bitrat | cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2022 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe
Size

733KB
MD5

4f7199a3cf8228b7a1ea06157e033f1f
SHA1

9c3dc25dc1baf8bea180d0ef6cdc7ecc19de3b5d
SHA256

cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8
SHA512

3be7a80b373c81fc16637ad99ec84d185c3e2bb3e60c540f0dd60fbe1c85407caaf1ec2993a1114856a466fdb3763132e5d501bb5d8f16c179bad91322294d7e
SSDEEP

12288:vE8us5hZIRFFRs4nmHQqtZua/3RvWEmhj+wzhd:MJ8ZIRFFRPnmDzuUmYYh

Score

10^/10

bitrat modiloader persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

winery.nsupdate.info:5877

Attributes

communication_password
e5ff7c52fb3501484ea7ca8641803415
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 63 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1436-132-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-134-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-135-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-136-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-137-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-138-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-139-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-140-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-141-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-142-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-143-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-144-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-145-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-146-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-147-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-148-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-150-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-149-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-152-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-151-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-153-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-154-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-155-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-156-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-157-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-158-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-159-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-160-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-161-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-162-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-163-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-164-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-165-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-166-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-167-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-168-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-169-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-170-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-171-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-172-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-173-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-174-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-175-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-176-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-177-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-178-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-179-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-180-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-181-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-182-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-183-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-184-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-185-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-186-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-187-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-188-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-189-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-190-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-191-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-192-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-193-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-194-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2
behavioral2/memory/1436-195-0x00000000022E0000-0x000000000230B000-memory.dmp	modiloader_stage2

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3096-336-0x0000000010410000-0x00000000107F4000-memory.dmp	upx
behavioral2/memory/3096-338-0x0000000010410000-0x00000000107F4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Retefpad = "C:\\Users\\Public\\Libraries\\dapfeteR.url"	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

colorcpl.exe

pid process

3096 colorcpl.exe
3096 colorcpl.exe
3096 colorcpl.exe
3096 colorcpl.exe
3096 colorcpl.exe

pid	process
3096	colorcpl.exe
3096	colorcpl.exe
3096	colorcpl.exe
3096	colorcpl.exe
3096	colorcpl.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe

pid	process
1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe
1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

colorcpl.exe

description pid process

Token: SeShutdownPrivilege 3096 colorcpl.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

colorcpl.exe

pid process

3096 colorcpl.exe
3096 colorcpl.exe

description	pid	process
Token: SeShutdownPrivilege	3096	colorcpl.exe

pid	process
3096	colorcpl.exe
3096	colorcpl.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe

description	pid	process	target process
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe
PID 1436 wrote to memory of 3096	1436	cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe	colorcpl.exe

C:\Users\Admin\AppData\Local\Temp\cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe
"C:\Users\Admin\AppData\Local\Temp\cafb7d353313362efa3d09e9a4345c681bba522185870ceb930216d54ffe00c8.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\colorcpl.exe
C:\Windows\System32\colorcpl.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1436-132-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-134-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-135-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-136-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-137-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-138-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-139-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-140-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-141-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-142-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-143-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-144-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-145-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-146-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-147-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-148-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-150-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-149-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-152-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-151-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-153-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-154-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-155-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-156-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-157-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-158-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-159-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-160-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-161-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-162-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-163-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-164-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-165-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-166-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-167-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-168-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-169-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-170-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-171-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-172-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-173-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-174-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-175-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-176-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-177-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-178-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-179-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-180-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-181-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-182-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-183-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-184-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-185-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-186-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-187-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-188-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-189-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-190-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-191-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-192-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-193-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-194-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/1436-195-0x00000000022E0000-0x000000000230B000-memory.dmp

Filesize
172KB

Download
memory/3096-209-0x0000000000000000-mapping.dmp

Download
memory/3096-336-0x0000000010410000-0x00000000107F4000-memory.dmp

Filesize
3.9MB

Download
memory/3096-337-0x0000000075A10000-0x0000000075A49000-memory.dmp

Filesize
228KB

Download
memory/3096-338-0x0000000010410000-0x00000000107F4000-memory.dmp

Filesize
3.9MB

Download