bitrat | 988287abfc76c6595d2b4979761a7e07af6505358e27716b7b8407bac66e138f

General

Target

988287abfc76c6595d2b4979761a7e07af6505358e27716b7b8407bac66e138f.exe
Size

1.6MB
MD5

75399461e8ec68c73629aad69c298d2a
SHA1

047aa561be44bbdac119ef4bf4c947556a40e79d
SHA256

988287abfc76c6595d2b4979761a7e07af6505358e27716b7b8407bac66e138f
SHA512

75ae6562bc0598fe5d450e8c0d043cbc2fbf82358906788d8150ddc172257446cf747875cd68d0f36fdf5bd864752e44933a7a67d853762f0a017b72bc298a14
SSDEEP

49152:CRiWFHcEWQEG36GuyiA96mE/d1IWYDcj9a/HQLr7ch+:tWmKEsbw17Y6mHJh

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.34

C2

185.58.92.227:5354

Attributes

communication_password
cbac3bfef1a0cdb02fa8e2b300c7da3f
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

svchost.exe

pid process

1396 svchost.exe
1396 svchost.exe
1396 svchost.exe
1396 svchost.exe

pid	process
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe
1396	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

988287abfc76c6595d2b4979761a7e07af6505358e27716b7b8407bac66e138f.exe

description	pid	process	target process
PID 1224 set thread context of 1396	1224	988287abfc76c6595d2b4979761a7e07af6505358e27716b7b8407bac66e138f.exe	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 1396 svchost.exe
Token: SeShutdownPrivilege 1396 svchost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

svchost.exe

pid process

1396 svchost.exe
1396 svchost.exe

description	pid	process
Token: SeDebugPrivilege	1396	svchost.exe
Token: SeShutdownPrivilege	1396	svchost.exe

pid	process
1396	svchost.exe
1396	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

988287abfc76c6595d2b4979761a7e07af6505358e27716b7b8407bac66e138f.exe

description	pid	process	target process
PID 1224 wrote to memory of 1396	1224	988287abfc76c6595d2b4979761a7e07af6505358e27716b7b8407bac66e138f.exe	svchost.exe
PID 1224 wrote to memory of 1396	1224	988287abfc76c6595d2b4979761a7e07af6505358e27716b7b8407bac66e138f.exe	svchost.exe
PID 1224 wrote to memory of 1396	1224	988287abfc76c6595d2b4979761a7e07af6505358e27716b7b8407bac66e138f.exe	svchost.exe
PID 1224 wrote to memory of 1396	1224	988287abfc76c6595d2b4979761a7e07af6505358e27716b7b8407bac66e138f.exe	svchost.exe
PID 1224 wrote to memory of 1396	1224	988287abfc76c6595d2b4979761a7e07af6505358e27716b7b8407bac66e138f.exe	svchost.exe
PID 1224 wrote to memory of 1396	1224	988287abfc76c6595d2b4979761a7e07af6505358e27716b7b8407bac66e138f.exe	svchost.exe
PID 1224 wrote to memory of 1396	1224	988287abfc76c6595d2b4979761a7e07af6505358e27716b7b8407bac66e138f.exe	svchost.exe
PID 1224 wrote to memory of 1396	1224	988287abfc76c6595d2b4979761a7e07af6505358e27716b7b8407bac66e138f.exe	svchost.exe
PID 1224 wrote to memory of 1396	1224	988287abfc76c6595d2b4979761a7e07af6505358e27716b7b8407bac66e138f.exe	svchost.exe
PID 1224 wrote to memory of 1396	1224	988287abfc76c6595d2b4979761a7e07af6505358e27716b7b8407bac66e138f.exe	svchost.exe
PID 1224 wrote to memory of 1396	1224	988287abfc76c6595d2b4979761a7e07af6505358e27716b7b8407bac66e138f.exe	svchost.exe
PID 1224 wrote to memory of 1396	1224	988287abfc76c6595d2b4979761a7e07af6505358e27716b7b8407bac66e138f.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\988287abfc76c6595d2b4979761a7e07af6505358e27716b7b8407bac66e138f.exe
"C:\Users\Admin\AppData\Local\Temp\988287abfc76c6595d2b4979761a7e07af6505358e27716b7b8407bac66e138f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWow64\svchost.exe
"C:\\Windows\\SysWow64\\svchost.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1224-54-0x000000013FB10000-0x000000013FCA4000-memory.dmp

Filesize
1.6MB

Download
memory/1224-55-0x000000001BF00000-0x000000001C2D6000-memory.dmp

Filesize
3.8MB

Download
memory/1224-56-0x000000001CC10000-0x000000001CFDD000-memory.dmp

Filesize
3.8MB

Download
memory/1224-57-0x0000000000740000-0x0000000000756000-memory.dmp

Filesize
88KB

Download
memory/1224-58-0x0000000000960000-0x0000000000964000-memory.dmp

Filesize
16KB

Download
memory/1396-59-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1396-60-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1396-62-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1396-64-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1396-66-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1396-68-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1396-69-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1396-71-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1396-72-0x0000000000689A84-mapping.dmp

Download
memory/1396-74-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1396-75-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1396-76-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download
memory/1396-77-0x0000000000400000-0x00000000007CD000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing