bitrat | 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

General

Target

SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe
Size

3.8MB
MD5

d07b7112b39c9eee7eaeba1adb099543
SHA1

1df70cc161540228240e1dde290ac2f5efcfbb0c
SHA256

1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a
SHA512

9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135
SSDEEP

98304:cCtEONaf1kMdpRfZJDRJwdaUNa8gPgEICG6x098gJ2uCB9Ml:RE0UkkHRJuNawLCG6x+8gJFm

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

74.201.28.92:3569

Attributes

communication_password
148b191cf4e80b549e1b1a4444f2bdf6
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 2 IoCs

Processes:

tewu.exetewu.exe

pid process

1992 tewu.exe
632 tewu.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

vbc.exevbc.exevbc.exe

pid process

1704 vbc.exe
1704 vbc.exe
1704 vbc.exe
1704 vbc.exe
2012 vbc.exe
1512 vbc.exe

pid	process
1992	tewu.exe
632	tewu.exe

pid	process
1704	vbc.exe
1704	vbc.exe
1704	vbc.exe
1704	vbc.exe
2012	vbc.exe
1512	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exetewu.exetewu.exe

description	pid	process	target process
PID 1728 set thread context of 1704	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	vbc.exe
PID 1992 set thread context of 2012	1992	tewu.exe	vbc.exe
PID 632 set thread context of 1512	632	tewu.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1044 schtasks.exe
1652 schtasks.exe
684 schtasks.exe

pid	process
1044	schtasks.exe
1652	schtasks.exe
684	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

vbc.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1704	vbc.exe
Token: SeShutdownPrivilege	1704	vbc.exe
Token: SeDebugPrivilege	2012	vbc.exe
Token: SeShutdownPrivilege	2012	vbc.exe
Token: SeDebugPrivilege	1512	vbc.exe
Token: SeShutdownPrivilege	1512	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vbc.exe

pid process

1704 vbc.exe
1704 vbc.exe

pid	process
1704	vbc.exe
1704	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.execmd.exetaskeng.exetewu.execmd.exe

description	pid	process	target process
PID 1728 wrote to memory of 1704	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	vbc.exe
PID 1728 wrote to memory of 1704	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	vbc.exe
PID 1728 wrote to memory of 1704	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	vbc.exe
PID 1728 wrote to memory of 1704	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	vbc.exe
PID 1728 wrote to memory of 1704	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	vbc.exe
PID 1728 wrote to memory of 1704	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	vbc.exe
PID 1728 wrote to memory of 1704	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	vbc.exe
PID 1728 wrote to memory of 1704	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	vbc.exe
PID 1728 wrote to memory of 1704	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	vbc.exe
PID 1728 wrote to memory of 1704	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	vbc.exe
PID 1728 wrote to memory of 1704	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	vbc.exe
PID 1728 wrote to memory of 1704	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	vbc.exe
PID 1728 wrote to memory of 1440	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	cmd.exe
PID 1728 wrote to memory of 1440	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	cmd.exe
PID 1728 wrote to memory of 1440	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	cmd.exe
PID 1728 wrote to memory of 1440	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	cmd.exe
PID 1728 wrote to memory of 1716	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	cmd.exe
PID 1728 wrote to memory of 1716	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	cmd.exe
PID 1728 wrote to memory of 1716	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	cmd.exe
PID 1728 wrote to memory of 1716	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	cmd.exe
PID 1728 wrote to memory of 520	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	cmd.exe
PID 1728 wrote to memory of 520	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	cmd.exe
PID 1728 wrote to memory of 520	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	cmd.exe
PID 1728 wrote to memory of 520	1728	SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe	cmd.exe
PID 1716 wrote to memory of 684	1716	cmd.exe	schtasks.exe
PID 1716 wrote to memory of 684	1716	cmd.exe	schtasks.exe
PID 1716 wrote to memory of 684	1716	cmd.exe	schtasks.exe
PID 1716 wrote to memory of 684	1716	cmd.exe	schtasks.exe
PID 568 wrote to memory of 1992	568	taskeng.exe	tewu.exe
PID 568 wrote to memory of 1992	568	taskeng.exe	tewu.exe
PID 568 wrote to memory of 1992	568	taskeng.exe	tewu.exe
PID 568 wrote to memory of 1992	568	taskeng.exe	tewu.exe
PID 1992 wrote to memory of 2012	1992	tewu.exe	vbc.exe
PID 1992 wrote to memory of 2012	1992	tewu.exe	vbc.exe
PID 1992 wrote to memory of 2012	1992	tewu.exe	vbc.exe
PID 1992 wrote to memory of 2012	1992	tewu.exe	vbc.exe
PID 1992 wrote to memory of 2012	1992	tewu.exe	vbc.exe
PID 1992 wrote to memory of 2012	1992	tewu.exe	vbc.exe
PID 1992 wrote to memory of 2012	1992	tewu.exe	vbc.exe
PID 1992 wrote to memory of 2012	1992	tewu.exe	vbc.exe
PID 1992 wrote to memory of 2012	1992	tewu.exe	vbc.exe
PID 1992 wrote to memory of 2012	1992	tewu.exe	vbc.exe
PID 1992 wrote to memory of 2012	1992	tewu.exe	vbc.exe
PID 1992 wrote to memory of 2012	1992	tewu.exe	vbc.exe
PID 1992 wrote to memory of 1980	1992	tewu.exe	cmd.exe
PID 1992 wrote to memory of 1980	1992	tewu.exe	cmd.exe
PID 1992 wrote to memory of 1980	1992	tewu.exe	cmd.exe
PID 1992 wrote to memory of 1980	1992	tewu.exe	cmd.exe
PID 1992 wrote to memory of 2032	1992	tewu.exe	cmd.exe
PID 1992 wrote to memory of 2032	1992	tewu.exe	cmd.exe
PID 1992 wrote to memory of 2032	1992	tewu.exe	cmd.exe
PID 1992 wrote to memory of 2032	1992	tewu.exe	cmd.exe
PID 1992 wrote to memory of 1960	1992	tewu.exe	cmd.exe
PID 1992 wrote to memory of 1960	1992	tewu.exe	cmd.exe
PID 1992 wrote to memory of 1960	1992	tewu.exe	cmd.exe
PID 1992 wrote to memory of 1960	1992	tewu.exe	cmd.exe
PID 2032 wrote to memory of 1044	2032	cmd.exe	schtasks.exe
PID 2032 wrote to memory of 1044	2032	cmd.exe	schtasks.exe
PID 2032 wrote to memory of 1044	2032	cmd.exe	schtasks.exe
PID 2032 wrote to memory of 1044	2032	cmd.exe	schtasks.exe
PID 568 wrote to memory of 632	568	taskeng.exe	tewu.exe
PID 568 wrote to memory of 632	568	taskeng.exe	tewu.exe
PID 568 wrote to memory of 632	568	taskeng.exe	tewu.exe
PID 568 wrote to memory of 632	568	taskeng.exe	tewu.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen20.5502.44.30386.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
2⤵
PID:520

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
2⤵
PID:1440

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
1⤵
- Creates scheduled task(s)
PID:684

C:\Windows\system32\taskeng.exe
taskeng.exe {6B38D744-6EC6-4839-8DE2-67562FD061FD} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
3⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1044

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
3⤵
PID:1960

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
3⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
3⤵
PID:932

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1652

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
3⤵
PID:592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
memory/632-127-0x00000000006C0000-0x0000000000700000-memory.dmp

Filesize
256KB

Download
memory/632-110-0x00000000008B0000-0x0000000000C84000-memory.dmp

Filesize
3.8MB

Download
memory/1512-131-0x0000000000460000-0x000000000082E000-memory.dmp

Filesize
3.8MB

Download
memory/1512-130-0x0000000000460000-0x000000000082E000-memory.dmp

Filesize
3.8MB

Download
memory/1512-129-0x0000000000460000-0x000000000082E000-memory.dmp

Filesize
3.8MB

Download
memory/1512-124-0x0000000000460000-0x000000000082E000-memory.dmp

Filesize
3.8MB

Download
memory/1704-80-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-62-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-66-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-69-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-72-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-71-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-73-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-74-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-76-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-75-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-77-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-79-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-78-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-55-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-81-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-82-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-83-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-84-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-63-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1704-64-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-56-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-57-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-59-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-60-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-104-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-103-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-105-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-106-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-107-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-108-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1704-61-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1728-58-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/1728-54-0x0000000000230000-0x0000000000604000-memory.dmp

Filesize
3.8MB

Download
memory/1992-92-0x00000000022B0000-0x00000000022F0000-memory.dmp

Filesize
256KB

Download
memory/1992-87-0x0000000000270000-0x0000000000644000-memory.dmp

Filesize
3.8MB

Download
memory/2012-102-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2012-100-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads