bitrat | 4748b94802d984b33b2fb85bf3b270825eb3eb021f7132d8ccdeca86863e95cd

General

Target

In012657AK.exe
Size

300.0MB
MD5

29845e4bb10cc5b292296e9ad7fb2796
SHA1

4ca80f348bf73f40da9d99861b9aeb721e4cffbd
SHA256

4748b94802d984b33b2fb85bf3b270825eb3eb021f7132d8ccdeca86863e95cd
SHA512

20d03122283459182ac5b74aa36b9cbd7af3a95d9e1695fd60ac8863f9ce2cbac3c1c09224711ed00370febd05d678acb7ad5907b71c56835cbc7fb95f803fb1
SSDEEP

24576:d5rVm/hz8mGTYKHvQoy17AmBr3xQctbOy8wqhzUujv+pPgJ6aIlGb4+Thid0YFB5:d52J6HYoyFA0rhQdm6+Hl7qk0Yl4mgS

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

akatabit1915.duckdns.org:1915

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

1756 svchost.exe
1568 svchost.exe
1124 svchost.exe

pid	process
1756	svchost.exe
1568	svchost.exe
1124	svchost.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2028-57-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2028-59-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2028-60-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2028-64-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2028-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2028-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2028-71-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2028-72-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2028-94-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/648-95-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/648-96-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1252-121-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1252-122-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exe

pid process

2028 RegAsm.exe
2028 RegAsm.exe
2028 RegAsm.exe
2028 RegAsm.exe
648 RegAsm.exe
2028 RegAsm.exe
1252 RegAsm.exe

pid	process
2028	RegAsm.exe
2028	RegAsm.exe
2028	RegAsm.exe
2028	RegAsm.exe
648	RegAsm.exe
2028	RegAsm.exe
1252	RegAsm.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

In012657AK.exesvchost.exesvchost.exesvchost.exe

description	pid	process	target process
PID 1800 set thread context of 2028	1800	In012657AK.exe	RegAsm.exe
PID 1756 set thread context of 648	1756	svchost.exe	RegAsm.exe
PID 1568 set thread context of 1252	1568	svchost.exe	RegAsm.exe
PID 1124 set thread context of 1844	1124	svchost.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1412 schtasks.exe
952 schtasks.exe
1204 schtasks.exe
1768 schtasks.exe

pid	process
1412	schtasks.exe
952	schtasks.exe
1204	schtasks.exe
1768	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2028	RegAsm.exe
Token: SeShutdownPrivilege	2028	RegAsm.exe
Token: SeDebugPrivilege	648	RegAsm.exe
Token: SeShutdownPrivilege	648	RegAsm.exe
Token: SeDebugPrivilege	1252	RegAsm.exe
Token: SeShutdownPrivilege	1252	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

2028 RegAsm.exe
2028 RegAsm.exe

pid	process
2028	RegAsm.exe
2028	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

In012657AK.execmd.exetaskeng.exesvchost.execmd.exesvchost.exe

description	pid	process	target process
PID 1800 wrote to memory of 2028	1800	In012657AK.exe	RegAsm.exe
PID 1800 wrote to memory of 2028	1800	In012657AK.exe	RegAsm.exe
PID 1800 wrote to memory of 2028	1800	In012657AK.exe	RegAsm.exe
PID 1800 wrote to memory of 2028	1800	In012657AK.exe	RegAsm.exe
PID 1800 wrote to memory of 2028	1800	In012657AK.exe	RegAsm.exe
PID 1800 wrote to memory of 2028	1800	In012657AK.exe	RegAsm.exe
PID 1800 wrote to memory of 2028	1800	In012657AK.exe	RegAsm.exe
PID 1800 wrote to memory of 2028	1800	In012657AK.exe	RegAsm.exe
PID 1800 wrote to memory of 2028	1800	In012657AK.exe	RegAsm.exe
PID 1800 wrote to memory of 2028	1800	In012657AK.exe	RegAsm.exe
PID 1800 wrote to memory of 2028	1800	In012657AK.exe	RegAsm.exe
PID 1800 wrote to memory of 1744	1800	In012657AK.exe	cmd.exe
PID 1800 wrote to memory of 1744	1800	In012657AK.exe	cmd.exe
PID 1800 wrote to memory of 1744	1800	In012657AK.exe	cmd.exe
PID 1800 wrote to memory of 1744	1800	In012657AK.exe	cmd.exe
PID 1800 wrote to memory of 1736	1800	In012657AK.exe	cmd.exe
PID 1800 wrote to memory of 1736	1800	In012657AK.exe	cmd.exe
PID 1800 wrote to memory of 1736	1800	In012657AK.exe	cmd.exe
PID 1800 wrote to memory of 1736	1800	In012657AK.exe	cmd.exe
PID 1800 wrote to memory of 624	1800	In012657AK.exe	cmd.exe
PID 1800 wrote to memory of 624	1800	In012657AK.exe	cmd.exe
PID 1800 wrote to memory of 624	1800	In012657AK.exe	cmd.exe
PID 1800 wrote to memory of 624	1800	In012657AK.exe	cmd.exe
PID 1736 wrote to memory of 1412	1736	cmd.exe	schtasks.exe
PID 1736 wrote to memory of 1412	1736	cmd.exe	schtasks.exe
PID 1736 wrote to memory of 1412	1736	cmd.exe	schtasks.exe
PID 1736 wrote to memory of 1412	1736	cmd.exe	schtasks.exe
PID 1560 wrote to memory of 1756	1560	taskeng.exe	svchost.exe
PID 1560 wrote to memory of 1756	1560	taskeng.exe	svchost.exe
PID 1560 wrote to memory of 1756	1560	taskeng.exe	svchost.exe
PID 1560 wrote to memory of 1756	1560	taskeng.exe	svchost.exe
PID 1756 wrote to memory of 648	1756	svchost.exe	RegAsm.exe
PID 1756 wrote to memory of 648	1756	svchost.exe	RegAsm.exe
PID 1756 wrote to memory of 648	1756	svchost.exe	RegAsm.exe
PID 1756 wrote to memory of 648	1756	svchost.exe	RegAsm.exe
PID 1756 wrote to memory of 648	1756	svchost.exe	RegAsm.exe
PID 1756 wrote to memory of 648	1756	svchost.exe	RegAsm.exe
PID 1756 wrote to memory of 648	1756	svchost.exe	RegAsm.exe
PID 1756 wrote to memory of 648	1756	svchost.exe	RegAsm.exe
PID 1756 wrote to memory of 648	1756	svchost.exe	RegAsm.exe
PID 1756 wrote to memory of 648	1756	svchost.exe	RegAsm.exe
PID 1756 wrote to memory of 648	1756	svchost.exe	RegAsm.exe
PID 1756 wrote to memory of 1508	1756	svchost.exe	cmd.exe
PID 1756 wrote to memory of 1508	1756	svchost.exe	cmd.exe
PID 1756 wrote to memory of 1508	1756	svchost.exe	cmd.exe
PID 1756 wrote to memory of 1508	1756	svchost.exe	cmd.exe
PID 1756 wrote to memory of 1600	1756	svchost.exe	cmd.exe
PID 1756 wrote to memory of 1600	1756	svchost.exe	cmd.exe
PID 1756 wrote to memory of 1600	1756	svchost.exe	cmd.exe
PID 1756 wrote to memory of 1600	1756	svchost.exe	cmd.exe
PID 1756 wrote to memory of 1460	1756	svchost.exe	cmd.exe
PID 1756 wrote to memory of 1460	1756	svchost.exe	cmd.exe
PID 1756 wrote to memory of 1460	1756	svchost.exe	cmd.exe
PID 1756 wrote to memory of 1460	1756	svchost.exe	cmd.exe
PID 1600 wrote to memory of 952	1600	cmd.exe	schtasks.exe
PID 1600 wrote to memory of 952	1600	cmd.exe	schtasks.exe
PID 1600 wrote to memory of 952	1600	cmd.exe	schtasks.exe
PID 1600 wrote to memory of 952	1600	cmd.exe	schtasks.exe
PID 1560 wrote to memory of 1568	1560	taskeng.exe	svchost.exe
PID 1560 wrote to memory of 1568	1560	taskeng.exe	svchost.exe
PID 1560 wrote to memory of 1568	1560	taskeng.exe	svchost.exe
PID 1560 wrote to memory of 1568	1560	taskeng.exe	svchost.exe
PID 1568 wrote to memory of 1252	1568	svchost.exe	RegAsm.exe
PID 1568 wrote to memory of 1252	1568	svchost.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\In012657AK.exe
"C:\Users\Admin\AppData\Local\Temp\In012657AK.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
2⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1412

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\In012657AK.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:624

C:\Windows\system32\taskeng.exe
taskeng.exe {2B111AE8-19DF-45BD-8985-845FF9577096} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
3⤵
PID:1508

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
4⤵
- Creates scheduled task(s)
PID:952

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
3⤵
PID:1460

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
3⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
PID:1736

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1204

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
3⤵
PID:584

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
3⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
PID:1076

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1768

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
3⤵
PID:988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
300.0MB

MD5
29845e4bb10cc5b292296e9ad7fb2796

SHA1
4ca80f348bf73f40da9d99861b9aeb721e4cffbd

SHA256
4748b94802d984b33b2fb85bf3b270825eb3eb021f7132d8ccdeca86863e95cd

SHA512
20d03122283459182ac5b74aa36b9cbd7af3a95d9e1695fd60ac8863f9ce2cbac3c1c09224711ed00370febd05d678acb7ad5907b71c56835cbc7fb95f803fb1

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
194.4MB

MD5
298b7f6159b02b36b3d02f00dfaf59de

SHA1
dbe87c9f194a7b17d6082d11c60ce3b7164cdc69

SHA256
d5622fa4ed4421f323eb7b5b84af4b30632e0f30059815df567bd65a5805f88f

SHA512
59abb02ad7e2aa58be890613ad1d965046325d2aa1c45382cd235f42e27262346f3c2fc28550826ea4c89cefca28c5d9181ed19f4b8be3f5f8d4c86ea49eb548

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
300.0MB

MD5
29845e4bb10cc5b292296e9ad7fb2796

SHA1
4ca80f348bf73f40da9d99861b9aeb721e4cffbd

SHA256
4748b94802d984b33b2fb85bf3b270825eb3eb021f7132d8ccdeca86863e95cd

SHA512
20d03122283459182ac5b74aa36b9cbd7af3a95d9e1695fd60ac8863f9ce2cbac3c1c09224711ed00370febd05d678acb7ad5907b71c56835cbc7fb95f803fb1

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
300.0MB

MD5
29845e4bb10cc5b292296e9ad7fb2796

SHA1
4ca80f348bf73f40da9d99861b9aeb721e4cffbd

SHA256
4748b94802d984b33b2fb85bf3b270825eb3eb021f7132d8ccdeca86863e95cd

SHA512
20d03122283459182ac5b74aa36b9cbd7af3a95d9e1695fd60ac8863f9ce2cbac3c1c09224711ed00370febd05d678acb7ad5907b71c56835cbc7fb95f803fb1

Download Submit
memory/584-119-0x0000000000000000-mapping.dmp

Download
memory/624-66-0x0000000000000000-mapping.dmp

Download
memory/648-95-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/648-83-0x00000000007E2730-mapping.dmp

Download
memory/648-96-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/952-93-0x0000000000000000-mapping.dmp

Download
memory/988-138-0x0000000000000000-mapping.dmp

Download
memory/1076-137-0x0000000000000000-mapping.dmp

Download
memory/1124-125-0x0000000001060000-0x0000000001214000-memory.dmp

Filesize
1.7MB

Download
memory/1124-123-0x0000000000000000-mapping.dmp

Download
memory/1148-133-0x0000000000000000-mapping.dmp

Download
memory/1204-120-0x0000000000000000-mapping.dmp

Download
memory/1252-110-0x00000000007E2730-mapping.dmp

Download
memory/1252-121-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1252-122-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1412-68-0x0000000000000000-mapping.dmp

Download
memory/1460-91-0x0000000000000000-mapping.dmp

Download
memory/1508-86-0x0000000000000000-mapping.dmp

Download
memory/1520-117-0x0000000000000000-mapping.dmp

Download
memory/1568-103-0x0000000001060000-0x0000000001214000-memory.dmp

Filesize
1.7MB

Download
memory/1568-101-0x0000000000000000-mapping.dmp

Download
memory/1600-87-0x0000000000000000-mapping.dmp

Download
memory/1736-118-0x0000000000000000-mapping.dmp

Download
memory/1736-65-0x0000000000000000-mapping.dmp

Download
memory/1744-63-0x0000000000000000-mapping.dmp

Download
memory/1756-76-0x0000000000850000-0x0000000000A04000-memory.dmp

Filesize
1.7MB

Download
memory/1756-74-0x0000000000000000-mapping.dmp

Download
memory/1768-142-0x0000000000000000-mapping.dmp

Download
memory/1800-55-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/1800-54-0x0000000000F50000-0x0000000001104000-memory.dmp

Filesize
1.7MB

Download
memory/1844-132-0x00000000007E2730-mapping.dmp

Download
memory/2028-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2028-61-0x00000000007E2730-mapping.dmp

Download
memory/2028-100-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/2028-99-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/2028-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2028-64-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2028-98-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/2028-71-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2028-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2028-59-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2028-57-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2028-97-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/2028-56-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2028-72-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2028-94-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads