bitrat | 10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8

General

Target

10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe
Size

10.0MB
MD5

e872b597a98c83ad62c74877a03f35f8
SHA1

1761f0e80f0040a479551fc89885b43c2ded2131
SHA256

10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8
SHA512

2a6ea5dfc324d2e370e1b0baf13e99ccf48c35770549670a03a6a68d9964db4302304f686b6186832176982331c01679cf66155d9b3205cdd2bcd2303d6ad666
SSDEEP

98304:fRIevuEMjmkDQP2qxKahmUBFpHZDTk2e2RT16/UvYYn:fDuJjmkDQP20KamUVZHky2IY

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bit747.duckdns.org:1010

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

1020 svchost.exe
856 svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

RegAsm.exe

pid process

3644 RegAsm.exe
3644 RegAsm.exe
3644 RegAsm.exe
3644 RegAsm.exe

pid	process
1020	svchost.exe
856	svchost.exe

pid	process
3644	RegAsm.exe
3644	RegAsm.exe
3644	RegAsm.exe
3644	RegAsm.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exesvchost.exesvchost.exe

description	pid	process	target process
PID 1536 set thread context of 2524	1536	10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe	RegAsm.exe
PID 1020 set thread context of 3572	1020	svchost.exe	RegAsm.exe
PID 856 set thread context of 3644	856	svchost.exe	RegAsm.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4016 2524 WerFault.exe RegAsm.exe
1884 3572 WerFault.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

224 schtasks.exe
3892 schtasks.exe
564 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeShutdownPrivilege 3644 RegAsm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

3644 RegAsm.exe
3644 RegAsm.exe

pid	pid_target	process	target process
4016	2524	WerFault.exe	RegAsm.exe
1884	3572	WerFault.exe	RegAsm.exe

pid	process
224	schtasks.exe
3892	schtasks.exe
564	schtasks.exe

description	pid	process
Token: SeShutdownPrivilege	3644	RegAsm.exe

pid	process
3644	RegAsm.exe
3644	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.execmd.exesvchost.execmd.exesvchost.exe

description	pid	process	target process
PID 1536 wrote to memory of 2524	1536	10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe	RegAsm.exe
PID 1536 wrote to memory of 2524	1536	10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe	RegAsm.exe
PID 1536 wrote to memory of 2524	1536	10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe	RegAsm.exe
PID 1536 wrote to memory of 2524	1536	10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe	RegAsm.exe
PID 1536 wrote to memory of 2524	1536	10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe	RegAsm.exe
PID 1536 wrote to memory of 2524	1536	10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe	RegAsm.exe
PID 1536 wrote to memory of 2524	1536	10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe	RegAsm.exe
PID 1536 wrote to memory of 2524	1536	10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe	RegAsm.exe
PID 1536 wrote to memory of 2524	1536	10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe	RegAsm.exe
PID 1536 wrote to memory of 2524	1536	10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe	RegAsm.exe
PID 1536 wrote to memory of 2524	1536	10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe	RegAsm.exe
PID 1536 wrote to memory of 4424	1536	10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe	cmd.exe
PID 1536 wrote to memory of 4424	1536	10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe	cmd.exe
PID 1536 wrote to memory of 4424	1536	10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe	cmd.exe
PID 1536 wrote to memory of 3472	1536	10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe	cmd.exe
PID 1536 wrote to memory of 3472	1536	10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe	cmd.exe
PID 1536 wrote to memory of 3472	1536	10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe	cmd.exe
PID 1536 wrote to memory of 5000	1536	10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe	cmd.exe
PID 1536 wrote to memory of 5000	1536	10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe	cmd.exe
PID 1536 wrote to memory of 5000	1536	10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe	cmd.exe
PID 3472 wrote to memory of 224	3472	cmd.exe	schtasks.exe
PID 3472 wrote to memory of 224	3472	cmd.exe	schtasks.exe
PID 3472 wrote to memory of 224	3472	cmd.exe	schtasks.exe
PID 1020 wrote to memory of 3572	1020	svchost.exe	RegAsm.exe
PID 1020 wrote to memory of 3572	1020	svchost.exe	RegAsm.exe
PID 1020 wrote to memory of 3572	1020	svchost.exe	RegAsm.exe
PID 1020 wrote to memory of 3572	1020	svchost.exe	RegAsm.exe
PID 1020 wrote to memory of 3572	1020	svchost.exe	RegAsm.exe
PID 1020 wrote to memory of 3572	1020	svchost.exe	RegAsm.exe
PID 1020 wrote to memory of 3572	1020	svchost.exe	RegAsm.exe
PID 1020 wrote to memory of 3572	1020	svchost.exe	RegAsm.exe
PID 1020 wrote to memory of 3572	1020	svchost.exe	RegAsm.exe
PID 1020 wrote to memory of 3572	1020	svchost.exe	RegAsm.exe
PID 1020 wrote to memory of 3572	1020	svchost.exe	RegAsm.exe
PID 1020 wrote to memory of 632	1020	svchost.exe	cmd.exe
PID 1020 wrote to memory of 632	1020	svchost.exe	cmd.exe
PID 1020 wrote to memory of 632	1020	svchost.exe	cmd.exe
PID 1020 wrote to memory of 3856	1020	svchost.exe	cmd.exe
PID 1020 wrote to memory of 3856	1020	svchost.exe	cmd.exe
PID 1020 wrote to memory of 3856	1020	svchost.exe	cmd.exe
PID 1020 wrote to memory of 384	1020	svchost.exe	cmd.exe
PID 1020 wrote to memory of 384	1020	svchost.exe	cmd.exe
PID 1020 wrote to memory of 384	1020	svchost.exe	cmd.exe
PID 3856 wrote to memory of 3892	3856	cmd.exe	schtasks.exe
PID 3856 wrote to memory of 3892	3856	cmd.exe	schtasks.exe
PID 3856 wrote to memory of 3892	3856	cmd.exe	schtasks.exe
PID 856 wrote to memory of 3644	856	svchost.exe	RegAsm.exe
PID 856 wrote to memory of 3644	856	svchost.exe	RegAsm.exe
PID 856 wrote to memory of 3644	856	svchost.exe	RegAsm.exe
PID 856 wrote to memory of 3644	856	svchost.exe	RegAsm.exe
PID 856 wrote to memory of 3644	856	svchost.exe	RegAsm.exe
PID 856 wrote to memory of 3644	856	svchost.exe	RegAsm.exe
PID 856 wrote to memory of 3644	856	svchost.exe	RegAsm.exe
PID 856 wrote to memory of 3644	856	svchost.exe	RegAsm.exe
PID 856 wrote to memory of 3644	856	svchost.exe	RegAsm.exe
PID 856 wrote to memory of 3644	856	svchost.exe	RegAsm.exe
PID 856 wrote to memory of 3644	856	svchost.exe	RegAsm.exe
PID 856 wrote to memory of 4944	856	svchost.exe	cmd.exe
PID 856 wrote to memory of 4944	856	svchost.exe	cmd.exe
PID 856 wrote to memory of 4944	856	svchost.exe	cmd.exe
PID 856 wrote to memory of 3076	856	svchost.exe	cmd.exe
PID 856 wrote to memory of 3076	856	svchost.exe	cmd.exe
PID 856 wrote to memory of 3076	856	svchost.exe	cmd.exe
PID 856 wrote to memory of 4964	856	svchost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe
"C:\Users\Admin\AppData\Local\Temp\10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 540
3⤵
- Program crash
PID:4016

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
2⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2524 -ip 2524
1⤵
PID:4464

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 540
3⤵
- Program crash
PID:1884

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
2⤵
PID:632

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3892

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3572 -ip 3572
1⤵
PID:4364

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3644

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
2⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
2⤵
PID:3076

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:564

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:4964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
Filesize
897B

MD5
e28e8282e840be54c57551ade8ab5d8b

SHA1
8967f20d50682007d53c4b1895daffc42adb4f11

SHA256
ca8d865b7a87fd4fb4cc0a4ddb44b05f3512f37082ce90b59d09ec2a6b5636bb

SHA512
80b14973789013dad22e3ac4c2cfa450f16eb2530f39bf082b37a728d9c874f5e9f5e323997f35eaafb6c71f4153222d53f06a845354550be543b1aa7b4f732b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
10.0MB

MD5
e872b597a98c83ad62c74877a03f35f8

SHA1
1761f0e80f0040a479551fc89885b43c2ded2131

SHA256
10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8

SHA512
2a6ea5dfc324d2e370e1b0baf13e99ccf48c35770549670a03a6a68d9964db4302304f686b6186832176982331c01679cf66155d9b3205cdd2bcd2303d6ad666

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
10.0MB

MD5
e872b597a98c83ad62c74877a03f35f8

SHA1
1761f0e80f0040a479551fc89885b43c2ded2131

SHA256
10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8

SHA512
2a6ea5dfc324d2e370e1b0baf13e99ccf48c35770549670a03a6a68d9964db4302304f686b6186832176982331c01679cf66155d9b3205cdd2bcd2303d6ad666

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
10.0MB

MD5
e872b597a98c83ad62c74877a03f35f8

SHA1
1761f0e80f0040a479551fc89885b43c2ded2131

SHA256
10d3822ac14a988d3fb6b5106e82b4727aa714eaa054fa4d54b0fbf96d6953e8

SHA512
2a6ea5dfc324d2e370e1b0baf13e99ccf48c35770549670a03a6a68d9964db4302304f686b6186832176982331c01679cf66155d9b3205cdd2bcd2303d6ad666

Download Submit
memory/1536-134-0x0000000005B70000-0x0000000006114000-memory.dmp

Filesize
5.6MB

Download
memory/1536-135-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/1536-136-0x0000000005510000-0x00000000055A2000-memory.dmp

Filesize
584KB

Download
memory/1536-137-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/1536-133-0x0000000000740000-0x0000000000B34000-memory.dmp

Filesize
4.0MB

Download
memory/2524-148-0x0000000000A00000-0x0000000000DCE000-memory.dmp

Filesize
3.8MB

Download
memory/2524-151-0x0000000000A00000-0x0000000000DCE000-memory.dmp

Filesize
3.8MB

Download
memory/2524-144-0x0000000000A00000-0x0000000000DCE000-memory.dmp

Filesize
3.8MB

Download
memory/2524-139-0x0000000000A00000-0x0000000000DCE000-memory.dmp

Filesize
3.8MB

Download
memory/3572-159-0x0000000000770000-0x0000000000B3E000-memory.dmp

Filesize
3.8MB

Download
memory/3572-163-0x0000000000770000-0x0000000000B3E000-memory.dmp

Filesize
3.8MB

Download
memory/3572-164-0x0000000000770000-0x0000000000B3E000-memory.dmp

Filesize
3.8MB

Download
memory/3644-175-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3644-182-0x0000000074860000-0x0000000074899000-memory.dmp

Filesize
228KB

Download
memory/3644-172-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3644-174-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3644-169-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3644-178-0x00000000744E0000-0x0000000074519000-memory.dmp

Filesize
228KB

Download
memory/3644-181-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3644-170-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3644-183-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3644-184-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3644-185-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3644-186-0x0000000074860000-0x0000000074899000-memory.dmp

Filesize
228KB

Download
memory/3644-187-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3644-188-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads