bitrat | de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2

General

Target

de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
Size

4.8MB
MD5

94a2ebdbfca94ca574691295689b6b9c
SHA1

92fff5c4d9f2a4427a3b5317b3391d40197f5f6a
SHA256

de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2
SHA512

6dc1b78178e31219fa02635879b928622fa40bb7218dcf4cacc5490f47a25060c645ee21b4d0e72b32f25a82928ac43138b08faceba2a195d84cfeb5979a3675
SSDEEP

98304:lRA8Y/PdoOGmGHpmxf42MwZMHGI0T4Nu4lfPGb/wJGo+cvw:TAB1h6e42MW4C4M4Jeb6R

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.34

C2

193.239.147.77:6505

Attributes

communication_password
c398335f85d477cb4802c03bad3916fd
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

pid	process
1776	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
1776	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
1776	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
1776	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

description	pid	process	target process
PID 772 set thread context of 1776	772	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1748 schtasks.exe

pid	process
1748	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

description	pid	process
Token: SeDebugPrivilege	1776	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
Token: SeShutdownPrivilege	1776	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

pid	process
1776	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
1776	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
"C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EExmhb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9A8C.tmp"
2⤵
- Creates scheduled task(s)
PID:1748

C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
"C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9A8C.tmp

Filesize
1KB

MD5
0aad263df4e5f31d7c60a49fc87a9241

SHA1
a7e1ff528ccf2bebb1a408ae03edff7f4a1421b3

SHA256
d762ba7da1b1526085f23099d44b11ca82a1568de1966d8237caa71d93a9c2db

SHA512
8e88caef29efedd916013367eb16e60cdd01c4379e0e4e451456c7299d23519cee2d54a44e3b33f9e0271bd3295c8c856d66f16cd631de7e8c0a773c425a9921

Download Submit
memory/772-54-0x0000000000F60000-0x0000000001428000-memory.dmp

Filesize
4.8MB

Download
memory/772-55-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/772-56-0x0000000009470000-0x000000000947A000-memory.dmp

Filesize
40KB

Download
memory/772-57-0x000000000F300000-0x000000000F6F0000-memory.dmp

Filesize
3.9MB

Download
memory/1748-58-0x0000000000000000-mapping.dmp

Download
memory/1776-63-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1776-61-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1776-60-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1776-65-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1776-67-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1776-69-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1776-70-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1776-72-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1776-73-0x0000000000689A84-mapping.dmp

Download
memory/1776-75-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1776-77-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1776-78-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download

description	pid	process	target process
PID 772 wrote to memory of 1748	772	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	schtasks.exe
PID 772 wrote to memory of 1748	772	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	schtasks.exe
PID 772 wrote to memory of 1748	772	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	schtasks.exe
PID 772 wrote to memory of 1748	772	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	schtasks.exe
PID 772 wrote to memory of 1776	772	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
PID 772 wrote to memory of 1776	772	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
PID 772 wrote to memory of 1776	772	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
PID 772 wrote to memory of 1776	772	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
PID 772 wrote to memory of 1776	772	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
PID 772 wrote to memory of 1776	772	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
PID 772 wrote to memory of 1776	772	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
PID 772 wrote to memory of 1776	772	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
PID 772 wrote to memory of 1776	772	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
PID 772 wrote to memory of 1776	772	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
PID 772 wrote to memory of 1776	772	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
PID 772 wrote to memory of 1776	772	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads