bitrat | db222538ebb97c259d49917f7fdb5f7b38470fe96c38f190d0a2d79bcab1fb7a

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27-10-2022 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

827615424_PDF_parsed.exe
Size

1.5MB
MD5

cd33f6e84ebfe15dab41be1319122907
SHA1

bff44bfcd5d534a2ce2ea8cab944391e7f55abc1
SHA256

db222538ebb97c259d49917f7fdb5f7b38470fe96c38f190d0a2d79bcab1fb7a
SHA512

6e664b00d9b7afb44e5559b7b152a742979c2a132857aa7eb94edb0ff22c75ad193c7eb5bb7dfb8071a79d480985c9b2b16550504632d9086814c10d02168a6b
SSDEEP

49152:Vnm4UcmDYIbFaTI39LMK44bFh1DgtJaJk4UUUUUJUUUUUU:x6blbku9Le4bFhuO1UUUUUJUUUUUU

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

bitone9090.duckdns.org:9090

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 2 IoCs

Processes:

jkgtr.exejkgtr.exe

pid process

1092 jkgtr.exe
1676 jkgtr.exe

pid	process
1092	jkgtr.exe
1676	jkgtr.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1356-60-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1356-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1356-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1356-65-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1356-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1356-69-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1356-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1356-71-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1356-79-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1068-91-0x0000000000500000-0x00000000008E4000-memory.dmp	upx
behavioral1/memory/1068-92-0x0000000000500000-0x00000000008E4000-memory.dmp	upx
behavioral1/memory/1068-95-0x0000000000500000-0x00000000008E4000-memory.dmp	upx
behavioral1/memory/1068-97-0x0000000000500000-0x00000000008E4000-memory.dmp	upx
behavioral1/memory/1068-98-0x0000000000500000-0x00000000008E4000-memory.dmp	upx
behavioral1/memory/1496-112-0x0000000000440000-0x0000000000824000-memory.dmp	upx
behavioral1/memory/1496-113-0x0000000000440000-0x0000000000824000-memory.dmp	upx
behavioral1/memory/1496-116-0x0000000000440000-0x0000000000824000-memory.dmp	upx
behavioral1/memory/1496-118-0x0000000000440000-0x0000000000824000-memory.dmp	upx
behavioral1/memory/1496-119-0x0000000000440000-0x0000000000824000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exe

pid process

1356 RegAsm.exe
1356 RegAsm.exe
1356 RegAsm.exe
1356 RegAsm.exe
1356 RegAsm.exe
1068 RegAsm.exe
1496 RegAsm.exe

pid	process
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1356	RegAsm.exe
1068	RegAsm.exe
1496	RegAsm.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

827615424_PDF_parsed.exejkgtr.exejkgtr.exe

description	pid	process	target process
PID 1696 set thread context of 1356	1696	827615424_PDF_parsed.exe	RegAsm.exe
PID 1092 set thread context of 1068	1092	jkgtr.exe	RegAsm.exe
PID 1676 set thread context of 1496	1676	jkgtr.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1352 schtasks.exe
1060 schtasks.exe
1080 schtasks.exe

pid	process
1352	schtasks.exe
1060	schtasks.exe
1080	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1356	RegAsm.exe
Token: SeShutdownPrivilege	1356	RegAsm.exe
Token: SeDebugPrivilege	1068	RegAsm.exe
Token: SeShutdownPrivilege	1068	RegAsm.exe
Token: SeDebugPrivilege	1496	RegAsm.exe
Token: SeShutdownPrivilege	1496	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

1356 RegAsm.exe
1356 RegAsm.exe

pid	process
1356	RegAsm.exe
1356	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

827615424_PDF_parsed.execmd.exetaskeng.exejkgtr.execmd.exejkgtr.execmd.exe

description	pid	process	target process
PID 1696 wrote to memory of 1732	1696	827615424_PDF_parsed.exe	cmd.exe
PID 1696 wrote to memory of 1732	1696	827615424_PDF_parsed.exe	cmd.exe
PID 1696 wrote to memory of 1732	1696	827615424_PDF_parsed.exe	cmd.exe
PID 1696 wrote to memory of 1732	1696	827615424_PDF_parsed.exe	cmd.exe
PID 1732 wrote to memory of 1352	1732	cmd.exe	schtasks.exe
PID 1732 wrote to memory of 1352	1732	cmd.exe	schtasks.exe
PID 1732 wrote to memory of 1352	1732	cmd.exe	schtasks.exe
PID 1732 wrote to memory of 1352	1732	cmd.exe	schtasks.exe
PID 1696 wrote to memory of 320	1696	827615424_PDF_parsed.exe	cmd.exe
PID 1696 wrote to memory of 320	1696	827615424_PDF_parsed.exe	cmd.exe
PID 1696 wrote to memory of 320	1696	827615424_PDF_parsed.exe	cmd.exe
PID 1696 wrote to memory of 320	1696	827615424_PDF_parsed.exe	cmd.exe
PID 1696 wrote to memory of 1356	1696	827615424_PDF_parsed.exe	RegAsm.exe
PID 1696 wrote to memory of 1356	1696	827615424_PDF_parsed.exe	RegAsm.exe
PID 1696 wrote to memory of 1356	1696	827615424_PDF_parsed.exe	RegAsm.exe
PID 1696 wrote to memory of 1356	1696	827615424_PDF_parsed.exe	RegAsm.exe
PID 1696 wrote to memory of 1356	1696	827615424_PDF_parsed.exe	RegAsm.exe
PID 1696 wrote to memory of 1356	1696	827615424_PDF_parsed.exe	RegAsm.exe
PID 1696 wrote to memory of 1356	1696	827615424_PDF_parsed.exe	RegAsm.exe
PID 1696 wrote to memory of 1356	1696	827615424_PDF_parsed.exe	RegAsm.exe
PID 1696 wrote to memory of 1356	1696	827615424_PDF_parsed.exe	RegAsm.exe
PID 1696 wrote to memory of 1356	1696	827615424_PDF_parsed.exe	RegAsm.exe
PID 1696 wrote to memory of 1356	1696	827615424_PDF_parsed.exe	RegAsm.exe
PID 1536 wrote to memory of 1092	1536	taskeng.exe	jkgtr.exe
PID 1536 wrote to memory of 1092	1536	taskeng.exe	jkgtr.exe
PID 1536 wrote to memory of 1092	1536	taskeng.exe	jkgtr.exe
PID 1536 wrote to memory of 1092	1536	taskeng.exe	jkgtr.exe
PID 1092 wrote to memory of 744	1092	jkgtr.exe	cmd.exe
PID 1092 wrote to memory of 744	1092	jkgtr.exe	cmd.exe
PID 1092 wrote to memory of 744	1092	jkgtr.exe	cmd.exe
PID 1092 wrote to memory of 744	1092	jkgtr.exe	cmd.exe
PID 744 wrote to memory of 1060	744	cmd.exe	schtasks.exe
PID 744 wrote to memory of 1060	744	cmd.exe	schtasks.exe
PID 744 wrote to memory of 1060	744	cmd.exe	schtasks.exe
PID 744 wrote to memory of 1060	744	cmd.exe	schtasks.exe
PID 1092 wrote to memory of 268	1092	jkgtr.exe	cmd.exe
PID 1092 wrote to memory of 268	1092	jkgtr.exe	cmd.exe
PID 1092 wrote to memory of 268	1092	jkgtr.exe	cmd.exe
PID 1092 wrote to memory of 268	1092	jkgtr.exe	cmd.exe
PID 1092 wrote to memory of 1068	1092	jkgtr.exe	RegAsm.exe
PID 1092 wrote to memory of 1068	1092	jkgtr.exe	RegAsm.exe
PID 1092 wrote to memory of 1068	1092	jkgtr.exe	RegAsm.exe
PID 1092 wrote to memory of 1068	1092	jkgtr.exe	RegAsm.exe
PID 1092 wrote to memory of 1068	1092	jkgtr.exe	RegAsm.exe
PID 1092 wrote to memory of 1068	1092	jkgtr.exe	RegAsm.exe
PID 1092 wrote to memory of 1068	1092	jkgtr.exe	RegAsm.exe
PID 1092 wrote to memory of 1068	1092	jkgtr.exe	RegAsm.exe
PID 1092 wrote to memory of 1068	1092	jkgtr.exe	RegAsm.exe
PID 1092 wrote to memory of 1068	1092	jkgtr.exe	RegAsm.exe
PID 1092 wrote to memory of 1068	1092	jkgtr.exe	RegAsm.exe
PID 1536 wrote to memory of 1676	1536	taskeng.exe	jkgtr.exe
PID 1536 wrote to memory of 1676	1536	taskeng.exe	jkgtr.exe
PID 1536 wrote to memory of 1676	1536	taskeng.exe	jkgtr.exe
PID 1536 wrote to memory of 1676	1536	taskeng.exe	jkgtr.exe
PID 1676 wrote to memory of 976	1676	jkgtr.exe	cmd.exe
PID 1676 wrote to memory of 976	1676	jkgtr.exe	cmd.exe
PID 1676 wrote to memory of 976	1676	jkgtr.exe	cmd.exe
PID 1676 wrote to memory of 976	1676	jkgtr.exe	cmd.exe
PID 976 wrote to memory of 1080	976	cmd.exe	schtasks.exe
PID 976 wrote to memory of 1080	976	cmd.exe	schtasks.exe
PID 976 wrote to memory of 1080	976	cmd.exe	schtasks.exe
PID 976 wrote to memory of 1080	976	cmd.exe	schtasks.exe
PID 1676 wrote to memory of 1672	1676	jkgtr.exe	cmd.exe
PID 1676 wrote to memory of 1672	1676	jkgtr.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\827615424_PDF_parsed.exe
"C:\Users\Admin\AppData\Local\Temp\827615424_PDF_parsed.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1352

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\827615424_PDF_parsed.exe" "C:\Users\Admin\AppData\Roaming\jkgtr.exe"
2⤵
PID:320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1356

C:\Windows\system32\taskeng.exe
taskeng.exe {E4811EC3-318E-4AAA-BB0E-8321F1CB1E75} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Roaming\jkgtr.exe
C:\Users\Admin\AppData\Roaming\jkgtr.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1060

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\jkgtr.exe" "C:\Users\Admin\AppData\Roaming\jkgtr.exe"
3⤵
PID:268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Users\Admin\AppData\Roaming\jkgtr.exe
C:\Users\Admin\AppData\Roaming\jkgtr.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1080

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\jkgtr.exe" "C:\Users\Admin\AppData\Roaming\jkgtr.exe"
3⤵
PID:1672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\jkgtr.exe

Filesize
1.5MB

MD5
cd33f6e84ebfe15dab41be1319122907

SHA1
bff44bfcd5d534a2ce2ea8cab944391e7f55abc1

SHA256
db222538ebb97c259d49917f7fdb5f7b38470fe96c38f190d0a2d79bcab1fb7a

SHA512
6e664b00d9b7afb44e5559b7b152a742979c2a132857aa7eb94edb0ff22c75ad193c7eb5bb7dfb8071a79d480985c9b2b16550504632d9086814c10d02168a6b

Download Submit
C:\Users\Admin\AppData\Roaming\jkgtr.exe

Filesize
1.5MB

MD5
cd33f6e84ebfe15dab41be1319122907

SHA1
bff44bfcd5d534a2ce2ea8cab944391e7f55abc1

SHA256
db222538ebb97c259d49917f7fdb5f7b38470fe96c38f190d0a2d79bcab1fb7a

SHA512
6e664b00d9b7afb44e5559b7b152a742979c2a132857aa7eb94edb0ff22c75ad193c7eb5bb7dfb8071a79d480985c9b2b16550504632d9086814c10d02168a6b

Download Submit
C:\Users\Admin\AppData\Roaming\jkgtr.exe

Filesize
1.5MB

MD5
cd33f6e84ebfe15dab41be1319122907

SHA1
bff44bfcd5d534a2ce2ea8cab944391e7f55abc1

SHA256
db222538ebb97c259d49917f7fdb5f7b38470fe96c38f190d0a2d79bcab1fb7a

SHA512
6e664b00d9b7afb44e5559b7b152a742979c2a132857aa7eb94edb0ff22c75ad193c7eb5bb7dfb8071a79d480985c9b2b16550504632d9086814c10d02168a6b

Download Submit
memory/268-84-0x0000000000000000-mapping.dmp

Download
memory/320-58-0x0000000000000000-mapping.dmp

Download
memory/744-82-0x0000000000000000-mapping.dmp

Download
memory/976-103-0x0000000000000000-mapping.dmp

Download
memory/1060-83-0x0000000000000000-mapping.dmp

Download
memory/1068-95-0x0000000000500000-0x00000000008E4000-memory.dmp

Filesize
3.9MB

Download
memory/1068-92-0x0000000000500000-0x00000000008E4000-memory.dmp

Filesize
3.9MB

Download
memory/1068-91-0x0000000000500000-0x00000000008E4000-memory.dmp

Filesize
3.9MB

Download
memory/1068-90-0x00000000007E2730-mapping.dmp

Download
memory/1068-86-0x0000000000772000-0x00000000008E3000-memory.dmp

Filesize
1.4MB

Download
memory/1068-97-0x0000000000500000-0x00000000008E4000-memory.dmp

Filesize
3.9MB

Download
memory/1068-98-0x0000000000500000-0x00000000008E4000-memory.dmp

Filesize
3.9MB

Download
memory/1080-104-0x0000000000000000-mapping.dmp

Download
memory/1092-77-0x00000000013C0000-0x000000000154C000-memory.dmp

Filesize
1.5MB

Download
memory/1092-75-0x0000000000000000-mapping.dmp

Download
memory/1352-57-0x0000000000000000-mapping.dmp

Download
memory/1356-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1356-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1356-79-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1356-80-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/1356-81-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/1356-72-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/1356-71-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1356-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1356-69-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1356-59-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1356-65-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1356-64-0x00000000007E2730-mapping.dmp

Download
memory/1356-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1356-73-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/1356-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1496-111-0x00000000007E2730-mapping.dmp

Download
memory/1496-112-0x0000000000440000-0x0000000000824000-memory.dmp

Filesize
3.9MB

Download
memory/1496-113-0x0000000000440000-0x0000000000824000-memory.dmp

Filesize
3.9MB

Download
memory/1496-116-0x0000000000440000-0x0000000000824000-memory.dmp

Filesize
3.9MB

Download
memory/1496-118-0x0000000000440000-0x0000000000824000-memory.dmp

Filesize
3.9MB

Download
memory/1496-119-0x0000000000440000-0x0000000000824000-memory.dmp

Filesize
3.9MB

Download
memory/1672-105-0x0000000000000000-mapping.dmp

Download
memory/1676-99-0x0000000000000000-mapping.dmp

Download
memory/1676-101-0x0000000000060000-0x00000000001EC000-memory.dmp

Filesize
1.5MB

Download
memory/1696-54-0x0000000000E40000-0x0000000000FCC000-memory.dmp

Filesize
1.5MB

Download
memory/1696-55-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1732-56-0x0000000000000000-mapping.dmp

Download