bitrat | 66fdb47c24f569d7fae5707024809698812a40458216414827d3ea57cfb19dbb

Analysis

max time kernel
151s
max time network
149s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
12-02-2023 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
Size

16.5MB
MD5

b9874cdde692f485a1c609aeafd075c3
SHA1

8806ac9b20eaa78f89b5dfd1b78a3c7fb5cbffce
SHA256

66fdb47c24f569d7fae5707024809698812a40458216414827d3ea57cfb19dbb
SHA512

955e5e731e2d3fe9299fb90995fba95409d5b6086306960defbdc17f855175c63ccdb713f16b3e6ac3ee007f2317461d2e8693afefc56e7de494d879a3fd0aee
SSDEEP

98304:AQC5lSLCSHP8Z2HOR0mW1LCjqOMKmxE6G:LC5R0mh

Score

10^/10

bitrat hiverat quasar et rat spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

orcus.dyndns.org:1605

lsdw.dyndns.org:1606

labeokunta.dynnds.org:1606

xpert.dyndns.biz:1605

qz.dyndns.org:1605

imageline.dyndns.org:1606

kontakt-update.selfip.net:1606

Mutex

QSR_MUTEX_X8N0tEAk1p1Gbe9ioj

Attributes

encryption_key
jVpAHlJqCIQYSDZsOYMx
install_name
Client.exe
log_directory
db.xlm
reconnect_delay
30000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

bitrat

Version

1.38

hiv.dyndns.org:2222

Attributes

communication_password
194dd40edef1873b88c241057bb55f1b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/784-59-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/784-60-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/784-61-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/784-62-0x000000000045831E-mapping.dmp	family_quasar
behavioral1/memory/784-64-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/784-66-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

HiveRAT payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1592-70-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral1/memory/1592-71-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral1/memory/1592-72-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral1/memory/1592-73-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral1/memory/1592-75-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral1/memory/1592-77-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral1/memory/1592-79-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral1/memory/1592-82-0x000000000044C8BE-mapping.dmp	family_hiverat
behavioral1/memory/1592-81-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral1/memory/1592-87-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral1/memory/1592-91-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral1/memory/1592-98-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral1/memory/1592-100-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral1/memory/1592-103-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral1/memory/1592-105-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral1/memory/1592-112-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral1/memory/1592-117-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral1/memory/1592-116-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat
behavioral1/memory/1592-115-0x0000000000400000-0x000000000048E000-memory.dmp	family_hiverat

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com

flow	ioc
6	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe

pid	process
964	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
964	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
964	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
964	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
964	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe

description	pid	process	target process
PID 2016 set thread context of 784	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 set thread context of 1592	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 set thread context of 964	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe

pid process

1592 HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe

pid	process
1592	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exeHEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exeHEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe

description	pid	process
Token: SeDebugPrivilege	1592	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
Token: SeDebugPrivilege	964	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
Token: SeShutdownPrivilege	964	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
Token: SeDebugPrivilege	784	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exeHEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe

pid	process
964	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
964	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
784	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
  "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:784
- C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
  "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
  "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-64-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/784-66-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/784-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/784-57-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/784-59-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/784-60-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/784-61-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/784-62-0x000000000045831E-mapping.dmp

Download
memory/964-131-0x0000000000100000-0x000000000010A000-memory.dmp

Filesize
40KB

Download
memory/964-108-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/964-133-0x0000000000100000-0x000000000010A000-memory.dmp

Filesize
40KB

Download
memory/964-132-0x0000000000100000-0x000000000010A000-memory.dmp

Filesize
40KB

Download
memory/964-89-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/964-130-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/964-111-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/964-134-0x0000000000100000-0x000000000010A000-memory.dmp

Filesize
40KB

Download
memory/964-104-0x000000000068A488-mapping.dmp

Download
memory/964-102-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/964-99-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/964-97-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/964-83-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/964-94-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/964-92-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/964-85-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1592-68-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1592-75-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1592-91-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1592-81-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1592-82-0x000000000044C8BE-mapping.dmp

Download
memory/1592-98-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1592-79-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1592-100-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1592-103-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1592-77-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1592-105-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1592-87-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1592-73-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1592-112-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1592-72-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1592-117-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1592-116-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1592-115-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1592-71-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1592-70-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1592-67-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2016-54-0x0000000000F60000-0x0000000001FEC000-memory.dmp

Filesize
16.5MB

Download
memory/2016-55-0x00000000002F0000-0x00000000002FE000-memory.dmp

Filesize
56KB

Download

description	pid	process	target process
PID 2016 wrote to memory of 784	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 784	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 784	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 784	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 784	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 784	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 784	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 784	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 784	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 1592	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 1592	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 1592	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 1592	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 1592	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 1592	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 1592	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 1592	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 1592	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 1592	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 1592	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 1592	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 1592	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 1592	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 964	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 964	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 964	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 964	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 964	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 964	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 964	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 964	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 964	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 964	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 964	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe
PID 2016 wrote to memory of 964	2016	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe	HEUR-Trojan.Win32.Generic-66fdb47c24f569d7fae.exe