bitrat | eb09c48f045d418e00024488257c191305796969d0a2bcd99f84ce5d5e79cc7e

Analysis

max time kernel
152s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2022 17:43

Target

1f3b0c2_comppdf.exe
Size

82KB
MD5

c170b74c3ca105d636876a6f81d17d02
SHA1

aae66cfd3e1b3132e2188e1d229896d1d42493c1
SHA256

74cab4c8f16ad111496aab0e1fb101e25fb7c26cebb79cf6a870c12d318efdda
SHA512

d3b18d6bfc78cb6bf1e61dc81a67f721ad5f806d5c6ffa0de1982ec2602259a4f015046c1ce878d80b586733a54fa844879faba098cb71555ae2f2687587b7e2
SSDEEP

768:t20v/xNDKwkuedmdVKCPhpoj+f5RdNKW:d/xNDKwkvdmdVKCP7owdNr

Score

10^/10

bitrat trojan upx

Family

bitrat

Version

1.38

192.3.76.153:5200

Attributes

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/2816-135-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2816-138-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2816-139-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2816-140-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2816-141-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2816-143-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

CasPol.exe

pid process

2816 CasPol.exe
2816 CasPol.exe
2816 CasPol.exe
2816 CasPol.exe
2816 CasPol.exe
2816 CasPol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

1f3b0c2_comppdf.exe

description pid process target process

PID 4688 set thread context of 2816 4688 1f3b0c2_comppdf.exe CasPol.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1f3b0c2_comppdf.exe

pid process

4688 1f3b0c2_comppdf.exe
4688 1f3b0c2_comppdf.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1f3b0c2_comppdf.exeCasPol.exe

description pid process

Token: SeDebugPrivilege 4688 1f3b0c2_comppdf.exe
Token: SeShutdownPrivilege 2816 CasPol.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

CasPol.exe

pid process

2816 CasPol.exe
2816 CasPol.exe

description	pid	process	target process
PID 4688 set thread context of 2816	4688	1f3b0c2_comppdf.exe	CasPol.exe

pid	process
4688	1f3b0c2_comppdf.exe
4688	1f3b0c2_comppdf.exe

description	pid	process
Token: SeDebugPrivilege	4688	1f3b0c2_comppdf.exe
Token: SeShutdownPrivilege	2816	CasPol.exe

pid	process
2816	CasPol.exe
2816	CasPol.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

1f3b0c2_comppdf.exe

description	pid	process	target process
PID 4688 wrote to memory of 2704	4688	1f3b0c2_comppdf.exe	CasPol.exe
PID 4688 wrote to memory of 2704	4688	1f3b0c2_comppdf.exe	CasPol.exe
PID 4688 wrote to memory of 2704	4688	1f3b0c2_comppdf.exe	CasPol.exe
PID 4688 wrote to memory of 2816	4688	1f3b0c2_comppdf.exe	CasPol.exe
PID 4688 wrote to memory of 2816	4688	1f3b0c2_comppdf.exe	CasPol.exe
PID 4688 wrote to memory of 2816	4688	1f3b0c2_comppdf.exe	CasPol.exe
PID 4688 wrote to memory of 2816	4688	1f3b0c2_comppdf.exe	CasPol.exe
PID 4688 wrote to memory of 2816	4688	1f3b0c2_comppdf.exe	CasPol.exe
PID 4688 wrote to memory of 2816	4688	1f3b0c2_comppdf.exe	CasPol.exe
PID 4688 wrote to memory of 2816	4688	1f3b0c2_comppdf.exe	CasPol.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
2⤵
PID:2704

memory/2816-140-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2816-142-0x00000000748C0000-0x00000000748F9000-memory.dmp

Filesize
228KB

Download
memory/2816-147-0x0000000074C60000-0x0000000074C99000-memory.dmp

Filesize
228KB

Download
memory/2816-135-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2816-146-0x00000000748C0000-0x00000000748F9000-memory.dmp

Filesize
228KB

Download
memory/2816-145-0x00000000749F0000-0x0000000074A29000-memory.dmp

Filesize
228KB

Download
memory/2816-144-0x0000000074C60000-0x0000000074C99000-memory.dmp

Filesize
228KB

Download
memory/2816-138-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2816-136-0x00000000007E2730-mapping.dmp

Download
memory/2816-141-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2816-139-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2816-143-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4688-133-0x00007FFBA9210000-0x00007FFBA9CD1000-memory.dmp

Filesize
10.8MB

Download
memory/4688-137-0x00007FFBA9210000-0x00007FFBA9CD1000-memory.dmp

Filesize
10.8MB

Download
memory/4688-132-0x000001F956840000-0x000001F956858000-memory.dmp

Filesize
96KB

Download
memory/4688-134-0x00007FFBA9210000-0x00007FFBA9CD1000-memory.dmp

Filesize
10.8MB

Download