bitrat | de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2

General

Target

de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
Size

4.8MB
MD5

94a2ebdbfca94ca574691295689b6b9c
SHA1

92fff5c4d9f2a4427a3b5317b3391d40197f5f6a
SHA256

de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2
SHA512

6dc1b78178e31219fa02635879b928622fa40bb7218dcf4cacc5490f47a25060c645ee21b4d0e72b32f25a82928ac43138b08faceba2a195d84cfeb5979a3675
SSDEEP

98304:lRA8Y/PdoOGmGHpmxf42MwZMHGI0T4Nu4lfPGb/wJGo+cvw:TAB1h6e42MW4C4M4Jeb6R

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.34

C2

193.239.147.77:6505

Attributes

communication_password
c398335f85d477cb4802c03bad3916fd
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

pid	process
1696	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
1696	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
1696	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
1696	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

description	pid	process	target process
PID 4868 set thread context of 1696	4868	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2276 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

description pid process

Token: SeShutdownPrivilege 1696 de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

pid	process
2276	schtasks.exe

description	pid	process
Token: SeShutdownPrivilege	1696	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

pid	process
1696	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
1696	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

description	pid	process	target process
PID 4868 wrote to memory of 2276	4868	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	schtasks.exe
PID 4868 wrote to memory of 2276	4868	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	schtasks.exe
PID 4868 wrote to memory of 2276	4868	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	schtasks.exe
PID 4868 wrote to memory of 1696	4868	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
PID 4868 wrote to memory of 1696	4868	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
PID 4868 wrote to memory of 1696	4868	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
PID 4868 wrote to memory of 1696	4868	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
PID 4868 wrote to memory of 1696	4868	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
PID 4868 wrote to memory of 1696	4868	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
PID 4868 wrote to memory of 1696	4868	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
PID 4868 wrote to memory of 1696	4868	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
PID 4868 wrote to memory of 1696	4868	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
PID 4868 wrote to memory of 1696	4868	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
PID 4868 wrote to memory of 1696	4868	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe	de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe

C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
"C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EExmhb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4467.tmp"
2⤵
- Creates scheduled task(s)
PID:2276

C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe
"C:\Users\Admin\AppData\Local\Temp\de070619366a56d4a3ae1718712a09a8523f6346a50f306d1a0d173dd2c9aee2.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4467.tmp

Filesize
1KB

MD5
ba365bb9d5c48e32aa3d299d7697c61b

SHA1
f878dc206df5806c7c69360da6e92a2a666d714d

SHA256
6fc9042925a801b824230dea1cce8868a11babf7d1af83f52ea3a28b6f60e117

SHA512
8bf872d8fd6e3f34c38723cba137ed080a5803564a95cc24c8fce4540fe5ae27c032cd065ef5e4c7152e51ba5df9eef6d8ee84c5cd0f6bb66bdd75eb39e1b131

Download Submit
memory/1696-144-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1696-143-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1696-147-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1696-146-0x0000000074DC0000-0x0000000074DF9000-memory.dmp

Filesize
228KB

Download
memory/1696-145-0x0000000074A40000-0x0000000074A79000-memory.dmp

Filesize
228KB

Download
memory/1696-140-0x0000000000000000-mapping.dmp

Download
memory/1696-142-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1696-141-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/2276-138-0x0000000000000000-mapping.dmp

Download
memory/4868-133-0x0000000004F40000-0x0000000004FDC000-memory.dmp

Filesize
624KB

Download
memory/4868-134-0x00000000055A0000-0x0000000005B44000-memory.dmp

Filesize
5.6MB

Download
memory/4868-132-0x00000000000F0000-0x00000000005B8000-memory.dmp

Filesize
4.8MB

Download
memory/4868-137-0x0000000005BB0000-0x0000000005C06000-memory.dmp

Filesize
344KB

Download
memory/4868-136-0x0000000005050000-0x000000000505A000-memory.dmp

Filesize
40KB

Download
memory/4868-135-0x0000000005090000-0x0000000005122000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads