bitrat | a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5

Analysis

max time kernel
151s
max time network
138s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe
Size

1.9MB
MD5

496a7890c6f1d31f10acb4f36805e6ca
SHA1

86da741420c2e972969133caf44e71d3bcbd58b5
SHA256

a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5
SHA512

6c0dffb8361ae471cc8c2b0052f8589d70f0eee6e021aeb3970c97880723ee645bc8be40364889d61de19c15f2ba0300d5bb547d98233f8f45ef59dc092ec317
SSDEEP

49152:GT/3WwVnX/4lq1zxD6foJFxxjM6GHRyc12E4ltc+aa8V:G6wVnX1y+xxjen1KTRs

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.34

87.78.165.108:25625

Attributes

communication_password
536f868c09cfbc81399401da424e42e6
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 1 IoCs

Processes:

P402.Hermes.RE_4.exe

pid process

1976 P402.Hermes.RE_4.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

P402.Hermes.RE_4.exe

pid process

1976 P402.Hermes.RE_4.exe
1976 P402.Hermes.RE_4.exe
1976 P402.Hermes.RE_4.exe
1976 P402.Hermes.RE_4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1976	P402.Hermes.RE_4.exe

pid	process
1976	P402.Hermes.RE_4.exe
1976	P402.Hermes.RE_4.exe
1976	P402.Hermes.RE_4.exe
1976	P402.Hermes.RE_4.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe

pid	process
1160	a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe
1160	a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe
1160	a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exeP402.Hermes.RE_4.exe

description	pid	process
Token: SeDebugPrivilege	1160	a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe
Token: SeDebugPrivilege	1976	P402.Hermes.RE_4.exe
Token: SeShutdownPrivilege	1976	P402.Hermes.RE_4.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

P402.Hermes.RE_4.exe

pid process

1976 P402.Hermes.RE_4.exe
1976 P402.Hermes.RE_4.exe

pid	process
1976	P402.Hermes.RE_4.exe
1976	P402.Hermes.RE_4.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe

description	pid	process	target process
PID 1160 wrote to memory of 1976	1160	a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe	P402.Hermes.RE_4.exe
PID 1160 wrote to memory of 1976	1160	a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe	P402.Hermes.RE_4.exe
PID 1160 wrote to memory of 1976	1160	a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe	P402.Hermes.RE_4.exe
PID 1160 wrote to memory of 1976	1160	a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe	P402.Hermes.RE_4.exe

C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe
"C:\Users\Admin\AppData\Local\Temp\a51282512c747e4696968ba0d7cac12da4c0ee23ed9bd8f9162b44cd6feae6b5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe
"C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\P402.Hermes.RE_4.exe

Filesize
3.8MB

MD5
14b0626141c4e627aeb5d13411277d83

SHA1
ec8f50af65560de5a63d1174809ed9cec31191cf

SHA256
d9d78c09e03266f7718b049f360aa7620a75e765811373f7e38e00bc962f9e6e

SHA512
f0beab68df89e93063b1409578d0e086d554a6d505c1e26f0cc5485ddad5e7108006173ad9fa000700a64471439998c3f895acc6f2c8e08418f1bea3ff13a027

Download Submit
memory/1160-54-0x0000000001010000-0x00000000011FE000-memory.dmp

Filesize
1.9MB

Download
memory/1160-55-0x0000000000F56000-0x0000000000F75000-memory.dmp

Filesize
124KB

Download
memory/1160-56-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp

Filesize
8KB

Download
memory/1160-60-0x0000000000F56000-0x0000000000F75000-memory.dmp

Filesize
124KB

Download
memory/1976-57-0x0000000000000000-mapping.dmp

Download
memory/1976-59-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download