bitrat | cd071b60449984568f35670bcb89e4988f6532be7e6087c9ce7021bc0cc49a56

General

Target

099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe
Size

300.0MB
MD5

1420cfc2bea47d52a937fbea0415baa8
SHA1

8d4ea7755d633dc9cd2f721d951fc17bdf5346d6
SHA256

099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1
SHA512

3546d9569ea5f6d891c42e5e805041fc288fcd78943dee2eef251cd52de1910213cfbe2d71e7386fa3d40d5a27ac3de39293e4e05487113b7cbd32c2dd3bb0c7
SSDEEP

24576:C5gfuhMt53oiTyVl7gyCPUmj15wlutqzKn4QpeuCdEz9aJ3bxKui0HpzYU0:C5+IUbGcq0hz9o3bkj2U

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat6060.duckdns.org:6060

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 1 IoCs

Processes:

dgfr.exe

pid process

1820 dgfr.exe

pid	process
1820	dgfr.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral3/memory/2012-60-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral3/memory/2012-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral3/memory/2012-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral3/memory/2012-65-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral3/memory/2012-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral3/memory/2012-67-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral3/memory/2012-69-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral3/memory/2012-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral3/memory/756-89-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral3/memory/756-90-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

vbc.exevbc.exe

pid process

2012 vbc.exe
2012 vbc.exe
2012 vbc.exe
2012 vbc.exe
756 vbc.exe

pid	process
2012	vbc.exe
2012	vbc.exe
2012	vbc.exe
2012	vbc.exe
756	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exedgfr.exe

description	pid	process	target process
PID 736 set thread context of 2012	736	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	vbc.exe
PID 1820 set thread context of 756	1820	dgfr.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

996 schtasks.exe
1928 schtasks.exe

pid	process
996	schtasks.exe
1928	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	2012	vbc.exe
Token: SeShutdownPrivilege	2012	vbc.exe
Token: SeDebugPrivilege	756	vbc.exe
Token: SeShutdownPrivilege	756	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vbc.exe

pid process

2012 vbc.exe
2012 vbc.exe

pid	process
2012	vbc.exe
2012	vbc.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.execmd.exetaskeng.exedgfr.execmd.exe

description	pid	process	target process
PID 736 wrote to memory of 980	736	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	cmd.exe
PID 736 wrote to memory of 980	736	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	cmd.exe
PID 736 wrote to memory of 980	736	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	cmd.exe
PID 736 wrote to memory of 980	736	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	cmd.exe
PID 980 wrote to memory of 1928	980	cmd.exe	schtasks.exe
PID 980 wrote to memory of 1928	980	cmd.exe	schtasks.exe
PID 980 wrote to memory of 1928	980	cmd.exe	schtasks.exe
PID 980 wrote to memory of 1928	980	cmd.exe	schtasks.exe
PID 736 wrote to memory of 2044	736	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	cmd.exe
PID 736 wrote to memory of 2044	736	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	cmd.exe
PID 736 wrote to memory of 2044	736	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	cmd.exe
PID 736 wrote to memory of 2044	736	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	cmd.exe
PID 736 wrote to memory of 2012	736	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	vbc.exe
PID 736 wrote to memory of 2012	736	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	vbc.exe
PID 736 wrote to memory of 2012	736	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	vbc.exe
PID 736 wrote to memory of 2012	736	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	vbc.exe
PID 736 wrote to memory of 2012	736	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	vbc.exe
PID 736 wrote to memory of 2012	736	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	vbc.exe
PID 736 wrote to memory of 2012	736	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	vbc.exe
PID 736 wrote to memory of 2012	736	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	vbc.exe
PID 1948 wrote to memory of 1820	1948	taskeng.exe	dgfr.exe
PID 1948 wrote to memory of 1820	1948	taskeng.exe	dgfr.exe
PID 1948 wrote to memory of 1820	1948	taskeng.exe	dgfr.exe
PID 1948 wrote to memory of 1820	1948	taskeng.exe	dgfr.exe
PID 1820 wrote to memory of 1408	1820	dgfr.exe	cmd.exe
PID 1820 wrote to memory of 1408	1820	dgfr.exe	cmd.exe
PID 1820 wrote to memory of 1408	1820	dgfr.exe	cmd.exe
PID 1820 wrote to memory of 1408	1820	dgfr.exe	cmd.exe
PID 1820 wrote to memory of 1664	1820	dgfr.exe	cmd.exe
PID 1820 wrote to memory of 1664	1820	dgfr.exe	cmd.exe
PID 1820 wrote to memory of 1664	1820	dgfr.exe	cmd.exe
PID 1820 wrote to memory of 1664	1820	dgfr.exe	cmd.exe
PID 1408 wrote to memory of 996	1408	cmd.exe	schtasks.exe
PID 1408 wrote to memory of 996	1408	cmd.exe	schtasks.exe
PID 1408 wrote to memory of 996	1408	cmd.exe	schtasks.exe
PID 1408 wrote to memory of 996	1408	cmd.exe	schtasks.exe
PID 1820 wrote to memory of 756	1820	dgfr.exe	vbc.exe
PID 1820 wrote to memory of 756	1820	dgfr.exe	vbc.exe
PID 1820 wrote to memory of 756	1820	dgfr.exe	vbc.exe
PID 1820 wrote to memory of 756	1820	dgfr.exe	vbc.exe
PID 1820 wrote to memory of 756	1820	dgfr.exe	vbc.exe
PID 1820 wrote to memory of 756	1820	dgfr.exe	vbc.exe
PID 1820 wrote to memory of 756	1820	dgfr.exe	vbc.exe
PID 1820 wrote to memory of 756	1820	dgfr.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe
"C:\Users\Admin\AppData\Local\Temp\099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dgfr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dgfr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1928

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe" "C:\Users\Admin\AppData\Roaming\dgfr.exe"
2⤵
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Windows\system32\taskeng.exe
taskeng.exe {C3C16FB2-E261-46A7-98B3-5B9B6899453E} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Roaming\dgfr.exe
C:\Users\Admin\AppData\Roaming\dgfr.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dgfr.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dgfr.exe'" /f
4⤵
- Creates scheduled task(s)
PID:996

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\dgfr.exe" "C:\Users\Admin\AppData\Roaming\dgfr.exe"
3⤵
PID:1664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dgfr.exe

Filesize
300.0MB

MD5
1420cfc2bea47d52a937fbea0415baa8

SHA1
8d4ea7755d633dc9cd2f721d951fc17bdf5346d6

SHA256
099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1

SHA512
3546d9569ea5f6d891c42e5e805041fc288fcd78943dee2eef251cd52de1910213cfbe2d71e7386fa3d40d5a27ac3de39293e4e05487113b7cbd32c2dd3bb0c7

Download Submit
C:\Users\Admin\AppData\Roaming\dgfr.exe

Filesize
300.0MB

MD5
1420cfc2bea47d52a937fbea0415baa8

SHA1
8d4ea7755d633dc9cd2f721d951fc17bdf5346d6

SHA256
099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1

SHA512
3546d9569ea5f6d891c42e5e805041fc288fcd78943dee2eef251cd52de1910213cfbe2d71e7386fa3d40d5a27ac3de39293e4e05487113b7cbd32c2dd3bb0c7

Download Submit
memory/736-55-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/736-54-0x0000000000990000-0x0000000000B16000-memory.dmp

Filesize
1.5MB

Download
memory/756-90-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/756-89-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/756-84-0x00000000007E2730-mapping.dmp

Download
memory/980-56-0x0000000000000000-mapping.dmp

Download
memory/996-78-0x0000000000000000-mapping.dmp

Download
memory/1408-76-0x0000000000000000-mapping.dmp

Download
memory/1664-77-0x0000000000000000-mapping.dmp

Download
memory/1820-74-0x0000000000DE0000-0x0000000000F66000-memory.dmp

Filesize
1.5MB

Download
memory/1820-72-0x0000000000000000-mapping.dmp

Download
memory/1928-57-0x0000000000000000-mapping.dmp

Download
memory/2012-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2012-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2012-69-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2012-67-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2012-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2012-65-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2012-64-0x00000000007E2730-mapping.dmp

Download
memory/2012-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2012-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2012-59-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2044-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads