bitrat | 954226b2a3caf5b0a7924bdfdcd4f6a551d04f9ed25924c4081c3f749a1ce020

General

Target

1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe
Size

3.8MB
MD5

d07b7112b39c9eee7eaeba1adb099543
SHA1

1df70cc161540228240e1dde290ac2f5efcfbb0c
SHA256

1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a
SHA512

9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135
SSDEEP

98304:cCtEONaf1kMdpRfZJDRJwdaUNa8gPgEICG6x098gJ2uCB9Ml:RE0UkkHRJuNawLCG6x+8gJFm

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

74.201.28.92:3569

Attributes

communication_password
148b191cf4e80b549e1b1a4444f2bdf6
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 2 IoCs

Processes:

tewu.exetewu.exe

pid process

2728 tewu.exe
2620 tewu.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2728	tewu.exe
2620	tewu.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exetewu.exetewu.exe

description	pid	process	target process
PID 5024 set thread context of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 2728 set thread context of 552	2728	tewu.exe	vbc.exe
PID 2620 set thread context of 1688	2620	tewu.exe	vbc.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1972 3124 WerFault.exe vbc.exe
2628 552 WerFault.exe vbc.exe
3608 1688 WerFault.exe vbc.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4600 schtasks.exe
4928 schtasks.exe
4920 schtasks.exe

pid	pid_target	process	target process
1972	3124	WerFault.exe	vbc.exe
2628	552	WerFault.exe	vbc.exe
3608	1688	WerFault.exe	vbc.exe

pid	process
4600	schtasks.exe
4928	schtasks.exe
4920	schtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.execmd.exetewu.execmd.exetewu.exe

description	pid	process	target process
PID 5024 wrote to memory of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 5024 wrote to memory of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 5024 wrote to memory of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 5024 wrote to memory of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 5024 wrote to memory of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 5024 wrote to memory of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 5024 wrote to memory of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 5024 wrote to memory of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 5024 wrote to memory of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 5024 wrote to memory of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 5024 wrote to memory of 3124	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 5024 wrote to memory of 752	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 5024 wrote to memory of 752	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 5024 wrote to memory of 752	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 5024 wrote to memory of 3876	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 5024 wrote to memory of 3876	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 5024 wrote to memory of 3876	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 5024 wrote to memory of 4092	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 5024 wrote to memory of 4092	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 5024 wrote to memory of 4092	5024	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 3876 wrote to memory of 4600	3876	cmd.exe	schtasks.exe
PID 3876 wrote to memory of 4600	3876	cmd.exe	schtasks.exe
PID 3876 wrote to memory of 4600	3876	cmd.exe	schtasks.exe
PID 2728 wrote to memory of 552	2728	tewu.exe	vbc.exe
PID 2728 wrote to memory of 552	2728	tewu.exe	vbc.exe
PID 2728 wrote to memory of 552	2728	tewu.exe	vbc.exe
PID 2728 wrote to memory of 552	2728	tewu.exe	vbc.exe
PID 2728 wrote to memory of 552	2728	tewu.exe	vbc.exe
PID 2728 wrote to memory of 552	2728	tewu.exe	vbc.exe
PID 2728 wrote to memory of 552	2728	tewu.exe	vbc.exe
PID 2728 wrote to memory of 552	2728	tewu.exe	vbc.exe
PID 2728 wrote to memory of 552	2728	tewu.exe	vbc.exe
PID 2728 wrote to memory of 552	2728	tewu.exe	vbc.exe
PID 2728 wrote to memory of 552	2728	tewu.exe	vbc.exe
PID 2728 wrote to memory of 4968	2728	tewu.exe	cmd.exe
PID 2728 wrote to memory of 4968	2728	tewu.exe	cmd.exe
PID 2728 wrote to memory of 4968	2728	tewu.exe	cmd.exe
PID 2728 wrote to memory of 4092	2728	tewu.exe	cmd.exe
PID 2728 wrote to memory of 4092	2728	tewu.exe	cmd.exe
PID 2728 wrote to memory of 4092	2728	tewu.exe	cmd.exe
PID 2728 wrote to memory of 3468	2728	tewu.exe	cmd.exe
PID 2728 wrote to memory of 3468	2728	tewu.exe	cmd.exe
PID 2728 wrote to memory of 3468	2728	tewu.exe	cmd.exe
PID 4092 wrote to memory of 4928	4092	cmd.exe	schtasks.exe
PID 4092 wrote to memory of 4928	4092	cmd.exe	schtasks.exe
PID 4092 wrote to memory of 4928	4092	cmd.exe	schtasks.exe
PID 2620 wrote to memory of 1688	2620	tewu.exe	vbc.exe
PID 2620 wrote to memory of 1688	2620	tewu.exe	vbc.exe
PID 2620 wrote to memory of 1688	2620	tewu.exe	vbc.exe
PID 2620 wrote to memory of 1688	2620	tewu.exe	vbc.exe
PID 2620 wrote to memory of 1688	2620	tewu.exe	vbc.exe
PID 2620 wrote to memory of 1688	2620	tewu.exe	vbc.exe
PID 2620 wrote to memory of 1688	2620	tewu.exe	vbc.exe
PID 2620 wrote to memory of 1688	2620	tewu.exe	vbc.exe
PID 2620 wrote to memory of 1688	2620	tewu.exe	vbc.exe
PID 2620 wrote to memory of 1688	2620	tewu.exe	vbc.exe
PID 2620 wrote to memory of 1688	2620	tewu.exe	vbc.exe
PID 2620 wrote to memory of 3928	2620	tewu.exe	cmd.exe
PID 2620 wrote to memory of 3928	2620	tewu.exe	cmd.exe
PID 2620 wrote to memory of 3928	2620	tewu.exe	cmd.exe
PID 2620 wrote to memory of 4120	2620	tewu.exe	cmd.exe
PID 2620 wrote to memory of 4120	2620	tewu.exe	cmd.exe
PID 2620 wrote to memory of 4120	2620	tewu.exe	cmd.exe
PID 2620 wrote to memory of 3656	2620	tewu.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe
"C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 188
3⤵
- Program crash
PID:1972

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
2⤵
PID:752

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
2⤵
PID:4092

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3124 -ip 3124
1⤵
PID:320

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 188
3⤵
- Program crash
PID:2628

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
2⤵
PID:4968

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4928

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
2⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 552 -ip 552
1⤵
PID:3020

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 188
3⤵
- Program crash
PID:3608

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
2⤵
PID:3928

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
2⤵
PID:4120

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4920

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
2⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1688 -ip 1688
1⤵
PID:2708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tewu.exe.log

Filesize
517B

MD5
13f84b613e6a4dd2d82f7c44b2295a04

SHA1
f9e07213c2825ecb28e732f3e66e07625747c4b3

SHA256
d9c52c1eb0b6a04d3495ab971da2c6d01b0964a8b04fd173bfb351820b255c33

SHA512
3a2aca3d21bff43e36de5d9c97b0d1a9c972ee5ab0d9322a3615c0820042a7c9c4c0f2d41522fb4f2347b9a1679b63c91dcf5dc75444ba64c736e2cdcf10ee7d

Download Submit
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe

Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe

Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe

Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
memory/552-153-0x0000000000B00000-0x0000000000ECE000-memory.dmp

Filesize
3.8MB

Download
memory/552-157-0x0000000000B00000-0x0000000000ECE000-memory.dmp

Filesize
3.8MB

Download
memory/1688-165-0x0000000001200000-0x00000000015CE000-memory.dmp

Filesize
3.8MB

Download
memory/1688-169-0x0000000001200000-0x00000000015CE000-memory.dmp

Filesize
3.8MB

Download
memory/3124-144-0x0000000001100000-0x00000000014CE000-memory.dmp

Filesize
3.8MB

Download
memory/3124-140-0x0000000001100000-0x00000000014CE000-memory.dmp

Filesize
3.8MB

Download
memory/3124-135-0x0000000001100000-0x00000000014CE000-memory.dmp

Filesize
3.8MB

Download
memory/5024-133-0x0000000000770000-0x0000000000B44000-memory.dmp

Filesize
3.8MB

Download
memory/5024-134-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads