bitrat | cd071b60449984568f35670bcb89e4988f6532be7e6087c9ce7021bc0cc49a56

General

Target

099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe
Size

300.0MB
MD5

1420cfc2bea47d52a937fbea0415baa8
SHA1

8d4ea7755d633dc9cd2f721d951fc17bdf5346d6
SHA256

099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1
SHA512

3546d9569ea5f6d891c42e5e805041fc288fcd78943dee2eef251cd52de1910213cfbe2d71e7386fa3d40d5a27ac3de39293e4e05487113b7cbd32c2dd3bb0c7
SSDEEP

24576:C5gfuhMt53oiTyVl7gyCPUmj15wlutqzKn4QpeuCdEz9aJ3bxKui0HpzYU0:C5+IUbGcq0hz9o3bkj2U

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat6060.duckdns.org:6060

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 2 IoCs

Processes:

dgfr.exedgfr.exe

pid process

1420 dgfr.exe
4104 dgfr.exe

pid	process
1420	dgfr.exe
4104	dgfr.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral4/memory/1124-139-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral4/memory/1124-140-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral4/memory/1124-141-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral4/memory/1124-142-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral4/memory/1124-143-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral4/memory/1124-148-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral4/memory/4812-155-0x00000000007B0000-0x0000000000B94000-memory.dmp	upx
behavioral4/memory/4812-156-0x00000000007B0000-0x0000000000B94000-memory.dmp	upx
behavioral4/memory/3176-165-0x0000000000600000-0x00000000009E4000-memory.dmp	upx
behavioral4/memory/3176-166-0x0000000000600000-0x00000000009E4000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

vbc.exe

pid process

1124 vbc.exe
1124 vbc.exe
1124 vbc.exe
1124 vbc.exe

pid	process
1124	vbc.exe
1124	vbc.exe
1124	vbc.exe
1124	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exedgfr.exedgfr.exe

description	pid	process	target process
PID 1324 set thread context of 1124	1324	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	vbc.exe
PID 1420 set thread context of 4812	1420	dgfr.exe	vbc.exe
PID 4104 set thread context of 3176	4104	dgfr.exe	vbc.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2252 4812 WerFault.exe vbc.exe
1584 4812 WerFault.exe vbc.exe
4220 3176 WerFault.exe vbc.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1900 schtasks.exe
504 schtasks.exe
4364 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeShutdownPrivilege 1124 vbc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vbc.exe

pid process

1124 vbc.exe
1124 vbc.exe

pid	pid_target	process	target process
2252	4812	WerFault.exe	vbc.exe
1584	4812	WerFault.exe	vbc.exe
4220	3176	WerFault.exe	vbc.exe

pid	process
1900	schtasks.exe
504	schtasks.exe
4364	schtasks.exe

description	pid	process
Token: SeShutdownPrivilege	1124	vbc.exe

pid	process
1124	vbc.exe
1124	vbc.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.execmd.exedgfr.execmd.exedgfr.execmd.exe

description	pid	process	target process
PID 1324 wrote to memory of 2144	1324	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	cmd.exe
PID 1324 wrote to memory of 2144	1324	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	cmd.exe
PID 1324 wrote to memory of 2144	1324	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	cmd.exe
PID 2144 wrote to memory of 4364	2144	cmd.exe	schtasks.exe
PID 2144 wrote to memory of 4364	2144	cmd.exe	schtasks.exe
PID 2144 wrote to memory of 4364	2144	cmd.exe	schtasks.exe
PID 1324 wrote to memory of 5100	1324	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	cmd.exe
PID 1324 wrote to memory of 5100	1324	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	cmd.exe
PID 1324 wrote to memory of 5100	1324	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	cmd.exe
PID 1324 wrote to memory of 1124	1324	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	vbc.exe
PID 1324 wrote to memory of 1124	1324	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	vbc.exe
PID 1324 wrote to memory of 1124	1324	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	vbc.exe
PID 1324 wrote to memory of 1124	1324	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	vbc.exe
PID 1324 wrote to memory of 1124	1324	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	vbc.exe
PID 1324 wrote to memory of 1124	1324	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	vbc.exe
PID 1324 wrote to memory of 1124	1324	099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe	vbc.exe
PID 1420 wrote to memory of 2436	1420	dgfr.exe	cmd.exe
PID 1420 wrote to memory of 2436	1420	dgfr.exe	cmd.exe
PID 1420 wrote to memory of 2436	1420	dgfr.exe	cmd.exe
PID 1420 wrote to memory of 1212	1420	dgfr.exe	cmd.exe
PID 1420 wrote to memory of 1212	1420	dgfr.exe	cmd.exe
PID 1420 wrote to memory of 1212	1420	dgfr.exe	cmd.exe
PID 2436 wrote to memory of 1900	2436	cmd.exe	schtasks.exe
PID 2436 wrote to memory of 1900	2436	cmd.exe	schtasks.exe
PID 2436 wrote to memory of 1900	2436	cmd.exe	schtasks.exe
PID 1420 wrote to memory of 4812	1420	dgfr.exe	vbc.exe
PID 1420 wrote to memory of 4812	1420	dgfr.exe	vbc.exe
PID 1420 wrote to memory of 4812	1420	dgfr.exe	vbc.exe
PID 1420 wrote to memory of 4812	1420	dgfr.exe	vbc.exe
PID 1420 wrote to memory of 4812	1420	dgfr.exe	vbc.exe
PID 1420 wrote to memory of 4812	1420	dgfr.exe	vbc.exe
PID 1420 wrote to memory of 4812	1420	dgfr.exe	vbc.exe
PID 4104 wrote to memory of 2680	4104	dgfr.exe	cmd.exe
PID 4104 wrote to memory of 2680	4104	dgfr.exe	cmd.exe
PID 4104 wrote to memory of 2680	4104	dgfr.exe	cmd.exe
PID 2680 wrote to memory of 504	2680	cmd.exe	schtasks.exe
PID 2680 wrote to memory of 504	2680	cmd.exe	schtasks.exe
PID 2680 wrote to memory of 504	2680	cmd.exe	schtasks.exe
PID 4104 wrote to memory of 3084	4104	dgfr.exe	cmd.exe
PID 4104 wrote to memory of 3084	4104	dgfr.exe	cmd.exe
PID 4104 wrote to memory of 3084	4104	dgfr.exe	cmd.exe
PID 4104 wrote to memory of 3176	4104	dgfr.exe	vbc.exe
PID 4104 wrote to memory of 3176	4104	dgfr.exe	vbc.exe
PID 4104 wrote to memory of 3176	4104	dgfr.exe	vbc.exe
PID 4104 wrote to memory of 3176	4104	dgfr.exe	vbc.exe
PID 4104 wrote to memory of 3176	4104	dgfr.exe	vbc.exe
PID 4104 wrote to memory of 3176	4104	dgfr.exe	vbc.exe
PID 4104 wrote to memory of 3176	4104	dgfr.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe
"C:\Users\Admin\AppData\Local\Temp\099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dgfr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dgfr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4364

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1.exe" "C:\Users\Admin\AppData\Roaming\dgfr.exe"
2⤵
PID:5100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1124

C:\Users\Admin\AppData\Roaming\dgfr.exe
C:\Users\Admin\AppData\Roaming\dgfr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dgfr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dgfr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1900

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\dgfr.exe" "C:\Users\Admin\AppData\Roaming\dgfr.exe"
2⤵
PID:1212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 184
3⤵
- Program crash
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 188
3⤵
- Program crash
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4812 -ip 4812
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4812 -ip 4812
1⤵
PID:1144

C:\Users\Admin\AppData\Roaming\dgfr.exe
C:\Users\Admin\AppData\Roaming\dgfr.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dgfr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\dgfr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:504

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\dgfr.exe" "C:\Users\Admin\AppData\Roaming\dgfr.exe"
2⤵
PID:3084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 188
3⤵
- Program crash
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3176 -ip 3176
1⤵
PID:2612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dgfr.exe.log

Filesize
612B

MD5
ca95b0db0b212857216268544c58e741

SHA1
5c2fd4ee1dc02d9412a19454562129f97bf930b5

SHA256
bdcf4429adc6ee689394b8ea1628e98bac4d0b7f8d735e5bf9e96218a41cd6f0

SHA512
c3d83412ec5c6dd7398c7ec0ae73838eed3f9e6e539771066378d74479092bc18f73deac581c3e5f053487eef1ae432a565eec2aa706c7ddf16d5855cb0e70bb

Download Submit
C:\Users\Admin\AppData\Roaming\dgfr.exe

Filesize
300.0MB

MD5
1420cfc2bea47d52a937fbea0415baa8

SHA1
8d4ea7755d633dc9cd2f721d951fc17bdf5346d6

SHA256
099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1

SHA512
3546d9569ea5f6d891c42e5e805041fc288fcd78943dee2eef251cd52de1910213cfbe2d71e7386fa3d40d5a27ac3de39293e4e05487113b7cbd32c2dd3bb0c7

Download Submit
C:\Users\Admin\AppData\Roaming\dgfr.exe

Filesize
300.0MB

MD5
1420cfc2bea47d52a937fbea0415baa8

SHA1
8d4ea7755d633dc9cd2f721d951fc17bdf5346d6

SHA256
099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1

SHA512
3546d9569ea5f6d891c42e5e805041fc288fcd78943dee2eef251cd52de1910213cfbe2d71e7386fa3d40d5a27ac3de39293e4e05487113b7cbd32c2dd3bb0c7

Download Submit
C:\Users\Admin\AppData\Roaming\dgfr.exe

Filesize
300.0MB

MD5
1420cfc2bea47d52a937fbea0415baa8

SHA1
8d4ea7755d633dc9cd2f721d951fc17bdf5346d6

SHA256
099afcdcf586e43f851a0a63d12328f5a44884a711c61c8679a693bd239d51b1

SHA512
3546d9569ea5f6d891c42e5e805041fc288fcd78943dee2eef251cd52de1910213cfbe2d71e7386fa3d40d5a27ac3de39293e4e05487113b7cbd32c2dd3bb0c7

Download Submit
memory/504-161-0x0000000000000000-mapping.dmp

Download
memory/1124-140-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1124-151-0x0000000070FF0000-0x0000000071029000-memory.dmp

Filesize
228KB

Download
memory/1124-139-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1124-168-0x0000000074EA0000-0x0000000074ED9000-memory.dmp

Filesize
228KB

Download
memory/1124-141-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1124-142-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1124-143-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1124-167-0x0000000070FF0000-0x0000000071029000-memory.dmp

Filesize
228KB

Download
memory/1124-138-0x0000000000000000-mapping.dmp

Download
memory/1124-146-0x0000000071330000-0x0000000071369000-memory.dmp

Filesize
228KB

Download
memory/1124-147-0x0000000070FF0000-0x0000000071029000-memory.dmp

Filesize
228KB

Download
memory/1124-148-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1124-159-0x0000000071750000-0x0000000071789000-memory.dmp

Filesize
228KB

Download
memory/1212-150-0x0000000000000000-mapping.dmp

Download
memory/1324-136-0x0000000005990000-0x0000000005F34000-memory.dmp

Filesize
5.6MB

Download
memory/1324-132-0x00000000005F0000-0x0000000000776000-memory.dmp

Filesize
1.5MB

Download
memory/1324-133-0x00000000050B0000-0x0000000005116000-memory.dmp

Filesize
408KB

Download
memory/1900-152-0x0000000000000000-mapping.dmp

Download
memory/2144-134-0x0000000000000000-mapping.dmp

Download
memory/2436-149-0x0000000000000000-mapping.dmp

Download
memory/2680-160-0x0000000000000000-mapping.dmp

Download
memory/3084-162-0x0000000000000000-mapping.dmp

Download
memory/3176-163-0x0000000000000000-mapping.dmp

Download
memory/3176-165-0x0000000000600000-0x00000000009E4000-memory.dmp

Filesize
3.9MB

Download
memory/3176-166-0x0000000000600000-0x00000000009E4000-memory.dmp

Filesize
3.9MB

Download
memory/4364-135-0x0000000000000000-mapping.dmp

Download
memory/4812-156-0x00000000007B0000-0x0000000000B94000-memory.dmp

Filesize
3.9MB

Download
memory/4812-155-0x00000000007B0000-0x0000000000B94000-memory.dmp

Filesize
3.9MB

Download
memory/4812-153-0x0000000000000000-mapping.dmp

Download
memory/5100-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads