bitrat | e9e3154e1f71df58e61ade53bb23726927b5c23e8027a452e98b1dbcfafb1ade

General

Target

43_85_73.exe
Size

300.0MB
MD5

8f9d8cc6161e6f0fb40e39d8cc48b041
SHA1

0e97ec09f7e2c4657b088f2089f069c168668a91
SHA256

1c8b09e66801723b6f31af1635a5582cc4445e277bd97bc16890c32378b7264c
SHA512

e48eb929e215095684ca276410bb67f305248ba745443ec6c4eac0ed7704519f35ca7004b8e523533facb5f540a809d1dfbd99061591c44f5fe378d772dc14ef
SSDEEP

196608:sCffCUms3Tei8piR+ZPrUQUUUUUJUUUUUU:1CKSidEPQ

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bit9090.duckdns.org:9090

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 3 IoCs

Processes:

nbittt9090.exehygt.exehygt.exe

pid process

4228 nbittt9090.exe
2356 hygt.exe
4640 hygt.exe

pid	process
4228	nbittt9090.exe
2356	hygt.exe
4640	hygt.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4572-139-0x0000000000B00000-0x0000000000EE4000-memory.dmp	upx
behavioral2/memory/4572-140-0x0000000000B00000-0x0000000000EE4000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\nbittt9090.exe	upx
C:\Users\Admin\AppData\Local\Temp\nbittt9090.exe	upx
behavioral2/memory/4228-144-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4228-149-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1312-155-0x0000000000D00000-0x00000000010E4000-memory.dmp	upx
behavioral2/memory/1312-156-0x0000000000D00000-0x00000000010E4000-memory.dmp	upx
behavioral2/memory/2808-165-0x0000000000800000-0x0000000000BE4000-memory.dmp	upx
behavioral2/memory/2808-166-0x0000000000800000-0x0000000000BE4000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

43_85_73.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	43_85_73.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

nbittt9090.exe

pid process

4228 nbittt9090.exe
4228 nbittt9090.exe
4228 nbittt9090.exe
4228 nbittt9090.exe
4228 nbittt9090.exe
4228 nbittt9090.exe

pid	process
4228	nbittt9090.exe
4228	nbittt9090.exe
4228	nbittt9090.exe
4228	nbittt9090.exe
4228	nbittt9090.exe
4228	nbittt9090.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

43_85_73.exehygt.exehygt.exe

description	pid	process	target process
PID 4760 set thread context of 4572	4760	43_85_73.exe	vbc.exe
PID 2356 set thread context of 1312	2356	hygt.exe	vbc.exe
PID 4640 set thread context of 2808	4640	hygt.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

360 4572 WerFault.exe vbc.exe
2176 1312 WerFault.exe vbc.exe
1572 2808 WerFault.exe vbc.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

728 schtasks.exe
932 schtasks.exe
3448 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nbittt9090.exe

description pid process

Token: SeShutdownPrivilege 4228 nbittt9090.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

nbittt9090.exe

pid process

4228 nbittt9090.exe
4228 nbittt9090.exe

pid	pid_target	process	target process
360	4572	WerFault.exe	vbc.exe
2176	1312	WerFault.exe	vbc.exe
1572	2808	WerFault.exe	vbc.exe

pid	process
728	schtasks.exe
932	schtasks.exe
3448	schtasks.exe

description	pid	process
Token: SeShutdownPrivilege	4228	nbittt9090.exe

pid	process
4228	nbittt9090.exe
4228	nbittt9090.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

43_85_73.execmd.exehygt.execmd.exehygt.execmd.exe

description	pid	process	target process
PID 4760 wrote to memory of 2380	4760	43_85_73.exe	cmd.exe
PID 4760 wrote to memory of 2380	4760	43_85_73.exe	cmd.exe
PID 4760 wrote to memory of 2380	4760	43_85_73.exe	cmd.exe
PID 2380 wrote to memory of 728	2380	cmd.exe	schtasks.exe
PID 2380 wrote to memory of 728	2380	cmd.exe	schtasks.exe
PID 2380 wrote to memory of 728	2380	cmd.exe	schtasks.exe
PID 4760 wrote to memory of 824	4760	43_85_73.exe	cmd.exe
PID 4760 wrote to memory of 824	4760	43_85_73.exe	cmd.exe
PID 4760 wrote to memory of 824	4760	43_85_73.exe	cmd.exe
PID 4760 wrote to memory of 4572	4760	43_85_73.exe	vbc.exe
PID 4760 wrote to memory of 4572	4760	43_85_73.exe	vbc.exe
PID 4760 wrote to memory of 4572	4760	43_85_73.exe	vbc.exe
PID 4760 wrote to memory of 4572	4760	43_85_73.exe	vbc.exe
PID 4760 wrote to memory of 4572	4760	43_85_73.exe	vbc.exe
PID 4760 wrote to memory of 4572	4760	43_85_73.exe	vbc.exe
PID 4760 wrote to memory of 4572	4760	43_85_73.exe	vbc.exe
PID 4760 wrote to memory of 4228	4760	43_85_73.exe	nbittt9090.exe
PID 4760 wrote to memory of 4228	4760	43_85_73.exe	nbittt9090.exe
PID 4760 wrote to memory of 4228	4760	43_85_73.exe	nbittt9090.exe
PID 2356 wrote to memory of 5000	2356	hygt.exe	cmd.exe
PID 2356 wrote to memory of 5000	2356	hygt.exe	cmd.exe
PID 2356 wrote to memory of 5000	2356	hygt.exe	cmd.exe
PID 2356 wrote to memory of 4304	2356	hygt.exe	cmd.exe
PID 2356 wrote to memory of 4304	2356	hygt.exe	cmd.exe
PID 2356 wrote to memory of 4304	2356	hygt.exe	cmd.exe
PID 5000 wrote to memory of 932	5000	cmd.exe	schtasks.exe
PID 5000 wrote to memory of 932	5000	cmd.exe	schtasks.exe
PID 5000 wrote to memory of 932	5000	cmd.exe	schtasks.exe
PID 2356 wrote to memory of 1312	2356	hygt.exe	vbc.exe
PID 2356 wrote to memory of 1312	2356	hygt.exe	vbc.exe
PID 2356 wrote to memory of 1312	2356	hygt.exe	vbc.exe
PID 2356 wrote to memory of 1312	2356	hygt.exe	vbc.exe
PID 2356 wrote to memory of 1312	2356	hygt.exe	vbc.exe
PID 2356 wrote to memory of 1312	2356	hygt.exe	vbc.exe
PID 2356 wrote to memory of 1312	2356	hygt.exe	vbc.exe
PID 4640 wrote to memory of 3032	4640	hygt.exe	cmd.exe
PID 4640 wrote to memory of 3032	4640	hygt.exe	cmd.exe
PID 4640 wrote to memory of 3032	4640	hygt.exe	cmd.exe
PID 3032 wrote to memory of 3448	3032	cmd.exe	schtasks.exe
PID 3032 wrote to memory of 3448	3032	cmd.exe	schtasks.exe
PID 3032 wrote to memory of 3448	3032	cmd.exe	schtasks.exe
PID 4640 wrote to memory of 2120	4640	hygt.exe	cmd.exe
PID 4640 wrote to memory of 2120	4640	hygt.exe	cmd.exe
PID 4640 wrote to memory of 2120	4640	hygt.exe	cmd.exe
PID 4640 wrote to memory of 2808	4640	hygt.exe	vbc.exe
PID 4640 wrote to memory of 2808	4640	hygt.exe	vbc.exe
PID 4640 wrote to memory of 2808	4640	hygt.exe	vbc.exe
PID 4640 wrote to memory of 2808	4640	hygt.exe	vbc.exe
PID 4640 wrote to memory of 2808	4640	hygt.exe	vbc.exe
PID 4640 wrote to memory of 2808	4640	hygt.exe	vbc.exe
PID 4640 wrote to memory of 2808	4640	hygt.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\43_85_73.exe
"C:\Users\Admin\AppData\Local\Temp\43_85_73.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hygt.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hygt.exe'" /f
3⤵
- Creates scheduled task(s)
PID:728

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\43_85_73.exe" "C:\Users\Admin\AppData\Roaming\hygt.exe"
2⤵
PID:824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 188
3⤵
- Program crash
PID:360

C:\Users\Admin\AppData\Local\Temp\nbittt9090.exe
"C:\Users\Admin\AppData\Local\Temp\nbittt9090.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4572 -ip 4572
1⤵
PID:1520

C:\Users\Admin\AppData\Roaming\hygt.exe
C:\Users\Admin\AppData\Roaming\hygt.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hygt.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hygt.exe'" /f
3⤵
- Creates scheduled task(s)
PID:932

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\hygt.exe" "C:\Users\Admin\AppData\Roaming\hygt.exe"
2⤵
PID:4304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 188
3⤵
- Program crash
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1312 -ip 1312
1⤵
PID:4044

C:\Users\Admin\AppData\Roaming\hygt.exe
C:\Users\Admin\AppData\Roaming\hygt.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hygt.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\hygt.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3448

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\hygt.exe" "C:\Users\Admin\AppData\Roaming\hygt.exe"
2⤵
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 188
3⤵
- Program crash
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2808 -ip 2808
1⤵
PID:4196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hygt.exe.log

Filesize
520B

MD5
41c37de2b4598f7759f865817dba5f80

SHA1
884ccf344bc2dd409425dc5ace0fd909a5f8cce4

SHA256
427235491a8da3fc8770ed60d30af731835c94585cd08d4d81fca9f703b283bc

SHA512
a8f3c74916623de100e4cf22e05df9cdf541b1e32443aab0434f35fb9c4a7fa950b997ce589b532e65731ae471a1f152cd5c00ea1df4bd7a6b57eb27c93c54bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbittt9090.exe

Filesize
1.4MB

MD5
d2d601c4f27a42233076ebc6e05f07f0

SHA1
5a0b561f883b88ca3d4d9bdba5143f103ea83d14

SHA256
dc9fcc38f0fad625bdd15fa418178cbcd8783e8c66bccf1bd300ead64c9e05eb

SHA512
f28db947332f2151de3a7b24101788afaeb3a00a63221dd20b745bd4ffe1ca495c6a4ac148ff8925635b720ae7c8bc586ab697622097a78a0e2588aa9d70b077

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbittt9090.exe

Filesize
1.4MB

MD5
d2d601c4f27a42233076ebc6e05f07f0

SHA1
5a0b561f883b88ca3d4d9bdba5143f103ea83d14

SHA256
dc9fcc38f0fad625bdd15fa418178cbcd8783e8c66bccf1bd300ead64c9e05eb

SHA512
f28db947332f2151de3a7b24101788afaeb3a00a63221dd20b745bd4ffe1ca495c6a4ac148ff8925635b720ae7c8bc586ab697622097a78a0e2588aa9d70b077

Download Submit
C:\Users\Admin\AppData\Roaming\hygt.exe

Filesize
300.0MB

MD5
8f9d8cc6161e6f0fb40e39d8cc48b041

SHA1
0e97ec09f7e2c4657b088f2089f069c168668a91

SHA256
1c8b09e66801723b6f31af1635a5582cc4445e277bd97bc16890c32378b7264c

SHA512
e48eb929e215095684ca276410bb67f305248ba745443ec6c4eac0ed7704519f35ca7004b8e523533facb5f540a809d1dfbd99061591c44f5fe378d772dc14ef

Download Submit
C:\Users\Admin\AppData\Roaming\hygt.exe

Filesize
300.0MB

MD5
8f9d8cc6161e6f0fb40e39d8cc48b041

SHA1
0e97ec09f7e2c4657b088f2089f069c168668a91

SHA256
1c8b09e66801723b6f31af1635a5582cc4445e277bd97bc16890c32378b7264c

SHA512
e48eb929e215095684ca276410bb67f305248ba745443ec6c4eac0ed7704519f35ca7004b8e523533facb5f540a809d1dfbd99061591c44f5fe378d772dc14ef

Download Submit
C:\Users\Admin\AppData\Roaming\hygt.exe

Filesize
300.0MB

MD5
8f9d8cc6161e6f0fb40e39d8cc48b041

SHA1
0e97ec09f7e2c4657b088f2089f069c168668a91

SHA256
1c8b09e66801723b6f31af1635a5582cc4445e277bd97bc16890c32378b7264c

SHA512
e48eb929e215095684ca276410bb67f305248ba745443ec6c4eac0ed7704519f35ca7004b8e523533facb5f540a809d1dfbd99061591c44f5fe378d772dc14ef

Download Submit
memory/728-134-0x0000000000000000-mapping.dmp

Download
memory/824-136-0x0000000000000000-mapping.dmp

Download
memory/932-152-0x0000000000000000-mapping.dmp

Download
memory/1312-156-0x0000000000D00000-0x00000000010E4000-memory.dmp

Filesize
3.9MB

Download
memory/1312-155-0x0000000000D00000-0x00000000010E4000-memory.dmp

Filesize
3.9MB

Download
memory/1312-153-0x0000000000000000-mapping.dmp

Download
memory/2120-162-0x0000000000000000-mapping.dmp

Download
memory/2380-133-0x0000000000000000-mapping.dmp

Download
memory/2808-163-0x0000000000000000-mapping.dmp

Download
memory/2808-165-0x0000000000800000-0x0000000000BE4000-memory.dmp

Filesize
3.9MB

Download
memory/2808-166-0x0000000000800000-0x0000000000BE4000-memory.dmp

Filesize
3.9MB

Download
memory/3032-160-0x0000000000000000-mapping.dmp

Download
memory/3448-161-0x0000000000000000-mapping.dmp

Download
memory/4228-141-0x0000000000000000-mapping.dmp

Download
memory/4228-149-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4228-148-0x0000000071B30000-0x0000000071B69000-memory.dmp

Filesize
228KB

Download
memory/4228-147-0x0000000071E70000-0x0000000071EA9000-memory.dmp

Filesize
228KB

Download
memory/4228-159-0x0000000071340000-0x0000000071379000-memory.dmp

Filesize
228KB

Download
memory/4228-144-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4304-151-0x0000000000000000-mapping.dmp

Download
memory/4572-140-0x0000000000B00000-0x0000000000EE4000-memory.dmp

Filesize
3.9MB

Download
memory/4572-139-0x0000000000B00000-0x0000000000EE4000-memory.dmp

Filesize
3.9MB

Download
memory/4572-137-0x0000000000000000-mapping.dmp

Download
memory/4760-132-0x0000000000AE0000-0x0000000000DDC000-memory.dmp

Filesize
3.0MB

Download
memory/4760-135-0x0000000005FB0000-0x0000000006554000-memory.dmp

Filesize
5.6MB

Download
memory/5000-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads