\Temp\olkij.exe"
2⤵
PID:1528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1444

C:\Windows\system32\taskeng.exe
taskeng.exe {4C751F78-D777-4E41-BB0E-3A33BC38675A} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\olkij.exe
C:\Users\Admin\AppData\Local\Temp\olkij.exe
2⤵
- Executes dropped EXE
PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\olkij.exe

Filesize
211.6MB

MD5
a5e8f7fab135d423675ceea47eb34382

SHA1
7ec24f1490651b26460c977096d83eeafb670346

SHA256
2e3b69d101bf73f9fc30f192a21d36ba1bf50787f6347b7dcd0bee6466ca69c1

SHA512
34b3f41a8727f6cf03c9150106f1c4721f2be67cf884875d9a5cabb5722f11800b24b6982f67121b5f920ac552266043d438423bfae16a22f85b5609f2dd278f

Download Submit
C:\Users\Admin\AppData\Local\Temp\olkij.exe

Filesize
217.8MB

MD5
83889d9766cf41f2799c51bdb8e68092

SHA1
c5acaffee5c67c527976c9f6b13b6835b5f6ef1b

SHA256
8383b402d5dc3e21fa29aa6180bb2ab1f9d38ff8d1ba1fccd3a6fac4c2e42c07

SHA512
ea07074d10f88df1adfcaac2576feb744e449c80c65fadcbe5f35dee2a71a0ab1bcf6b04e70d24d7c8fb0f632acede93fa9f8c3bd86aea6655f6831634128566

Download Submit
memory/972-75-0x0000000000DC0000-0x0000000000F4A000-memory.dmp

Filesize
1.5MB

Download
memory/972-73-0x0000000000000000-mapping.dmp

Download
memory/1368-55-0x0000000000000000-mapping.dmp

Download
memory/1444-65-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1444-68-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1444-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1444-63-0x00000000007E2730-mapping.dmp

Download
memory/1444-64-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1444-58-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1444-66-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1444-61-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1444-69-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1444-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1444-71-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1444-59-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1528-56-0x0000000000000000-mapping.dmp

Download
memory/1664-57-0x0000000000000000-mapping.dmp

Download
memory/1716-54-0x00000000013E0000-0x000000000156A000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads