bitrat | 954226b2a3caf5b0a7924bdfdcd4f6a551d04f9ed25924c4081c3f749a1ce020

General

Target

1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe
Size

3.8MB
MD5

d07b7112b39c9eee7eaeba1adb099543
SHA1

1df70cc161540228240e1dde290ac2f5efcfbb0c
SHA256

1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a
SHA512

9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135
SSDEEP

98304:cCtEONaf1kMdpRfZJDRJwdaUNa8gPgEICG6x098gJ2uCB9Ml:RE0UkkHRJuNawLCG6x+8gJFm

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

74.201.28.92:3569

Attributes

communication_password
148b191cf4e80b549e1b1a4444f2bdf6
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 2 IoCs

Processes:

tewu.exetewu.exe

pid process

1668 tewu.exe
1724 tewu.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

vbc.exevbc.exevbc.exe

pid process

848 vbc.exe
848 vbc.exe
848 vbc.exe
848 vbc.exe
848 vbc.exe
1660 vbc.exe
580 vbc.exe

pid	process
1668	tewu.exe
1724	tewu.exe

pid	process
848	vbc.exe
848	vbc.exe
848	vbc.exe
848	vbc.exe
848	vbc.exe
1660	vbc.exe
580	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exetewu.exetewu.exe

description	pid	process	target process
PID 1320 set thread context of 848	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1668 set thread context of 1660	1668	tewu.exe	vbc.exe
PID 1724 set thread context of 580	1724	tewu.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2004 schtasks.exe
584 schtasks.exe
1584 schtasks.exe

pid	process
2004	schtasks.exe
584	schtasks.exe
1584	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

vbc.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	848	vbc.exe
Token: SeShutdownPrivilege	848	vbc.exe
Token: SeDebugPrivilege	1660	vbc.exe
Token: SeShutdownPrivilege	1660	vbc.exe
Token: SeDebugPrivilege	580	vbc.exe
Token: SeShutdownPrivilege	580	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vbc.exe

pid process

848 vbc.exe
848 vbc.exe

pid	process
848	vbc.exe
848	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.execmd.exetaskeng.exetewu.execmd.exe

description	pid	process	target process
PID 1320 wrote to memory of 848	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1320 wrote to memory of 848	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1320 wrote to memory of 848	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1320 wrote to memory of 848	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1320 wrote to memory of 848	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1320 wrote to memory of 848	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1320 wrote to memory of 848	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1320 wrote to memory of 848	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1320 wrote to memory of 848	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1320 wrote to memory of 848	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1320 wrote to memory of 848	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1320 wrote to memory of 848	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1320 wrote to memory of 1948	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1320 wrote to memory of 1948	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1320 wrote to memory of 1948	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1320 wrote to memory of 1948	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1320 wrote to memory of 1040	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1320 wrote to memory of 1040	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1320 wrote to memory of 1040	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1320 wrote to memory of 1040	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1320 wrote to memory of 996	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1320 wrote to memory of 996	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1320 wrote to memory of 996	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1320 wrote to memory of 996	1320	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1040 wrote to memory of 584	1040	cmd.exe	schtasks.exe
PID 1040 wrote to memory of 584	1040	cmd.exe	schtasks.exe
PID 1040 wrote to memory of 584	1040	cmd.exe	schtasks.exe
PID 1040 wrote to memory of 584	1040	cmd.exe	schtasks.exe
PID 2036 wrote to memory of 1668	2036	taskeng.exe	tewu.exe
PID 2036 wrote to memory of 1668	2036	taskeng.exe	tewu.exe
PID 2036 wrote to memory of 1668	2036	taskeng.exe	tewu.exe
PID 2036 wrote to memory of 1668	2036	taskeng.exe	tewu.exe
PID 1668 wrote to memory of 1660	1668	tewu.exe	vbc.exe
PID 1668 wrote to memory of 1660	1668	tewu.exe	vbc.exe
PID 1668 wrote to memory of 1660	1668	tewu.exe	vbc.exe
PID 1668 wrote to memory of 1660	1668	tewu.exe	vbc.exe
PID 1668 wrote to memory of 1660	1668	tewu.exe	vbc.exe
PID 1668 wrote to memory of 1660	1668	tewu.exe	vbc.exe
PID 1668 wrote to memory of 1660	1668	tewu.exe	vbc.exe
PID 1668 wrote to memory of 1660	1668	tewu.exe	vbc.exe
PID 1668 wrote to memory of 1660	1668	tewu.exe	vbc.exe
PID 1668 wrote to memory of 1660	1668	tewu.exe	vbc.exe
PID 1668 wrote to memory of 1660	1668	tewu.exe	vbc.exe
PID 1668 wrote to memory of 1660	1668	tewu.exe	vbc.exe
PID 1668 wrote to memory of 1312	1668	tewu.exe	cmd.exe
PID 1668 wrote to memory of 1312	1668	tewu.exe	cmd.exe
PID 1668 wrote to memory of 1312	1668	tewu.exe	cmd.exe
PID 1668 wrote to memory of 1312	1668	tewu.exe	cmd.exe
PID 1668 wrote to memory of 940	1668	tewu.exe	cmd.exe
PID 1668 wrote to memory of 940	1668	tewu.exe	cmd.exe
PID 1668 wrote to memory of 940	1668	tewu.exe	cmd.exe
PID 1668 wrote to memory of 940	1668	tewu.exe	cmd.exe
PID 1668 wrote to memory of 1816	1668	tewu.exe	cmd.exe
PID 1668 wrote to memory of 1816	1668	tewu.exe	cmd.exe
PID 1668 wrote to memory of 1816	1668	tewu.exe	cmd.exe
PID 1668 wrote to memory of 1816	1668	tewu.exe	cmd.exe
PID 940 wrote to memory of 1584	940	cmd.exe	schtasks.exe
PID 940 wrote to memory of 1584	940	cmd.exe	schtasks.exe
PID 940 wrote to memory of 1584	940	cmd.exe	schtasks.exe
PID 940 wrote to memory of 1584	940	cmd.exe	schtasks.exe
PID 2036 wrote to memory of 1724	2036	taskeng.exe	tewu.exe
PID 2036 wrote to memory of 1724	2036	taskeng.exe	tewu.exe
PID 2036 wrote to memory of 1724	2036	taskeng.exe	tewu.exe
PID 2036 wrote to memory of 1724	2036	taskeng.exe	tewu.exe

C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe
"C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:848

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
2⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
2⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
3⤵
- Creates scheduled task(s)
PID:584

C:\Windows\system32\taskeng.exe
taskeng.exe {E7486573-CB93-4D1D-BED5-B162C628DE79} S-1-5-21-2647223082-2067913677-935928954-1000:BPOQNXYB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
3⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1584

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
3⤵
PID:1816

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
3⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
3⤵
PID:112

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
4⤵
- Creates scheduled task(s)
PID:2004

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
3⤵
PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
memory/580-155-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/580-146-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-86-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-127-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-61-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-62-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/848-63-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-67-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-68-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-70-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-71-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-73-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-74-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-75-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-76-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-77-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-78-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-79-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-80-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/848-81-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/848-82-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-84-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-85-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-55-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-56-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-60-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-94-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/848-92-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-93-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-90-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-95-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-59-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-58-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-88-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-57-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-129-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-113-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-87-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-117-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-119-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-121-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-123-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/848-125-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1320-54-0x0000000000DA0000-0x0000000001174000-memory.dmp

Filesize
3.8MB

Download
memory/1660-116-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1660-112-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1668-102-0x0000000000CC0000-0x0000000000D00000-memory.dmp

Filesize
256KB

Download
memory/1668-99-0x0000000001080000-0x0000000001454000-memory.dmp

Filesize
3.8MB

Download
memory/1724-134-0x0000000001080000-0x0000000001454000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads