bitrat | 11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e

General

Target

fire.exe
Size

3.8MB
MD5

86000b0a976dc4a377b2e5192fe30445
SHA1

ad29b138883d7906f8d6e75f2e5f60e5285d4a56
SHA256

11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e
SHA512

4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19
SSDEEP

98304:nUyJF2oYGCLxnJ7rzdIzYsuvqqW07LslsPTU:nUbn5zSzYhqqW0ns8U

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

74.201.28.92:3569

Attributes

communication_password
148b191cf4e80b549e1b1a4444f2bdf6
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 6 IoCs

Processes:

wbnh.exewbnh.exewbnh.exewbnh.exewbnh.exewbnh.exe

pid process

1004 wbnh.exe
1884 wbnh.exe
672 wbnh.exe
1856 wbnh.exe
1008 wbnh.exe
996 wbnh.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

fire.exewbnh.exewbnh.exewbnh.exe

pid process

904 fire.exe
904 fire.exe
904 fire.exe
904 fire.exe
1856 wbnh.exe
996 wbnh.exe
1884 wbnh.exe

pid	process
1004	wbnh.exe
1884	wbnh.exe
672	wbnh.exe
1856	wbnh.exe
1008	wbnh.exe
996	wbnh.exe

pid	process
904	fire.exe
904	fire.exe
904	fire.exe
904	fire.exe
1856	wbnh.exe
996	wbnh.exe
1884	wbnh.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

fire.exewbnh.exewbnh.exewbnh.exe

description	pid	process	target process
PID 888 set thread context of 904	888	fire.exe	fire.exe
PID 1004 set thread context of 1884	1004	wbnh.exe	wbnh.exe
PID 672 set thread context of 1856	672	wbnh.exe	wbnh.exe
PID 1008 set thread context of 996	1008	wbnh.exe	wbnh.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1796 schtasks.exe
768 schtasks.exe
1772 schtasks.exe
2024 schtasks.exe

pid	process
1796	schtasks.exe
768	schtasks.exe
1772	schtasks.exe
2024	schtasks.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

fire.exewbnh.exewbnh.exewbnh.exe

description	pid	process
Token: SeDebugPrivilege	904	fire.exe
Token: SeShutdownPrivilege	904	fire.exe
Token: SeDebugPrivilege	1856	wbnh.exe
Token: SeShutdownPrivilege	1856	wbnh.exe
Token: SeDebugPrivilege	996	wbnh.exe
Token: SeShutdownPrivilege	996	wbnh.exe
Token: SeDebugPrivilege	1884	wbnh.exe
Token: SeShutdownPrivilege	1884	wbnh.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

fire.exe

pid process

904 fire.exe
904 fire.exe

pid	process
904	fire.exe
904	fire.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fire.execmd.exetaskeng.exewbnh.execmd.exe

description	pid	process	target process
PID 888 wrote to memory of 904	888	fire.exe	fire.exe
PID 888 wrote to memory of 904	888	fire.exe	fire.exe
PID 888 wrote to memory of 904	888	fire.exe	fire.exe
PID 888 wrote to memory of 904	888	fire.exe	fire.exe
PID 888 wrote to memory of 904	888	fire.exe	fire.exe
PID 888 wrote to memory of 904	888	fire.exe	fire.exe
PID 888 wrote to memory of 904	888	fire.exe	fire.exe
PID 888 wrote to memory of 904	888	fire.exe	fire.exe
PID 888 wrote to memory of 904	888	fire.exe	fire.exe
PID 888 wrote to memory of 904	888	fire.exe	fire.exe
PID 888 wrote to memory of 904	888	fire.exe	fire.exe
PID 888 wrote to memory of 904	888	fire.exe	fire.exe
PID 888 wrote to memory of 564	888	fire.exe	cmd.exe
PID 888 wrote to memory of 564	888	fire.exe	cmd.exe
PID 888 wrote to memory of 564	888	fire.exe	cmd.exe
PID 888 wrote to memory of 564	888	fire.exe	cmd.exe
PID 888 wrote to memory of 472	888	fire.exe	cmd.exe
PID 888 wrote to memory of 472	888	fire.exe	cmd.exe
PID 888 wrote to memory of 472	888	fire.exe	cmd.exe
PID 888 wrote to memory of 472	888	fire.exe	cmd.exe
PID 888 wrote to memory of 1060	888	fire.exe	cmd.exe
PID 888 wrote to memory of 1060	888	fire.exe	cmd.exe
PID 888 wrote to memory of 1060	888	fire.exe	cmd.exe
PID 888 wrote to memory of 1060	888	fire.exe	cmd.exe
PID 472 wrote to memory of 1796	472	cmd.exe	schtasks.exe
PID 472 wrote to memory of 1796	472	cmd.exe	schtasks.exe
PID 472 wrote to memory of 1796	472	cmd.exe	schtasks.exe
PID 472 wrote to memory of 1796	472	cmd.exe	schtasks.exe
PID 964 wrote to memory of 1004	964	taskeng.exe	wbnh.exe
PID 964 wrote to memory of 1004	964	taskeng.exe	wbnh.exe
PID 964 wrote to memory of 1004	964	taskeng.exe	wbnh.exe
PID 964 wrote to memory of 1004	964	taskeng.exe	wbnh.exe
PID 1004 wrote to memory of 1884	1004	wbnh.exe	wbnh.exe
PID 1004 wrote to memory of 1884	1004	wbnh.exe	wbnh.exe
PID 1004 wrote to memory of 1884	1004	wbnh.exe	wbnh.exe
PID 1004 wrote to memory of 1884	1004	wbnh.exe	wbnh.exe
PID 1004 wrote to memory of 1884	1004	wbnh.exe	wbnh.exe
PID 1004 wrote to memory of 1884	1004	wbnh.exe	wbnh.exe
PID 1004 wrote to memory of 1884	1004	wbnh.exe	wbnh.exe
PID 1004 wrote to memory of 1884	1004	wbnh.exe	wbnh.exe
PID 1004 wrote to memory of 1884	1004	wbnh.exe	wbnh.exe
PID 1004 wrote to memory of 1884	1004	wbnh.exe	wbnh.exe
PID 1004 wrote to memory of 1884	1004	wbnh.exe	wbnh.exe
PID 1004 wrote to memory of 1884	1004	wbnh.exe	wbnh.exe
PID 1004 wrote to memory of 1216	1004	wbnh.exe	cmd.exe
PID 1004 wrote to memory of 1216	1004	wbnh.exe	cmd.exe
PID 1004 wrote to memory of 1216	1004	wbnh.exe	cmd.exe
PID 1004 wrote to memory of 1216	1004	wbnh.exe	cmd.exe
PID 1004 wrote to memory of 868	1004	wbnh.exe	cmd.exe
PID 1004 wrote to memory of 868	1004	wbnh.exe	cmd.exe
PID 1004 wrote to memory of 868	1004	wbnh.exe	cmd.exe
PID 1004 wrote to memory of 868	1004	wbnh.exe	cmd.exe
PID 1004 wrote to memory of 1892	1004	wbnh.exe	cmd.exe
PID 1004 wrote to memory of 1892	1004	wbnh.exe	cmd.exe
PID 1004 wrote to memory of 1892	1004	wbnh.exe	cmd.exe
PID 1004 wrote to memory of 1892	1004	wbnh.exe	cmd.exe
PID 868 wrote to memory of 768	868	cmd.exe	schtasks.exe
PID 868 wrote to memory of 768	868	cmd.exe	schtasks.exe
PID 868 wrote to memory of 768	868	cmd.exe	schtasks.exe
PID 868 wrote to memory of 768	868	cmd.exe	schtasks.exe
PID 964 wrote to memory of 672	964	taskeng.exe	wbnh.exe
PID 964 wrote to memory of 672	964	taskeng.exe	wbnh.exe
PID 964 wrote to memory of 672	964	taskeng.exe	wbnh.exe
PID 964 wrote to memory of 672	964	taskeng.exe	wbnh.exe

C:\Users\Admin\AppData\Local\Temp\fire.exe
"C:\Users\Admin\AppData\Local\Temp\fire.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:888

C:\Users\Admin\AppData\Local\Temp\fire.exe
"C:\Users\Admin\AppData\Local\Temp\fire.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:904

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\wbnh"
2⤵
PID:564

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1796

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\fire.exe" "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"
2⤵
PID:1060

C:\Windows\system32\taskeng.exe
taskeng.exe {96A0FE4B-C7EF-4F64-B5FA-23AF4A9C1D89} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1004

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
"C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe" "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"
3⤵
PID:1892

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:768

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\wbnh"
3⤵
PID:1216

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:672

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
"C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\wbnh"
3⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f
3⤵
PID:896

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1772

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe" "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"
3⤵
PID:592

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1008

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
"C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe" "C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe"
3⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f
3⤵
PID:1552

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:2024

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\wbnh"
3⤵
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
Filesize
3.8MB

MD5
86000b0a976dc4a377b2e5192fe30445

SHA1
ad29b138883d7906f8d6e75f2e5f60e5285d4a56

SHA256
11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e

SHA512
4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

Download Submit
C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
Filesize
3.8MB

MD5
86000b0a976dc4a377b2e5192fe30445

SHA1
ad29b138883d7906f8d6e75f2e5f60e5285d4a56

SHA256
11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e

SHA512
4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

Download Submit
C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
Filesize
3.8MB

MD5
86000b0a976dc4a377b2e5192fe30445

SHA1
ad29b138883d7906f8d6e75f2e5f60e5285d4a56

SHA256
11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e

SHA512
4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

Download Submit
C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
Filesize
3.8MB

MD5
86000b0a976dc4a377b2e5192fe30445

SHA1
ad29b138883d7906f8d6e75f2e5f60e5285d4a56

SHA256
11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e

SHA512
4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

Download Submit
C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
Filesize
3.8MB

MD5
86000b0a976dc4a377b2e5192fe30445

SHA1
ad29b138883d7906f8d6e75f2e5f60e5285d4a56

SHA256
11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e

SHA512
4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

Download Submit
C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
Filesize
3.8MB

MD5
86000b0a976dc4a377b2e5192fe30445

SHA1
ad29b138883d7906f8d6e75f2e5f60e5285d4a56

SHA256
11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e

SHA512
4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

Download Submit
C:\Users\Admin\AppData\Roaming\wbnh\wbnh.exe
Filesize
3.8MB

MD5
86000b0a976dc4a377b2e5192fe30445

SHA1
ad29b138883d7906f8d6e75f2e5f60e5285d4a56

SHA256
11fa27c4961acea6b79c28ccdc896bb94276ba6e3edf2e1d33539952abb1c25e

SHA512
4d0be7661db756cee78c7fbbb91705574b5bb82552230277d59b14a2225f84209597473c165243594ef7d335b3f48475d92b48af21092d04320e91ac452e9c19

Download Submit
memory/672-113-0x0000000004670000-0x00000000046B0000-memory.dmp

Filesize
256KB

Download
memory/672-100-0x0000000000070000-0x0000000000446000-memory.dmp

Filesize
3.8MB

Download
memory/888-54-0x00000000012B0000-0x0000000001686000-memory.dmp

Filesize
3.8MB

Download
memory/888-55-0x0000000001200000-0x0000000001240000-memory.dmp

Filesize
256KB

Download
memory/904-73-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/904-95-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/904-71-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/904-72-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/904-61-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/904-74-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/904-75-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/904-76-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/904-77-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/904-60-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/904-59-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/904-62-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/904-56-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/904-94-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/904-58-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/904-69-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/904-96-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/904-97-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/904-98-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/904-68-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/904-64-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/904-57-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/904-63-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/904-114-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/904-115-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1004-80-0x0000000000070000-0x0000000000446000-memory.dmp

Filesize
3.8MB

Download
memory/1856-118-0x0000000000710000-0x0000000000ADE000-memory.dmp

Filesize
3.8MB

Download
memory/1856-122-0x0000000000710000-0x0000000000ADE000-memory.dmp

Filesize
3.8MB

Download
memory/1856-123-0x0000000000710000-0x0000000000ADE000-memory.dmp

Filesize
3.8MB

Download
memory/1856-124-0x0000000000710000-0x0000000000ADE000-memory.dmp

Filesize
3.8MB

Download
memory/1884-88-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads