bitrat | 02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5

Analysis

max time kernel
150s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
26/10/2022, 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
Size

4.6MB
MD5

3056792cfe11d96217fa3626f3ab6a5f
SHA1

d2b732a35d22e32dbc265957e624c667012a6a18
SHA256

02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5
SHA512

c7e217193294760af3bfb12ff4e7ed327faf9ba09e05d3927eaba26385ce9853ff42685cdabff00fbe6c1461ce5c772afc7a158d72da9e33039da0ee828789c8
SSDEEP

24576:2RlFlAOYfBKbQzW3I+ps4NCmntjDesG5InScdbJaP1tVpVzKGeGCvCr2F1xgLAZ4:

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

gh9st.mywire.org:5005

Attributes

communication_password
803355ca422bf9b37bc523a750e21842
install_dir
svcsvc
install_file
svcsvc.exe
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\PUTTY = "\"C:\\Users\\Admin\\AppData\\Roaming\\PUTTY.EXE\""	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\svcsvc = "C:\\Users\\Admin\\AppData\\Local\\svcsvc\\svcsvc.exe"	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\svcsvc = "C:\\Users\\Admin\\AppData\\Local\\svcsvc\\svcsvc.exe\uf800"	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\svcsvc = "C:\\Users\\Admin\\AppData\\Local\\svcsvc\\svcsvc.exe\uff00"	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3844 set thread context of 4780	3844	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe	69

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4272	powershell.exe
4272	powershell.exe
4272	powershell.exe
3844	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
3844	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
3844	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
3844	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe

Suspicious behavior: RenamesItself 16 IoCs

pid	Process
4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	3844	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
Token: SeShutdownPrivilege	4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
4780	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 4272	3844	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe	66
PID 3844 wrote to memory of 4272	3844	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe	66
PID 3844 wrote to memory of 4272	3844	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe	66
PID 3844 wrote to memory of 4728	3844	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe	68
PID 3844 wrote to memory of 4728	3844	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe	68
PID 3844 wrote to memory of 4728	3844	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe	68
PID 3844 wrote to memory of 4780	3844	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe	69
PID 3844 wrote to memory of 4780	3844	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe	69
PID 3844 wrote to memory of 4780	3844	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe	69
PID 3844 wrote to memory of 4780	3844	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe	69
PID 3844 wrote to memory of 4780	3844	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe	69
PID 3844 wrote to memory of 4780	3844	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe	69
PID 3844 wrote to memory of 4780	3844	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe	69
PID 3844 wrote to memory of 4780	3844	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe	69
PID 3844 wrote to memory of 4780	3844	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe	69
PID 3844 wrote to memory of 4780	3844	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe	69
PID 3844 wrote to memory of 4780	3844	02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe	69

C:\Users\Admin\AppData\Local\Temp\02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
"C:\Users\Admin\AppData\Local\Temp\02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4272
- C:\Users\Admin\AppData\Local\Temp\02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
  C:\Users\Admin\AppData\Local\Temp\02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
  2⤵
  PID:4728
- C:\Users\Admin\AppData\Local\Temp\02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
  C:\Users\Admin\AppData\Local\Temp\02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3844-115-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-116-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-117-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-118-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-119-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-120-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-121-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-122-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-123-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-124-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-125-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-126-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-127-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-128-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-129-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-130-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-131-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-132-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-133-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-134-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-135-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-136-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-137-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-138-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-139-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-140-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-141-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-142-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-143-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-144-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-145-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-146-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-147-0x0000000000D10000-0x00000000011AE000-memory.dmp

Filesize
4.6MB

Download
memory/3844-149-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-148-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-150-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-151-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-152-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-153-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-154-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-155-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-156-0x0000000006A30000-0x0000000006C80000-memory.dmp

Filesize
2.3MB

Download
memory/3844-157-0x0000000006E20000-0x0000000007026000-memory.dmp

Filesize
2.0MB

Download
memory/3844-158-0x0000000007030000-0x00000000070C2000-memory.dmp

Filesize
584KB

Download
memory/3844-159-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-160-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-161-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-162-0x00000000070C0000-0x00000000070E2000-memory.dmp

Filesize
136KB

Download
memory/3844-163-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-164-0x00000000070F0000-0x0000000007440000-memory.dmp

Filesize
3.3MB

Download
memory/3844-165-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-166-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-167-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-168-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-169-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-170-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-171-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-172-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-173-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-174-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-175-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-176-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-177-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-178-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-179-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-180-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-181-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-182-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-183-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-185-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-220-0x0000000004A50000-0x0000000004A86000-memory.dmp

Filesize
216KB

Download
memory/4272-225-0x00000000077C0000-0x0000000007DE8000-memory.dmp

Filesize
6.2MB

Download
memory/4272-244-0x0000000007540000-0x00000000075A6000-memory.dmp

Filesize
408KB

Download
memory/4272-245-0x0000000007E70000-0x0000000007ED6000-memory.dmp

Filesize
408KB

Download
memory/4272-248-0x0000000007790000-0x00000000077AC000-memory.dmp

Filesize
112KB

Download
memory/4272-249-0x0000000008360000-0x00000000083AB000-memory.dmp

Filesize
300KB

Download
memory/4272-253-0x00000000085E0000-0x0000000008656000-memory.dmp

Filesize
472KB

Download
memory/4272-264-0x0000000009DD0000-0x000000000A448000-memory.dmp

Filesize
6.5MB

Download
memory/4272-265-0x0000000009360000-0x000000000937A000-memory.dmp

Filesize
104KB

Download
memory/4780-308-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4780-337-0x0000000073400000-0x000000007343A000-memory.dmp

Filesize
232KB

Download
memory/4780-370-0x00000000733D0000-0x000000007340A000-memory.dmp

Filesize
232KB

Download
memory/4780-387-0x00000000733B0000-0x00000000733EA000-memory.dmp

Filesize
232KB

Download
memory/4780-388-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4780-405-0x00000000733B0000-0x00000000733EA000-memory.dmp

Filesize
232KB

Download
memory/4780-422-0x00000000733B0000-0x00000000733EA000-memory.dmp

Filesize
232KB

Download
memory/4780-434-0x00000000733B0000-0x00000000733EA000-memory.dmp

Filesize
232KB

Download