bitrat | 76f4028be569b642d396b8e8936779493280aabcc3329f9058c19e78936c113e

General

Target

04d43d6b0a1277e7d1e93415f1aa6a1e.exe
Size

9.9MB
MD5

04d43d6b0a1277e7d1e93415f1aa6a1e
SHA1

35692f031bf902a62a5b09d4437fe35c7bbdc0b4
SHA256

76f4028be569b642d396b8e8936779493280aabcc3329f9058c19e78936c113e
SHA512

5c8e27422ee6d73192d1caa3ab1535119e6d2667a28ac6b094a1747ac129e66e2a9122ea3c1f86ad5193b7b2beefa69c50224c558f0400893d729d25c1434dc3
SSDEEP

196608:Whld/yJZn3gqkuSJHA2V6dQmRrdA6lakaqdVT8UdyDAS:yldKJZ3zkuIg2odQOlawdqUmAS

Score

10^/10

bitrat evasion persistence themida trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

79.137.206.203:7777

Attributes

communication_password
8e930496927757aac0dbd2438cb3f4f6
install_dir
%APPDATA%
install_file
ROCKEEETS
tor_process
tls

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

INST.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ INST.exe
Executes dropped EXE 1 IoCs

Processes:

INST.exe

pid process

3660 INST.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	INST.exe

pid	process
3660	INST.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

INST.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	INST.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	INST.exe

Loads dropped DLL 2 IoCs

Processes:

04d43d6b0a1277e7d1e93415f1aa6a1e.exe

pid process

4868 04d43d6b0a1277e7d1e93415f1aa6a1e.exe
4868 04d43d6b0a1277e7d1e93415f1aa6a1e.exe

pid	process
4868	04d43d6b0a1277e7d1e93415f1aa6a1e.exe
4868	04d43d6b0a1277e7d1e93415f1aa6a1e.exe

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\INST.exe	themida
C:\Users\Admin\AppData\Local\Temp\INST.exe	themida
behavioral2/memory/3660-143-0x00000000004A0000-0x0000000000F55000-memory.dmp	themida
behavioral2/memory/3660-144-0x00000000004A0000-0x0000000000F55000-memory.dmp	themida
behavioral2/memory/3660-145-0x00000000004A0000-0x0000000000F55000-memory.dmp	themida
behavioral2/memory/3660-146-0x00000000004A0000-0x0000000000F55000-memory.dmp	themida
behavioral2/memory/3660-148-0x00000000004A0000-0x0000000000F55000-memory.dmp	themida
behavioral2/memory/3660-149-0x00000000004A0000-0x0000000000F55000-memory.dmp	themida
behavioral2/memory/3660-150-0x00000000004A0000-0x0000000000F55000-memory.dmp	themida
behavioral2/memory/3660-151-0x00000000004A0000-0x0000000000F55000-memory.dmp	themida
behavioral2/memory/3660-154-0x00000000004A0000-0x0000000000F55000-memory.dmp	themida

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

INST.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ROCKEEETS = "C:\\Users\\Admin\\AppData\\Local\\%APPDATA%\\ROCKEEETS䄀"	INST.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ROCKEEETS = "C:\\Users\\Admin\\AppData\\Local\\%APPDATA%\\ROCKEEETS䜀"	INST.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ROCKEEETS = "C:\\Users\\Admin\\AppData\\Local\\%APPDATA%\\ROCKEEETSȀ"	INST.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ROCKEEETS = "C:\\Users\\Admin\\AppData\\Local\\%APPDATA%\\ROCKEEETS餀"	INST.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ROCKEEETS = "C:\\Users\\Admin\\AppData\\Local\\%APPDATA%\\ROCKEEETS"	INST.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

INST.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA INST.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

INST.exe

pid process

3660 INST.exe
3660 INST.exe
3660 INST.exe
3660 INST.exe
3660 INST.exe
3660 INST.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

INST.exe

description pid process

Token: SeShutdownPrivilege 3660 INST.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

INST.exe

pid process

3660 INST.exe
3660 INST.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	INST.exe

pid	process
3660	INST.exe
3660	INST.exe
3660	INST.exe
3660	INST.exe
3660	INST.exe
3660	INST.exe

description	pid	process
Token: SeShutdownPrivilege	3660	INST.exe

pid	process
3660	INST.exe
3660	INST.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

04d43d6b0a1277e7d1e93415f1aa6a1e.exe04d43d6b0a1277e7d1e93415f1aa6a1e.execmd.exe

description	pid	process	target process
PID 1516 wrote to memory of 4868	1516	04d43d6b0a1277e7d1e93415f1aa6a1e.exe	04d43d6b0a1277e7d1e93415f1aa6a1e.exe
PID 1516 wrote to memory of 4868	1516	04d43d6b0a1277e7d1e93415f1aa6a1e.exe	04d43d6b0a1277e7d1e93415f1aa6a1e.exe
PID 4868 wrote to memory of 2040	4868	04d43d6b0a1277e7d1e93415f1aa6a1e.exe	cmd.exe
PID 4868 wrote to memory of 2040	4868	04d43d6b0a1277e7d1e93415f1aa6a1e.exe	cmd.exe
PID 4868 wrote to memory of 1076	4868	04d43d6b0a1277e7d1e93415f1aa6a1e.exe	cmd.exe
PID 4868 wrote to memory of 1076	4868	04d43d6b0a1277e7d1e93415f1aa6a1e.exe	cmd.exe
PID 1076 wrote to memory of 3660	1076	cmd.exe	INST.exe
PID 1076 wrote to memory of 3660	1076	cmd.exe	INST.exe
PID 1076 wrote to memory of 3660	1076	cmd.exe	INST.exe

C:\Users\Admin\AppData\Local\Temp\04d43d6b0a1277e7d1e93415f1aa6a1e.exe
"C:\Users\Admin\AppData\Local\Temp\04d43d6b0a1277e7d1e93415f1aa6a1e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\04d43d6b0a1277e7d1e93415f1aa6a1e.exe
"C:\Users\Admin\AppData\Local\Temp\04d43d6b0a1277e7d1e93415f1aa6a1e.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SYSTEM32\cmd.exe
cmd /c echo %temp%
3⤵
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\INST.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Local\Temp\INST.exe
C:\Users\Admin\AppData\Local\Temp\INST.exe
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\INST.exe

Filesize
4.3MB

MD5
c9acdffcc9f0b3e090c3d0db43d94b72

SHA1
fc2a610949cc0c95d57da32015bf91a60dbfae6c

SHA256
7f331d1087613c8fc17e827c391f18c93532ab3f98d5cf99321c14e53bb15859

SHA512
e1bba90fee8a191167ae9825cb1c458fb891deadabd2fa1d0f9a8a1d422fd902bb7ba88b7ae3748be8f16f71cc0dbbd1d09ed7180ffcbdd5e4781be6ad8ec891

Download Submit
C:\Users\Admin\AppData\Local\Temp\INST.exe

Filesize
4.3MB

MD5
c9acdffcc9f0b3e090c3d0db43d94b72

SHA1
fc2a610949cc0c95d57da32015bf91a60dbfae6c

SHA256
7f331d1087613c8fc17e827c391f18c93532ab3f98d5cf99321c14e53bb15859

SHA512
e1bba90fee8a191167ae9825cb1c458fb891deadabd2fa1d0f9a8a1d422fd902bb7ba88b7ae3748be8f16f71cc0dbbd1d09ed7180ffcbdd5e4781be6ad8ec891

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\base_library.zip

Filesize
1.0MB

MD5
9a712ff5a82ab516664ee4449d7a8c69

SHA1
3600b3ef4368955e686e76e674f6f6a86769b654

SHA256
63e2585e157512983764fc113b4ce214834f60cce9f0b97167f85ad1e28e0fc0

SHA512
3c9460c3ae84348d3bd7f3f14482e3b27b38d016c9c476688cf1f5454d90244d73d412703758eaecfd8c87d561e2fa556505d7179ce11b5ee55b191d5740f9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\python310.dll

Filesize
4.3MB

MD5
342ba224fe440b585db4e9d2fc9f86cd

SHA1
bfa3d380231166f7c2603ca89a984a5cad9752ab

SHA256
cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432

SHA512
daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\python310.dll

Filesize
4.3MB

MD5
342ba224fe440b585db4e9d2fc9f86cd

SHA1
bfa3d380231166f7c2603ca89a984a5cad9752ab

SHA256
cdb8158dcf4f10517bd73e1334fc354fd98180d4455f29e3df2b0aa699fa2432

SHA512
daa990ff3770a39b778f672f2596ab4050bff9b16bb2222e5712327df82d18f39ac5100e3b592a5db9e88302e6e94c06881fbf61431e7670ff287f7f222254c1

Download Submit
memory/1076-139-0x0000000000000000-mapping.dmp

Download
memory/2040-138-0x0000000000000000-mapping.dmp

Download
memory/3660-144-0x00000000004A0000-0x0000000000F55000-memory.dmp

Filesize
10.7MB

Download
memory/3660-148-0x00000000004A0000-0x0000000000F55000-memory.dmp

Filesize
10.7MB

Download
memory/3660-143-0x00000000004A0000-0x0000000000F55000-memory.dmp

Filesize
10.7MB

Download
memory/3660-156-0x0000000074230000-0x0000000074269000-memory.dmp

Filesize
228KB

Download
memory/3660-145-0x00000000004A0000-0x0000000000F55000-memory.dmp

Filesize
10.7MB

Download
memory/3660-146-0x00000000004A0000-0x0000000000F55000-memory.dmp

Filesize
10.7MB

Download
memory/3660-147-0x0000000076E60000-0x0000000077003000-memory.dmp

Filesize
1.6MB

Download
memory/3660-140-0x0000000000000000-mapping.dmp

Download
memory/3660-149-0x00000000004A0000-0x0000000000F55000-memory.dmp

Filesize
10.7MB

Download
memory/3660-150-0x00000000004A0000-0x0000000000F55000-memory.dmp

Filesize
10.7MB

Download
memory/3660-151-0x00000000004A0000-0x0000000000F55000-memory.dmp

Filesize
10.7MB

Download
memory/3660-152-0x0000000074230000-0x0000000074269000-memory.dmp

Filesize
228KB

Download
memory/3660-153-0x0000000073EF0000-0x0000000073F29000-memory.dmp

Filesize
228KB

Download
memory/3660-154-0x00000000004A0000-0x0000000000F55000-memory.dmp

Filesize
10.7MB

Download
memory/3660-155-0x0000000076E60000-0x0000000077003000-memory.dmp

Filesize
1.6MB

Download
memory/4868-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads