bitrat | 5d96c7e165399a26f874e14e20ab5277914f4fceeda523a2e2c805a9d8047a15

General

Target

SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe
Size

12KB
MD5

6cf48390a34ca29ca93ed9d1233a867b
SHA1

91be3e627987d930bb19bd47a23fce1cfa2c7775
SHA256

5d96c7e165399a26f874e14e20ab5277914f4fceeda523a2e2c805a9d8047a15
SHA512

160dedaa9c589386ff759cfa457da10d442b520e17e091243ed7a33cf9b7eff30fd7b170343082e770465691503e1722564ca8687dd006d8f1285dd1222faf7b
SSDEEP

192:X3LbBdjbp21sijBFR1TTgJMRqIcuuufNva:n3B5bpynTTEKRdN

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

37.139.128.233:3569

Attributes

communication_password
ce952068942604a6d6df06ed5002fad6
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jkxkjn = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ngbxl\\Jkxkjn.exe\""	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe

pid	process
7292	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe
7292	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe
7292	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe
7292	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe
7292	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe

description	pid	process	target process
PID 1540 set thread context of 7292	1540	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

6416 powershell.exe
6416 powershell.exe

pid	process
6416	powershell.exe
6416	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exepowershell.exeSecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe

description	pid	process
Token: SeDebugPrivilege	1540	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe
Token: SeDebugPrivilege	6416	powershell.exe
Token: SeShutdownPrivilege	7292	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe

pid process

7292 SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe
7292 SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe

description	pid	process	target process
PID 1540 wrote to memory of 6416	1540	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe	powershell.exe
PID 1540 wrote to memory of 6416	1540	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe	powershell.exe
PID 1540 wrote to memory of 6416	1540	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe	powershell.exe
PID 1540 wrote to memory of 7292	1540	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe
PID 1540 wrote to memory of 7292	1540	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe
PID 1540 wrote to memory of 7292	1540	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe
PID 1540 wrote to memory of 7292	1540	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe
PID 1540 wrote to memory of 7292	1540	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe
PID 1540 wrote to memory of 7292	1540	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe
PID 1540 wrote to memory of 7292	1540	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe
PID 1540 wrote to memory of 7292	1540	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe
PID 1540 wrote to memory of 7292	1540	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe
PID 1540 wrote to memory of 7292	1540	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe
PID 1540 wrote to memory of 7292	1540	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe	SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6416

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Heur.IEC.908d4036d15.26473.7906.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:7292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1540-132-0x0000000000200000-0x0000000000208000-memory.dmp

Filesize
32KB

Download
memory/1540-133-0x00000000050B0000-0x0000000005654000-memory.dmp

Filesize
5.6MB

Download
memory/1540-134-0x0000000004C40000-0x0000000004CD2000-memory.dmp

Filesize
584KB

Download
memory/1540-135-0x0000000004C30000-0x0000000004C3A000-memory.dmp

Filesize
40KB

Download
memory/1540-136-0x0000000006350000-0x0000000006372000-memory.dmp

Filesize
136KB

Download
memory/6416-137-0x0000000000000000-mapping.dmp

Download
memory/6416-138-0x0000000000D70000-0x0000000000DA6000-memory.dmp

Filesize
216KB

Download
memory/6416-139-0x0000000004C20000-0x0000000005248000-memory.dmp

Filesize
6.2MB

Download
memory/6416-140-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/6416-141-0x0000000005490000-0x00000000054F6000-memory.dmp

Filesize
408KB

Download
memory/6416-142-0x0000000005B00000-0x0000000005B1E000-memory.dmp

Filesize
120KB

Download
memory/6416-143-0x00000000072F0000-0x000000000796A000-memory.dmp

Filesize
6.5MB

Download
memory/6416-144-0x0000000005FF0000-0x000000000600A000-memory.dmp

Filesize
104KB

Download
memory/7292-145-0x0000000000000000-mapping.dmp

Download
memory/7292-146-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/7292-147-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/7292-148-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/7292-149-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/7292-150-0x0000000074A40000-0x0000000074A79000-memory.dmp

Filesize
228KB

Download
memory/7292-151-0x0000000074DE0000-0x0000000074E19000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads