bitrat | adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1

General

Target

adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
Size

47KB
MD5

7b3d705446a11e471cf9f65c0557f60a
SHA1

f4cbd006b13542ee9381bfdbbff25899aad1927b
SHA256

adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1
SHA512

0b6338e69fe7c67cfc230660c04e25baea7a1b0d3cd5b5341d8e714f320ce4211ef6d5a8cb3c50d006a8a0b2aa85b801356dbe536b9f80e4b445f761afcc617f
SSDEEP

768:F00wb76/OQvuoZ1XC/6FTi/wcdNLOlPwZvg4SjI/Ge7mC:FGOvuoZ1XCy14wcu2SjIqC

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

windowsnonbooterminernet.8h.re:63803

Attributes

communication_password
49c0c6521276aefdf9f6763ef24c5c1a
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe

pid	process
3412	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
3412	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
3412	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
3412	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe

description	pid	process	target process
PID 400 set thread context of 3412	400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe

pid	process
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exeadeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe

description	pid	process
Token: SeDebugPrivilege	400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
Token: SeShutdownPrivilege	3412	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe

pid	process
3412	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
3412	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe

description	pid	process	target process
PID 400 wrote to memory of 224	400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe	cmd.exe
PID 400 wrote to memory of 224	400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe	cmd.exe
PID 400 wrote to memory of 224	400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe	cmd.exe
PID 400 wrote to memory of 3412	400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
PID 400 wrote to memory of 3412	400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
PID 400 wrote to memory of 3412	400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
PID 400 wrote to memory of 3412	400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
PID 400 wrote to memory of 3412	400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
PID 400 wrote to memory of 3412	400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
PID 400 wrote to memory of 3412	400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
PID 400 wrote to memory of 3412	400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
PID 400 wrote to memory of 3412	400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
PID 400 wrote to memory of 3412	400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
PID 400 wrote to memory of 3412	400	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe	adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe

C:\Users\Admin\AppData\Local\Temp\adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
"C:\Users\Admin\AppData\Local\Temp\adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Copy "C:\Users\Admin\AppData\Local\Temp\adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe"
  2⤵
  - Drops startup file
  PID:224
- C:\Users\Admin\AppData\Local\Temp\adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe
  "C:\Users\Admin\AppData\Local\Temp\adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1.exe

Filesize
47KB

MD5
7b3d705446a11e471cf9f65c0557f60a

SHA1
f4cbd006b13542ee9381bfdbbff25899aad1927b

SHA256
adeac73d9683edb8ce2e8bd1c91211cd35bd1bbb4efae92d392cefd8a04580a1

SHA512
0b6338e69fe7c67cfc230660c04e25baea7a1b0d3cd5b5341d8e714f320ce4211ef6d5a8cb3c50d006a8a0b2aa85b801356dbe536b9f80e4b445f761afcc617f

Download Submit
memory/224-137-0x0000000000000000-mapping.dmp

Download
memory/400-132-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/400-133-0x0000000005BB0000-0x0000000006154000-memory.dmp

Filesize
5.6MB

Download
memory/400-134-0x0000000005600000-0x0000000005692000-memory.dmp

Filesize
584KB

Download
memory/400-135-0x00000000055B0000-0x00000000055BA000-memory.dmp

Filesize
40KB

Download
memory/400-136-0x0000000008B20000-0x0000000008BBC000-memory.dmp

Filesize
624KB

Download
memory/400-138-0x0000000009F20000-0x0000000009F86000-memory.dmp

Filesize
408KB

Download
memory/3412-146-0x00000000754C0000-0x00000000754F9000-memory.dmp

Filesize
228KB

Download
memory/3412-151-0x00000000754C0000-0x00000000754F9000-memory.dmp

Filesize
228KB

Download
memory/3412-142-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3412-143-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3412-144-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3412-145-0x00000000750E0000-0x0000000075119000-memory.dmp

Filesize
228KB

Download
memory/3412-140-0x0000000000000000-mapping.dmp

Download
memory/3412-147-0x00000000754C0000-0x00000000754F9000-memory.dmp

Filesize
228KB

Download
memory/3412-148-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3412-149-0x00000000754C0000-0x00000000754F9000-memory.dmp

Filesize
228KB

Download
memory/3412-150-0x00000000754C0000-0x00000000754F9000-memory.dmp

Filesize
228KB

Download
memory/3412-141-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3412-152-0x00000000754C0000-0x00000000754F9000-memory.dmp

Filesize
228KB

Download
memory/3412-153-0x00000000754C0000-0x00000000754F9000-memory.dmp

Filesize
228KB

Download
memory/3412-154-0x00000000750E0000-0x0000000075119000-memory.dmp

Filesize
228KB

Download
memory/3412-155-0x00000000754C0000-0x00000000754F9000-memory.dmp

Filesize
228KB

Download
memory/3412-156-0x00000000754C0000-0x00000000754F9000-memory.dmp

Filesize
228KB

Download
memory/3412-157-0x00000000754C0000-0x00000000754F9000-memory.dmp

Filesize
228KB

Download
memory/3412-158-0x00000000754C0000-0x00000000754F9000-memory.dmp

Filesize
228KB

Download
memory/3412-159-0x00000000754C0000-0x00000000754F9000-memory.dmp

Filesize
228KB

Download
memory/3412-160-0x00000000754C0000-0x00000000754F9000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads