bitrat | 017ab0c10991b0d3faa2b6fdc43487632418c4f5a337e94f8490233d254ba566

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tst.exe
Size

1.4MB
MD5

3412592c23a9bc93a234c5e25130a71a
SHA1

cad0b43ff636a6d6dbbfbd38e134aa0acda7b052
SHA256

017ab0c10991b0d3faa2b6fdc43487632418c4f5a337e94f8490233d254ba566
SHA512

2076c9ebf616986a5e7a309bc105639abaf1ece7fcc69585457026371353aca82377f70f2903340ed28f40b69f9314c925f2319431d05b0ea527ab4ce0bd75a3
SSDEEP

24576:2ndRKZCy2BrhCeU2i2cJijFbCBTPmiY05tJMSQp5ysA7Yg1nLkz6Nf6F6j4:gXDFBU2iIBb0xY/6sUYYf56Fu4

Score

10^/10

bitrat persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

45.95.168.128:23202

Attributes

communication_password
ed99c23d77796aac877ce1f91481dc28
install_dir
Oracle
install_file
java.exe
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1704-55-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1704-56-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tst.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Local\\Oracle\\java.exe"	tst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

tst.exe

pid process

1704 tst.exe
1704 tst.exe
1704 tst.exe
1704 tst.exe

Suspicious behavior: RenamesItself 27 IoCs

Processes:

tst.exe

pid	process
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe
1704	tst.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tst.exe

description pid process

Token: SeDebugPrivilege 1704 tst.exe
Token: SeShutdownPrivilege 1704 tst.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

tst.exe

pid process

1704 tst.exe
1704 tst.exe

description	pid	process
Token: SeDebugPrivilege	1704	tst.exe
Token: SeShutdownPrivilege	1704	tst.exe

C:\Users\Admin\AppData\Local\Temp\tst.exe
"C:\Users\Admin\AppData\Local\Temp\tst.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1704-54-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/1704-55-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1704-56-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download