bitrat | 9d3975bd3b09d8a3717bf26809d45bd57983de71621c40a94a3d5e99d44aaa82

General

Target

827615424_PDF.exe
Size

300.0MB
MD5

0e20fe4a6b6ae6a93129d7767dab8558
SHA1

ffb19496edae93f3981ab744b0688b881339e3ac
SHA256

ed1babfb5993b76abda6deb0a715042923634b42d2eedc06eaa01b56e06fe100
SHA512

070c95a4e846c82628b3a7a0044bcc9f6360ae4c1fe2fc777c887a43c44f30514af323d693b05c591cd367efd4622b3d36b76f18a53b3d3609ee80cb1913688a
SSDEEP

49152:Vnm4UcmDYIbFaTI39LMK44bFh1DgtJaJk4UUUUUJUUUUUU:x6blbku9Le4bFhuO1UUUUUJUUUUUU

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitone9090.duckdns.org:9090

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 2 IoCs

Processes:

jkgtr.exejkgtr.exe

pid process

2312 jkgtr.exe
2628 jkgtr.exe

pid	process
2312	jkgtr.exe
2628	jkgtr.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2816-139-0x0000000000B00000-0x0000000000EE4000-memory.dmp	upx
behavioral2/memory/2816-140-0x0000000000B00000-0x0000000000EE4000-memory.dmp	upx
behavioral2/memory/2264-147-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2264-148-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2264-149-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2264-150-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2264-151-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2264-154-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/5116-165-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/5116-166-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

RegAsm.exeRegAsm.exe

pid process

2264 RegAsm.exe
2264 RegAsm.exe
2264 RegAsm.exe
2264 RegAsm.exe
2264 RegAsm.exe
5116 RegAsm.exe

pid	process
2264	RegAsm.exe
2264	RegAsm.exe
2264	RegAsm.exe
2264	RegAsm.exe
2264	RegAsm.exe
5116	RegAsm.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

827615424_PDF.exejkgtr.exejkgtr.exe

description	pid	process	target process
PID 4780 set thread context of 2816	4780	827615424_PDF.exe	RegAsm.exe
PID 2312 set thread context of 2264	2312	jkgtr.exe	RegAsm.exe
PID 2628 set thread context of 5116	2628	jkgtr.exe	RegAsm.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1088 2816 WerFault.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2784 schtasks.exe
3604 schtasks.exe
4416 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegAsm.exeRegAsm.exe

description pid process

Token: SeShutdownPrivilege 2264 RegAsm.exe
Token: SeShutdownPrivilege 5116 RegAsm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

2264 RegAsm.exe
2264 RegAsm.exe

pid	pid_target	process	target process
1088	2816	WerFault.exe	RegAsm.exe

pid	process
2784	schtasks.exe
3604	schtasks.exe
4416	schtasks.exe

description	pid	process
Token: SeShutdownPrivilege	2264	RegAsm.exe
Token: SeShutdownPrivilege	5116	RegAsm.exe

pid	process
2264	RegAsm.exe
2264	RegAsm.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

827615424_PDF.execmd.exejkgtr.execmd.exejkgtr.execmd.exe

description	pid	process	target process
PID 4780 wrote to memory of 3760	4780	827615424_PDF.exe	cmd.exe
PID 4780 wrote to memory of 3760	4780	827615424_PDF.exe	cmd.exe
PID 4780 wrote to memory of 3760	4780	827615424_PDF.exe	cmd.exe
PID 3760 wrote to memory of 4416	3760	cmd.exe	schtasks.exe
PID 3760 wrote to memory of 4416	3760	cmd.exe	schtasks.exe
PID 3760 wrote to memory of 4416	3760	cmd.exe	schtasks.exe
PID 4780 wrote to memory of 3000	4780	827615424_PDF.exe	cmd.exe
PID 4780 wrote to memory of 3000	4780	827615424_PDF.exe	cmd.exe
PID 4780 wrote to memory of 3000	4780	827615424_PDF.exe	cmd.exe
PID 4780 wrote to memory of 2816	4780	827615424_PDF.exe	RegAsm.exe
PID 4780 wrote to memory of 2816	4780	827615424_PDF.exe	RegAsm.exe
PID 4780 wrote to memory of 2816	4780	827615424_PDF.exe	RegAsm.exe
PID 4780 wrote to memory of 2816	4780	827615424_PDF.exe	RegAsm.exe
PID 4780 wrote to memory of 2816	4780	827615424_PDF.exe	RegAsm.exe
PID 4780 wrote to memory of 2816	4780	827615424_PDF.exe	RegAsm.exe
PID 4780 wrote to memory of 2816	4780	827615424_PDF.exe	RegAsm.exe
PID 2312 wrote to memory of 3900	2312	jkgtr.exe	cmd.exe
PID 2312 wrote to memory of 3900	2312	jkgtr.exe	cmd.exe
PID 2312 wrote to memory of 3900	2312	jkgtr.exe	cmd.exe
PID 3900 wrote to memory of 2784	3900	cmd.exe	schtasks.exe
PID 3900 wrote to memory of 2784	3900	cmd.exe	schtasks.exe
PID 3900 wrote to memory of 2784	3900	cmd.exe	schtasks.exe
PID 2312 wrote to memory of 2084	2312	jkgtr.exe	cmd.exe
PID 2312 wrote to memory of 2084	2312	jkgtr.exe	cmd.exe
PID 2312 wrote to memory of 2084	2312	jkgtr.exe	cmd.exe
PID 2312 wrote to memory of 2264	2312	jkgtr.exe	RegAsm.exe
PID 2312 wrote to memory of 2264	2312	jkgtr.exe	RegAsm.exe
PID 2312 wrote to memory of 2264	2312	jkgtr.exe	RegAsm.exe
PID 2312 wrote to memory of 2264	2312	jkgtr.exe	RegAsm.exe
PID 2312 wrote to memory of 2264	2312	jkgtr.exe	RegAsm.exe
PID 2312 wrote to memory of 2264	2312	jkgtr.exe	RegAsm.exe
PID 2312 wrote to memory of 2264	2312	jkgtr.exe	RegAsm.exe
PID 2628 wrote to memory of 1928	2628	jkgtr.exe	cmd.exe
PID 2628 wrote to memory of 1928	2628	jkgtr.exe	cmd.exe
PID 2628 wrote to memory of 1928	2628	jkgtr.exe	cmd.exe
PID 1928 wrote to memory of 3604	1928	cmd.exe	schtasks.exe
PID 1928 wrote to memory of 3604	1928	cmd.exe	schtasks.exe
PID 1928 wrote to memory of 3604	1928	cmd.exe	schtasks.exe
PID 2628 wrote to memory of 2164	2628	jkgtr.exe	cmd.exe
PID 2628 wrote to memory of 2164	2628	jkgtr.exe	cmd.exe
PID 2628 wrote to memory of 2164	2628	jkgtr.exe	cmd.exe
PID 2628 wrote to memory of 5116	2628	jkgtr.exe	RegAsm.exe
PID 2628 wrote to memory of 5116	2628	jkgtr.exe	RegAsm.exe
PID 2628 wrote to memory of 5116	2628	jkgtr.exe	RegAsm.exe
PID 2628 wrote to memory of 5116	2628	jkgtr.exe	RegAsm.exe
PID 2628 wrote to memory of 5116	2628	jkgtr.exe	RegAsm.exe
PID 2628 wrote to memory of 5116	2628	jkgtr.exe	RegAsm.exe
PID 2628 wrote to memory of 5116	2628	jkgtr.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\827615424_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\827615424_PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3760

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4416

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\827615424_PDF.exe" "C:\Users\Admin\AppData\Roaming\jkgtr.exe"
2⤵
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 556
3⤵
- Program crash
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2816 -ip 2816
1⤵
PID:3268

C:\Users\Admin\AppData\Roaming\jkgtr.exe
C:\Users\Admin\AppData\Roaming\jkgtr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\jkgtr.exe" "C:\Users\Admin\AppData\Roaming\jkgtr.exe"
2⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2264

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2784

C:\Users\Admin\AppData\Roaming\jkgtr.exe
C:\Users\Admin\AppData\Roaming\jkgtr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\jkgtr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3604

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\jkgtr.exe" "C:\Users\Admin\AppData\Roaming\jkgtr.exe"
2⤵
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:5116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jkgtr.exe.log

Filesize
520B

MD5
41c37de2b4598f7759f865817dba5f80

SHA1
884ccf344bc2dd409425dc5ace0fd909a5f8cce4

SHA256
427235491a8da3fc8770ed60d30af731835c94585cd08d4d81fca9f703b283bc

SHA512
a8f3c74916623de100e4cf22e05df9cdf541b1e32443aab0434f35fb9c4a7fa950b997ce589b532e65731ae471a1f152cd5c00ea1df4bd7a6b57eb27c93c54bd

Download Submit
C:\Users\Admin\AppData\Roaming\jkgtr.exe

Filesize
300.0MB

MD5
0e20fe4a6b6ae6a93129d7767dab8558

SHA1
ffb19496edae93f3981ab744b0688b881339e3ac

SHA256
ed1babfb5993b76abda6deb0a715042923634b42d2eedc06eaa01b56e06fe100

SHA512
070c95a4e846c82628b3a7a0044bcc9f6360ae4c1fe2fc777c887a43c44f30514af323d693b05c591cd367efd4622b3d36b76f18a53b3d3609ee80cb1913688a

Download Submit
C:\Users\Admin\AppData\Roaming\jkgtr.exe

Filesize
296.2MB

MD5
5316da074a055f1d0b90b6c74ce322a6

SHA1
18345906d0cc0dde923e9b83bfa0befa45f2d103

SHA256
214f05d5d8483b63a725716a6e325a4f3b310bc8f1914bf219f0794ef24351c3

SHA512
1cb2b82b55d4c4744634a2f3064f66f64b25d85950d5e6ff63bf9e24829659abe7ce06d75fd173b654002c526263e3b1c3ded67b6333d85836fefc237dec55a3

Download Submit
C:\Users\Admin\AppData\Roaming\jkgtr.exe

Filesize
147.1MB

MD5
ca38de2a7d2215cd30a150fb8258daeb

SHA1
26a226f141b6ef1778d66a545b259c260a3aa564

SHA256
a2bda00a52df204d80bf519f1362625b94d6db297c80a39ceefdda3d02b651dd

SHA512
22413fe523e229828d37956872a877e7782f96b975bbaad774eb03b9d1e302ac41542fbbcd08b92f19cde1c5824dae81faad253b3d7708615689ba58dc86383d

Download Submit
memory/1928-157-0x0000000000000000-mapping.dmp

Download
memory/2084-145-0x0000000000000000-mapping.dmp

Download
memory/2164-159-0x0000000000000000-mapping.dmp

Download
memory/2264-154-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2264-151-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2264-153-0x0000000074C70000-0x0000000074CA9000-memory.dmp

Filesize
228KB

Download
memory/2264-152-0x00000000748D0000-0x0000000074909000-memory.dmp

Filesize
228KB

Download
memory/2264-150-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2264-149-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2264-146-0x0000000000000000-mapping.dmp

Download
memory/2264-147-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2264-148-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2784-144-0x0000000000000000-mapping.dmp

Download
memory/2816-137-0x0000000000000000-mapping.dmp

Download
memory/2816-140-0x0000000000B00000-0x0000000000EE4000-memory.dmp

Filesize
3.9MB

Download
memory/2816-139-0x0000000000B00000-0x0000000000EE4000-memory.dmp

Filesize
3.9MB

Download
memory/3000-136-0x0000000000000000-mapping.dmp

Download
memory/3604-158-0x0000000000000000-mapping.dmp

Download
memory/3760-133-0x0000000000000000-mapping.dmp

Download
memory/3900-143-0x0000000000000000-mapping.dmp

Download
memory/4416-134-0x0000000000000000-mapping.dmp

Download
memory/4780-132-0x00000000003E0000-0x000000000056C000-memory.dmp

Filesize
1.5MB

Download
memory/4780-135-0x0000000005700000-0x0000000005CA4000-memory.dmp

Filesize
5.6MB

Download
memory/5116-160-0x0000000000000000-mapping.dmp

Download
memory/5116-165-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5116-166-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads