bitrat | ddd8dd0b708e17bc9e76db79925f69b12259ae08b5a1e812a5abc4bdc38e8c3d

General

Target

43_85_73_parsed.exe
Size

3.0MB
MD5

bd22be1e69a4239d389fe343129eb48d
SHA1

4bff5aac0df64899f90172ab1af8783881d3d0d9
SHA256

ddd8dd0b708e17bc9e76db79925f69b12259ae08b5a1e812a5abc4bdc38e8c3d
SHA512

603c8c2986f07c214d6b88ce95fcd34dcb71970adb288db981bb073d774537b34d23dcd80a718d639838d350f39de09fee0459b88fdad3d7fdfbba24a7710899
SSDEEP

49152:sOQ2JptNdkDY3CZHqmwDpu2qNd6T4o427WJUf8gZaDTl4i44A1eSAiEHk1VYZPrE:sCTNdfCZKmsqcT4sCi8gZW5iR1bggSZQ

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitone9090.duckdns.org:9090

bit9090.duckdns.org:9090

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 2 IoCs

Processes:

nbittt9090.exehygt.exe

pid process

1756 nbittt9090.exe
1080 hygt.exe

pid	process
1756	nbittt9090.exe
1080	hygt.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/268-60-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/268-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/268-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/268-65-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/268-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/268-67-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\nbittt9090.exe	upx
\Users\Admin\AppData\Local\Temp\nbittt9090.exe	upx
C:\Users\Admin\AppData\Local\Temp\nbittt9090.exe	upx
behavioral1/memory/268-74-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1756-75-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\nbittt9090.exe	upx
behavioral1/memory/268-81-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1756-82-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1756-85-0x00000000002C0000-0x00000000002CA000-memory.dmp	upx
behavioral1/memory/520-104-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/520-105-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

43_85_73_parsed.exe

pid process

2024 43_85_73_parsed.exe
2024 43_85_73_parsed.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2024	43_85_73_parsed.exe
2024	43_85_73_parsed.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

Processes:

vbc.exenbittt9090.exevbc.exe

pid	process
268	vbc.exe
268	vbc.exe
268	vbc.exe
268	vbc.exe
268	vbc.exe
1756	nbittt9090.exe
1756	nbittt9090.exe
1756	nbittt9090.exe
1756	nbittt9090.exe
1756	nbittt9090.exe
520	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

43_85_73_parsed.exehygt.exe

description	pid	process	target process
PID 2024 set thread context of 268	2024	43_85_73_parsed.exe	vbc.exe
PID 1080 set thread context of 520	1080	hygt.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

580 schtasks.exe
468 schtasks.exe

pid	process
580	schtasks.exe
468	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

vbc.exenbittt9090.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	268	vbc.exe
Token: SeShutdownPrivilege	268	vbc.exe
Token: SeDebugPrivilege	1756	nbittt9090.exe
Token: SeShutdownPrivilege	1756	nbittt9090.exe
Token: SeDebugPrivilege	520	vbc.exe
Token: SeShutdownPrivilege	520	vbc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

vbc.exenbittt9090.exe

pid process

268 vbc.exe
268 vbc.exe
1756 nbittt9090.exe
1756 nbittt9090.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

43_85_73_parsed.execmd.exetaskeng.exehygt.execmd.exe

description	pid	process	target process
PID 2024 wrote to memory of 900	2024	43_85_73_parsed.exe	cmd.exe
PID 2024 wrote to memory of 900	2024	43_85_73_parsed.exe	cmd.exe
PID 2024 wrote to memory of 900	2024	43_85_73_parsed.exe	cmd.exe
PID 2024 wrote to memory of 900	2024	43_85_73_parsed.exe	cmd.exe
PID 900 wrote to memory of 580	900	cmd.exe	schtasks.exe
PID 900 wrote to memory of 580	900	cmd.exe	schtasks.exe
PID 900 wrote to memory of 580	900	cmd.exe	schtasks.exe
PID 900 wrote to memory of 580	900	cmd.exe	schtasks.exe
PID 2024 wrote to memory of 1688	2024	43_85_73_parsed.exe	cmd.exe
PID 2024 wrote to memory of 1688	2024	43_85_73_parsed.exe	cmd.exe
PID 2024 wrote to memory of 1688	2024	43_85_73_parsed.exe	cmd.exe
PID 2024 wrote to memory of 1688	2024	43_85_73_parsed.exe	cmd.exe
PID 2024 wrote to memory of 268	2024	43_85_73_parsed.exe	vbc.exe
PID 2024 wrote to memory of 268	2024	43_85_73_parsed.exe	vbc.exe
PID 2024 wrote to memory of 268	2024	43_85_73_parsed.exe	vbc.exe
PID 2024 wrote to memory of 268	2024	43_85_73_parsed.exe	vbc.exe
PID 2024 wrote to memory of 268	2024	43_85_73_parsed.exe	vbc.exe
PID 2024 wrote to memory of 268	2024	43_85_73_parsed.exe	vbc.exe
PID 2024 wrote to memory of 268	2024	43_85_73_parsed.exe	vbc.exe
PID 2024 wrote to memory of 268	2024	43_85_73_parsed.exe	vbc.exe
PID 2024 wrote to memory of 1756	2024	43_85_73_parsed.exe	nbittt9090.exe
PID 2024 wrote to memory of 1756	2024	43_85_73_parsed.exe	nbittt9090.exe
PID 2024 wrote to memory of 1756	2024	43_85_73_parsed.exe	nbittt9090.exe
PID 2024 wrote to memory of 1756	2024	43_85_73_parsed.exe	nbittt9090.exe
PID 1280 wrote to memory of 1080	1280	taskeng.exe	hygt.exe
PID 1280 wrote to memory of 1080	1280	taskeng.exe	hygt.exe
PID 1280 wrote to memory of 1080	1280	taskeng.exe	hygt.exe
PID 1280 wrote to memory of 1080	1280	taskeng.exe	hygt.exe
PID 1080 wrote to memory of 1372	1080	hygt.exe	cmd.exe
PID 1080 wrote to memory of 1372	1080	hygt.exe	cmd.exe
PID 1080 wrote to memory of 1372	1080	hygt.exe	cmd.exe
PID 1080 wrote to memory of 1372	1080	hygt.exe	cmd.exe
PID 1080 wrote to memory of 1684	1080	hygt.exe	cmd.exe
PID 1080 wrote to memory of 1684	1080	hygt.exe	cmd.exe
PID 1080 wrote to memory of 1684	1080	hygt.exe	cmd.exe
PID 1080 wrote to memory of 1684	1080	hygt.exe	cmd.exe
PID 1372 wrote to memory of 468	1372	cmd.exe	schtasks.exe
PID 1372 wrote to memory of 468	1372	cmd.exe	schtasks.exe
PID 1372 wrote to memory of 468	1372	cmd.exe	schtasks.exe
PID 1372 wrote to memory of 468	1372	cmd.exe	schtasks.exe
PID 1080 wrote to memory of 520	1080	hygt.exe	vbc.exe
PID 1080 wrote to memory of 520	1080	hygt.exe	vbc.exe
PID 1080 wrote to memory of 520	1080	hygt.exe	vbc.exe
PID 1080 wrote to memory of 520	1080	hygt.exe	vbc.exe
PID 1080 wrote to memory of 520	1080	hygt.exe	vbc.exe
PID 1080 wrote to memory of 520	1080	hygt.exe	vbc.exe
PID 1080 wrote to memory of 520	1080	hygt.exe	vbc.exe
PID 1080 wrote to memory of 520	1080	hygt.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\43_85_73_parsed.exe
"C:\Users\Admin\AppData\Local\Temp\43_85_73_parsed.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hygt.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hygt.exe'" /f
3⤵
- Creates scheduled task(s)
PID:580

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\43_85_73_parsed.exe" "C:\Users\Admin\AppData\Roaming\hygt.exe"
2⤵
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:268

C:\Users\Admin\AppData\Local\Temp\nbittt9090.exe
"C:\Users\Admin\AppData\Local\Temp\nbittt9090.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1756

C:\Windows\system32\taskeng.exe
taskeng.exe {2A25933A-3EC9-4124-BDBC-7AAF0557874B} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Roaming\hygt.exe
C:\Users\Admin\AppData\Roaming\hygt.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hygt.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hygt.exe'" /f
4⤵
- Creates scheduled task(s)
PID:468

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\hygt.exe" "C:\Users\Admin\AppData\Roaming\hygt.exe"
3⤵
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nbittt9090.exe

Filesize
1.4MB

MD5
d2d601c4f27a42233076ebc6e05f07f0

SHA1
5a0b561f883b88ca3d4d9bdba5143f103ea83d14

SHA256
dc9fcc38f0fad625bdd15fa418178cbcd8783e8c66bccf1bd300ead64c9e05eb

SHA512
f28db947332f2151de3a7b24101788afaeb3a00a63221dd20b745bd4ffe1ca495c6a4ac148ff8925635b720ae7c8bc586ab697622097a78a0e2588aa9d70b077

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbittt9090.exe

Filesize
1.4MB

MD5
d2d601c4f27a42233076ebc6e05f07f0

SHA1
5a0b561f883b88ca3d4d9bdba5143f103ea83d14

SHA256
dc9fcc38f0fad625bdd15fa418178cbcd8783e8c66bccf1bd300ead64c9e05eb

SHA512
f28db947332f2151de3a7b24101788afaeb3a00a63221dd20b745bd4ffe1ca495c6a4ac148ff8925635b720ae7c8bc586ab697622097a78a0e2588aa9d70b077

Download Submit
C:\Users\Admin\AppData\Roaming\hygt.exe

Filesize
3.0MB

MD5
bd22be1e69a4239d389fe343129eb48d

SHA1
4bff5aac0df64899f90172ab1af8783881d3d0d9

SHA256
ddd8dd0b708e17bc9e76db79925f69b12259ae08b5a1e812a5abc4bdc38e8c3d

SHA512
603c8c2986f07c214d6b88ce95fcd34dcb71970adb288db981bb073d774537b34d23dcd80a718d639838d350f39de09fee0459b88fdad3d7fdfbba24a7710899

Download Submit
C:\Users\Admin\AppData\Roaming\hygt.exe

Filesize
3.0MB

MD5
bd22be1e69a4239d389fe343129eb48d

SHA1
4bff5aac0df64899f90172ab1af8783881d3d0d9

SHA256
ddd8dd0b708e17bc9e76db79925f69b12259ae08b5a1e812a5abc4bdc38e8c3d

SHA512
603c8c2986f07c214d6b88ce95fcd34dcb71970adb288db981bb073d774537b34d23dcd80a718d639838d350f39de09fee0459b88fdad3d7fdfbba24a7710899

Download Submit
\Users\Admin\AppData\Local\Temp\nbittt9090.exe

Filesize
1.4MB

MD5
d2d601c4f27a42233076ebc6e05f07f0

SHA1
5a0b561f883b88ca3d4d9bdba5143f103ea83d14

SHA256
dc9fcc38f0fad625bdd15fa418178cbcd8783e8c66bccf1bd300ead64c9e05eb

SHA512
f28db947332f2151de3a7b24101788afaeb3a00a63221dd20b745bd4ffe1ca495c6a4ac148ff8925635b720ae7c8bc586ab697622097a78a0e2588aa9d70b077

Download Submit
\Users\Admin\AppData\Local\Temp\nbittt9090.exe

Filesize
1.4MB

MD5
d2d601c4f27a42233076ebc6e05f07f0

SHA1
5a0b561f883b88ca3d4d9bdba5143f103ea83d14

SHA256
dc9fcc38f0fad625bdd15fa418178cbcd8783e8c66bccf1bd300ead64c9e05eb

SHA512
f28db947332f2151de3a7b24101788afaeb3a00a63221dd20b745bd4ffe1ca495c6a4ac148ff8925635b720ae7c8bc586ab697622097a78a0e2588aa9d70b077

Download Submit
memory/268-84-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/268-59-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/268-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/268-64-0x00000000007E2730-mapping.dmp

Download
memory/268-65-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/268-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/268-67-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/268-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/268-81-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/268-83-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/268-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/268-74-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/268-78-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/268-77-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/468-93-0x0000000000000000-mapping.dmp

Download
memory/520-99-0x00000000007E2730-mapping.dmp

Download
memory/520-104-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/520-105-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/580-57-0x0000000000000000-mapping.dmp

Download
memory/900-56-0x0000000000000000-mapping.dmp

Download
memory/1080-87-0x0000000000000000-mapping.dmp

Download
memory/1080-89-0x0000000000170000-0x000000000046C000-memory.dmp

Filesize
3.0MB

Download
memory/1372-91-0x0000000000000000-mapping.dmp

Download
memory/1684-92-0x0000000000000000-mapping.dmp

Download
memory/1688-58-0x0000000000000000-mapping.dmp

Download
memory/1756-85-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/1756-82-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1756-80-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/1756-79-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/1756-75-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1756-70-0x0000000000000000-mapping.dmp

Download
memory/2024-54-0x0000000000CE0000-0x0000000000FDC000-memory.dmp

Filesize
3.0MB

Download
memory/2024-55-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads