bitrat | f3fa585e7418f8b33bb279c72461d1822d0da9c0da673d158acfeecfd0ca6017

General

Target

WinLocker Builder (test version).exe
Size

5.1MB
MD5

fb344b1c20c3d4b66efe7194fdc7299c
SHA1

c36ff3e29f450a7ffc58979cd51360d6db04e854
SHA256

f3fa585e7418f8b33bb279c72461d1822d0da9c0da673d158acfeecfd0ca6017
SHA512

44aad18a62c554cfa9a21dc4fe58db4f09d68d70252c59385fe54fe007e4e79172110719547e2cfd784ee98f8604561e185a0c3c05dd2443cf5cd76e92725bdb
SSDEEP

98304:Ex3MI+PNSOdHfY5JX+2pgGXRNe14VMAjizLIi2tEXuDS2MTozg:EE5Ri5pgGXyp0SIi2tEXu+Px

Score

10^/10

bitrat bootkit evasion persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

current-necessity.at.ply.gg:49446

Attributes

communication_password
c5e4e64cc9384fda09aa232c1811af0e
install_dir
MsSystemDriver
install_file
MsMpEng.exe
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

WinLocker Builder (test version).exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ WinLocker Builder (test version).exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WinLocker Builder (test version).exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WinLocker Builder (test version).exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WinLocker Builder (test version).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WinLocker Builder (test version).exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WinLocker Builder (test version).exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsMpEng = "C:\\Users\\Admin\\AppData\\Local\\MsSystemDriver\\MsMpEng.exe耀"	WinLocker Builder (test version).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsMpEng = "C:\\Users\\Admin\\AppData\\Local\\MsSystemDriver\\MsMpEng.exe"	WinLocker Builder (test version).exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WinLocker Builder (test version).exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WinLocker Builder (test version).exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

WinLocker Builder (test version).exe

description ioc process

File opened for modification \??\PhysicalDrive0 WinLocker Builder (test version).exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	WinLocker Builder (test version).exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

WinLocker Builder (test version).exe

pid	process
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

WinLocker Builder (test version).exe

pid process

3464 WinLocker Builder (test version).exe
3464 WinLocker Builder (test version).exe

Suspicious behavior: RenamesItself 29 IoCs

Processes:

WinLocker Builder (test version).exe

pid	process
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe
3464	WinLocker Builder (test version).exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WinLocker Builder (test version).exe

description pid process

Token: SeShutdownPrivilege 3464 WinLocker Builder (test version).exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WinLocker Builder (test version).exe

pid process

3464 WinLocker Builder (test version).exe
3464 WinLocker Builder (test version).exe

description	pid	process
Token: SeShutdownPrivilege	3464	WinLocker Builder (test version).exe

C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe
"C:\Users\Admin\AppData\Local\Temp\WinLocker Builder (test version).exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3464-133-0x0000000000750000-0x00000000013FB000-memory.dmp

Filesize
12.7MB

Download
memory/3464-135-0x0000000000750000-0x00000000013FB000-memory.dmp

Filesize
12.7MB

Download
memory/3464-136-0x0000000000750000-0x00000000013FB000-memory.dmp

Filesize
12.7MB

Download
memory/3464-137-0x0000000000750000-0x00000000013FB000-memory.dmp

Filesize
12.7MB

Download
memory/3464-138-0x0000000000750000-0x00000000013FB000-memory.dmp

Filesize
12.7MB

Download
memory/3464-139-0x0000000000750000-0x00000000013FB000-memory.dmp

Filesize
12.7MB

Download
memory/3464-140-0x0000000000750000-0x00000000013FB000-memory.dmp

Filesize
12.7MB

Download
memory/3464-141-0x0000000000750000-0x00000000013FB000-memory.dmp

Filesize
12.7MB

Download
memory/3464-143-0x0000000074A60000-0x0000000074A99000-memory.dmp

Filesize
228KB

Download
memory/3464-142-0x0000000074AF0000-0x0000000074B29000-memory.dmp

Filesize
228KB

Download
memory/3464-144-0x0000000000750000-0x00000000013FB000-memory.dmp

Filesize
12.7MB

Download
memory/3464-145-0x0000000074AF0000-0x0000000074B29000-memory.dmp

Filesize
228KB

Download
memory/3464-146-0x0000000074A60000-0x0000000074A99000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads