bitrat | 954226b2a3caf5b0a7924bdfdcd4f6a551d04f9ed25924c4081c3f749a1ce020

Analysis

max time kernel
107s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-03-2023 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe
Size

3.8MB
MD5

d07b7112b39c9eee7eaeba1adb099543
SHA1

1df70cc161540228240e1dde290ac2f5efcfbb0c
SHA256

1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a
SHA512

9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135
SSDEEP

98304:cCtEONaf1kMdpRfZJDRJwdaUNa8gPgEICG6x098gJ2uCB9Ml:RE0UkkHRJuNawLCG6x+8gJFm

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

74.201.28.92:3569

Attributes

communication_password
148b191cf4e80b549e1b1a4444f2bdf6
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Executes dropped EXE 2 IoCs

pid	Process
2728	tewu.exe
2620	tewu.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5024 set thread context of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	85
PID 2728 set thread context of 552	2728	tewu.exe	106
PID 2620 set thread context of 1688	2620	tewu.exe	121

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1972	3124	WerFault.exe	85
2628	552	WerFault.exe	106
3608	1688	WerFault.exe	121

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4600	schtasks.exe
4928	schtasks.exe
4920	schtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	85
PID 5024 wrote to memory of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	85
PID 5024 wrote to memory of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	85
PID 5024 wrote to memory of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	85
PID 5024 wrote to memory of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	85
PID 5024 wrote to memory of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	85
PID 5024 wrote to memory of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	85
PID 5024 wrote to memory of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	85
PID 5024 wrote to memory of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	85
PID 5024 wrote to memory of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	85
PID 5024 wrote to memory of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	85
PID 5024 wrote to memory of 752	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	86
PID 5024 wrote to memory of 752	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	86
PID 5024 wrote to memory of 752	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	86
PID 5024 wrote to memory of 3876	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	91
PID 5024 wrote to memory of 3876	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	91
PID 5024 wrote to memory of 3876	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	91
PID 5024 wrote to memory of 4092	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	89
PID 5024 wrote to memory of 4092	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	89
PID 5024 wrote to memory of 4092	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	89
PID 3876 wrote to memory of 4600	3876	cmd.exe	94
PID 3876 wrote to memory of 4600	3876	cmd.exe	94
PID 3876 wrote to memory of 4600	3876	cmd.exe	94
PID 2728 wrote to memory of 552	2728	tewu.exe	106
PID 2728 wrote to memory of 552	2728	tewu.exe	106
PID 2728 wrote to memory of 552	2728	tewu.exe	106
PID 2728 wrote to memory of 552	2728	tewu.exe	106
PID 2728 wrote to memory of 552	2728	tewu.exe	106
PID 2728 wrote to memory of 552	2728	tewu.exe	106
PID 2728 wrote to memory of 552	2728	tewu.exe	106
PID 2728 wrote to memory of 552	2728	tewu.exe	106
PID 2728 wrote to memory of 552	2728	tewu.exe	106
PID 2728 wrote to memory of 552	2728	tewu.exe	106
PID 2728 wrote to memory of 552	2728	tewu.exe	106
PID 2728 wrote to memory of 4968	2728	tewu.exe	107
PID 2728 wrote to memory of 4968	2728	tewu.exe	107
PID 2728 wrote to memory of 4968	2728	tewu.exe	107
PID 2728 wrote to memory of 4092	2728	tewu.exe	109
PID 2728 wrote to memory of 4092	2728	tewu.exe	109
PID 2728 wrote to memory of 4092	2728	tewu.exe	109
PID 2728 wrote to memory of 3468	2728	tewu.exe	111
PID 2728 wrote to memory of 3468	2728	tewu.exe	111
PID 2728 wrote to memory of 3468	2728	tewu.exe	111
PID 4092 wrote to memory of 4928	4092	cmd.exe	114
PID 4092 wrote to memory of 4928	4092	cmd.exe	114
PID 4092 wrote to memory of 4928	4092	cmd.exe	114
PID 2620 wrote to memory of 1688	2620	tewu.exe	121
PID 2620 wrote to memory of 1688	2620	tewu.exe	121
PID 2620 wrote to memory of 1688	2620	tewu.exe	121
PID 2620 wrote to memory of 1688	2620	tewu.exe	121
PID 2620 wrote to memory of 1688	2620	tewu.exe	121
PID 2620 wrote to memory of 1688	2620	tewu.exe	121
PID 2620 wrote to memory of 1688	2620	tewu.exe	121
PID 2620 wrote to memory of 1688	2620	tewu.exe	121
PID 2620 wrote to memory of 1688	2620	tewu.exe	121
PID 2620 wrote to memory of 1688	2620	tewu.exe	121
PID 2620 wrote to memory of 1688	2620	tewu.exe	121
PID 2620 wrote to memory of 3928	2620	tewu.exe	122
PID 2620 wrote to memory of 3928	2620	tewu.exe	122
PID 2620 wrote to memory of 3928	2620	tewu.exe	122
PID 2620 wrote to memory of 4120	2620	tewu.exe	123
PID 2620 wrote to memory of 4120	2620	tewu.exe	123
PID 2620 wrote to memory of 4120	2620	tewu.exe	123
PID 2620 wrote to memory of 3656	2620	tewu.exe	125

C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe
"C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:3124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 188
    3⤵
    - Program crash
    PID:1972
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
  2⤵
  PID:752
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
  2⤵
  PID:4092
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3124 -ip 3124
1⤵
PID:320

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 188
    3⤵
    - Program crash
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
  2⤵
  PID:4968
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4928
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
  2⤵
  PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 552 -ip 552
1⤵
PID:3020

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 188
    3⤵
    - Program crash
    PID:3608
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
  2⤵
  PID:3928
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
  2⤵
  PID:4120
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4920
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
  2⤵
  PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1688 -ip 1688
1⤵
PID:2708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tewu.exe.log

Filesize
517B

MD5
13f84b613e6a4dd2d82f7c44b2295a04

SHA1
f9e07213c2825ecb28e732f3e66e07625747c4b3

SHA256
d9c52c1eb0b6a04d3495ab971da2c6d01b0964a8b04fd173bfb351820b255c33

SHA512
3a2aca3d21bff43e36de5d9c97b0d1a9c972ee5ab0d9322a3615c0820042a7c9c4c0f2d41522fb4f2347b9a1679b63c91dcf5dc75444ba64c736e2cdcf10ee7d

Download Submit
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe

Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe

Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe

Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
memory/552-153-0x0000000000B00000-0x0000000000ECE000-memory.dmp

Filesize
3.8MB

Download
memory/552-157-0x0000000000B00000-0x0000000000ECE000-memory.dmp

Filesize
3.8MB

Download
memory/1688-165-0x0000000001200000-0x00000000015CE000-memory.dmp

Filesize
3.8MB

Download
memory/1688-169-0x0000000001200000-0x00000000015CE000-memory.dmp

Filesize
3.8MB

Download
memory/3124-144-0x0000000001100000-0x00000000014CE000-memory.dmp

Filesize
3.8MB

Download
memory/3124-140-0x0000000001100000-0x00000000014CE000-memory.dmp

Filesize
3.8MB

Download
memory/3124-135-0x0000000001100000-0x00000000014CE000-memory.dmp

Filesize
3.8MB

Download
memory/5024-133-0x0000000000770000-0x0000000000B44000-memory.dmp

Filesize
3.8MB

Download
memory/5024-134-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads