bitrat | 67cda8c74585c33e1aaf255bf9283b781c2f4e15b7833ea02c3a725bc4ef9ea1

General

Target

3164_23_147_PDF.exe
Size

300.0MB
MD5

19ee0757397eff0b8cafa381c9c3737b
SHA1

801fbacb698b52aca0448fcbd6ab44d921ff6c3d
SHA256

50c0fd86906d4b61410326cde1aaf9c114684287b0b165e785873b599f6dd9c3
SHA512

ef09f79119e3f55d4e85b83a2586d41b2e4156ed2a7d28784aa880218d8c1dc623268b4232b22e254bcd91aa9d202e7a044d4d25ec289ab08b3228197beed312
SSDEEP

98304:FwcVlQ8/lL2LLeZWL0kDdtJRLum/quFUD1nUzsg:ycX1VCLeen1UpU

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bit9090.duckdns.org:9090

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 2 IoCs

Processes:

nbitt9090.execvdafs.exe

pid process

5004 nbitt9090.exe
3124 cvdafs.exe

pid	process
5004	nbitt9090.exe
3124	cvdafs.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1304-140-0x0000000000610000-0x00000000009F4000-memory.dmp	upx
behavioral2/memory/1304-141-0x0000000000610000-0x00000000009F4000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\nbitt9090.exe	upx
C:\Users\Admin\AppData\Local\Temp\nbitt9090.exe	upx
behavioral2/memory/5004-146-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/5004-149-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3616-158-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3616-159-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3616-160-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3616-161-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3164_23_147_PDF.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	3164_23_147_PDF.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

nbitt9090.exe

pid process

5004 nbitt9090.exe
5004 nbitt9090.exe
5004 nbitt9090.exe
5004 nbitt9090.exe

pid	process
5004	nbitt9090.exe
5004	nbitt9090.exe
5004	nbitt9090.exe
5004	nbitt9090.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

3164_23_147_PDF.execvdafs.exe

description	pid	process	target process
PID 1216 set thread context of 1304	1216	3164_23_147_PDF.exe	vbc.exe
PID 3124 set thread context of 3616	3124	cvdafs.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5012 1304 WerFault.exe vbc.exe
5000 1304 WerFault.exe vbc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3200 schtasks.exe
4980 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nbitt9090.exe

description pid process

Token: SeShutdownPrivilege 5004 nbitt9090.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

nbitt9090.exe

pid process

5004 nbitt9090.exe
5004 nbitt9090.exe

pid	pid_target	process	target process
5012	1304	WerFault.exe	vbc.exe
5000	1304	WerFault.exe	vbc.exe

pid	process
3200	schtasks.exe
4980	schtasks.exe

description	pid	process
Token: SeShutdownPrivilege	5004	nbitt9090.exe

pid	process
5004	nbitt9090.exe
5004	nbitt9090.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

3164_23_147_PDF.execmd.exevbc.execvdafs.execmd.exe

description	pid	process	target process
PID 1216 wrote to memory of 864	1216	3164_23_147_PDF.exe	cmd.exe
PID 1216 wrote to memory of 864	1216	3164_23_147_PDF.exe	cmd.exe
PID 1216 wrote to memory of 864	1216	3164_23_147_PDF.exe	cmd.exe
PID 864 wrote to memory of 3200	864	cmd.exe	schtasks.exe
PID 864 wrote to memory of 3200	864	cmd.exe	schtasks.exe
PID 864 wrote to memory of 3200	864	cmd.exe	schtasks.exe
PID 1216 wrote to memory of 4668	1216	3164_23_147_PDF.exe	cmd.exe
PID 1216 wrote to memory of 4668	1216	3164_23_147_PDF.exe	cmd.exe
PID 1216 wrote to memory of 4668	1216	3164_23_147_PDF.exe	cmd.exe
PID 1216 wrote to memory of 1304	1216	3164_23_147_PDF.exe	vbc.exe
PID 1216 wrote to memory of 1304	1216	3164_23_147_PDF.exe	vbc.exe
PID 1216 wrote to memory of 1304	1216	3164_23_147_PDF.exe	vbc.exe
PID 1216 wrote to memory of 1304	1216	3164_23_147_PDF.exe	vbc.exe
PID 1216 wrote to memory of 1304	1216	3164_23_147_PDF.exe	vbc.exe
PID 1216 wrote to memory of 1304	1216	3164_23_147_PDF.exe	vbc.exe
PID 1216 wrote to memory of 1304	1216	3164_23_147_PDF.exe	vbc.exe
PID 1304 wrote to memory of 5012	1304	vbc.exe	WerFault.exe
PID 1304 wrote to memory of 5012	1304	vbc.exe	WerFault.exe
PID 1304 wrote to memory of 5012	1304	vbc.exe	WerFault.exe
PID 1216 wrote to memory of 5004	1216	3164_23_147_PDF.exe	nbitt9090.exe
PID 1216 wrote to memory of 5004	1216	3164_23_147_PDF.exe	nbitt9090.exe
PID 1216 wrote to memory of 5004	1216	3164_23_147_PDF.exe	nbitt9090.exe
PID 3124 wrote to memory of 4012	3124	cvdafs.exe	cmd.exe
PID 3124 wrote to memory of 4012	3124	cvdafs.exe	cmd.exe
PID 3124 wrote to memory of 4012	3124	cvdafs.exe	cmd.exe
PID 4012 wrote to memory of 4980	4012	cmd.exe	schtasks.exe
PID 4012 wrote to memory of 4980	4012	cmd.exe	schtasks.exe
PID 4012 wrote to memory of 4980	4012	cmd.exe	schtasks.exe
PID 3124 wrote to memory of 2856	3124	cvdafs.exe	cmd.exe
PID 3124 wrote to memory of 2856	3124	cvdafs.exe	cmd.exe
PID 3124 wrote to memory of 2856	3124	cvdafs.exe	cmd.exe
PID 3124 wrote to memory of 3616	3124	cvdafs.exe	vbc.exe
PID 3124 wrote to memory of 3616	3124	cvdafs.exe	vbc.exe
PID 3124 wrote to memory of 3616	3124	cvdafs.exe	vbc.exe
PID 3124 wrote to memory of 3616	3124	cvdafs.exe	vbc.exe
PID 3124 wrote to memory of 3616	3124	cvdafs.exe	vbc.exe
PID 3124 wrote to memory of 3616	3124	cvdafs.exe	vbc.exe
PID 3124 wrote to memory of 3616	3124	cvdafs.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\3164_23_147_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\3164_23_147_PDF.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\cvdafs.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\cvdafs.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3200

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\3164_23_147_PDF.exe" "C:\Users\Admin\AppData\Roaming\cvdafs.exe"
2⤵
PID:4668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 188
3⤵
- Program crash
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 188
3⤵
- Program crash
PID:5000

C:\Users\Admin\AppData\Local\Temp\nbitt9090.exe
"C:\Users\Admin\AppData\Local\Temp\nbitt9090.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1304 -ip 1304
1⤵
PID:4972

C:\Users\Admin\AppData\Roaming\cvdafs.exe
C:\Users\Admin\AppData\Roaming\cvdafs.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\cvdafs.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\cvdafs.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4980

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\cvdafs.exe" "C:\Users\Admin\AppData\Roaming\cvdafs.exe"
2⤵
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:3616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nbitt9090.exe

Filesize
1.4MB

MD5
d2d601c4f27a42233076ebc6e05f07f0

SHA1
5a0b561f883b88ca3d4d9bdba5143f103ea83d14

SHA256
dc9fcc38f0fad625bdd15fa418178cbcd8783e8c66bccf1bd300ead64c9e05eb

SHA512
f28db947332f2151de3a7b24101788afaeb3a00a63221dd20b745bd4ffe1ca495c6a4ac148ff8925635b720ae7c8bc586ab697622097a78a0e2588aa9d70b077

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbitt9090.exe

Filesize
1.4MB

MD5
d2d601c4f27a42233076ebc6e05f07f0

SHA1
5a0b561f883b88ca3d4d9bdba5143f103ea83d14

SHA256
dc9fcc38f0fad625bdd15fa418178cbcd8783e8c66bccf1bd300ead64c9e05eb

SHA512
f28db947332f2151de3a7b24101788afaeb3a00a63221dd20b745bd4ffe1ca495c6a4ac148ff8925635b720ae7c8bc586ab697622097a78a0e2588aa9d70b077

Download Submit
C:\Users\Admin\AppData\Roaming\cvdafs.exe

Filesize
129.2MB

MD5
b44211bf75dc8edaf5d4b5ddf202578d

SHA1
3e4fd76a1218623a9d56f1568d774d7fa46324fa

SHA256
a607203b8900aa5f2f6e057bd39b18c6470ddfe00aef6434d167f61a6f72d72c

SHA512
cbe2129406980a51cd4363e1f3cd19b5a56edb51205f6bfdc6e4ee2ac27c28f6e795353176c70aedd8eab3ceac138d9ef306b7117bd80ff835ae6cd0d73250b6

Download Submit
C:\Users\Admin\AppData\Roaming\cvdafs.exe

Filesize
152.7MB

MD5
aa6f6578dfa59933beeb4cf6928434e6

SHA1
a3003ac331d3e10289023dd4e11da242500d1937

SHA256
c6948680d8b59cfcfcf11ea6a1bf45ca66d6e4645b597df53560272db99dc90a

SHA512
ce785bdba11886902b3b60c02c7a2071dbb979d3111895b5c6d4226d3efbebdbf6a23578525e066c9f67834c124484fe5b87459642a3573de0764367c8bd4855

Download Submit
memory/864-134-0x0000000000000000-mapping.dmp

Download
memory/1216-136-0x0000000005AD0000-0x0000000006074000-memory.dmp

Filesize
5.6MB

Download
memory/1216-132-0x0000000000590000-0x0000000000886000-memory.dmp

Filesize
3.0MB

Download
memory/1216-133-0x0000000005240000-0x00000000052A6000-memory.dmp

Filesize
408KB

Download
memory/1304-138-0x0000000000000000-mapping.dmp

Download
memory/1304-140-0x0000000000610000-0x00000000009F4000-memory.dmp

Filesize
3.9MB

Download
memory/1304-141-0x0000000000610000-0x00000000009F4000-memory.dmp

Filesize
3.9MB

Download
memory/2856-156-0x0000000000000000-mapping.dmp

Download
memory/3200-135-0x0000000000000000-mapping.dmp

Download
memory/3616-160-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3616-159-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3616-161-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3616-158-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3616-157-0x0000000000000000-mapping.dmp

Download
memory/4012-154-0x0000000000000000-mapping.dmp

Download
memory/4668-137-0x0000000000000000-mapping.dmp

Download
memory/4980-155-0x0000000000000000-mapping.dmp

Download
memory/5004-150-0x0000000075440000-0x0000000075479000-memory.dmp

Filesize
228KB

Download
memory/5004-153-0x0000000075160000-0x0000000075199000-memory.dmp

Filesize
228KB

Download
memory/5004-149-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5004-148-0x0000000075440000-0x0000000075479000-memory.dmp

Filesize
228KB

Download
memory/5004-147-0x00000000750A0000-0x00000000750D9000-memory.dmp

Filesize
228KB

Download
memory/5004-146-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5004-143-0x0000000000000000-mapping.dmp

Download
memory/5012-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads