bitrat | 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-04-2023 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe
Size

3.8MB
MD5

d07b7112b39c9eee7eaeba1adb099543
SHA1

1df70cc161540228240e1dde290ac2f5efcfbb0c
SHA256

1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a
SHA512

9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135
SSDEEP

98304:cCtEONaf1kMdpRfZJDRJwdaUNa8gPgEICG6x098gJ2uCB9Ml:RE0UkkHRJuNawLCG6x+8gJFm

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

74.201.28.92:3569

Attributes

communication_password
148b191cf4e80b549e1b1a4444f2bdf6
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 2 IoCs

Processes:

tewu.exetewu.exe

pid process

1240 tewu.exe
1324 tewu.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

vbc.exevbc.exevbc.exe

pid process

1940 vbc.exe
1940 vbc.exe
1940 vbc.exe
1940 vbc.exe
1268 vbc.exe
1140 vbc.exe

pid	process
1240	tewu.exe
1324	tewu.exe

pid	process
1940	vbc.exe
1940	vbc.exe
1940	vbc.exe
1940	vbc.exe
1268	vbc.exe
1140	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exetewu.exetewu.exe

description	pid	process	target process
PID 1988 set thread context of 1940	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1240 set thread context of 1268	1240	tewu.exe	vbc.exe
PID 1324 set thread context of 1140	1324	tewu.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1664 schtasks.exe
1736 schtasks.exe
1328 schtasks.exe

pid	process
1664	schtasks.exe
1736	schtasks.exe
1328	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

vbc.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1940	vbc.exe
Token: SeShutdownPrivilege	1940	vbc.exe
Token: SeDebugPrivilege	1268	vbc.exe
Token: SeShutdownPrivilege	1268	vbc.exe
Token: SeDebugPrivilege	1140	vbc.exe
Token: SeShutdownPrivilege	1140	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vbc.exe

pid process

1940 vbc.exe
1940 vbc.exe

pid	process
1940	vbc.exe
1940	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.execmd.exetaskeng.exetewu.execmd.exe

description	pid	process	target process
PID 1988 wrote to memory of 1940	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1988 wrote to memory of 1940	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1988 wrote to memory of 1940	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1988 wrote to memory of 1940	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1988 wrote to memory of 1940	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1988 wrote to memory of 1940	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1988 wrote to memory of 1940	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1988 wrote to memory of 1940	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1988 wrote to memory of 1940	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1988 wrote to memory of 1940	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1988 wrote to memory of 1940	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1988 wrote to memory of 1940	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 1988 wrote to memory of 1324	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1988 wrote to memory of 1324	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1988 wrote to memory of 1324	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1988 wrote to memory of 1324	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1988 wrote to memory of 1088	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1988 wrote to memory of 1088	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1988 wrote to memory of 1088	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1988 wrote to memory of 1088	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1988 wrote to memory of 1140	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1988 wrote to memory of 1140	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1988 wrote to memory of 1140	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1988 wrote to memory of 1140	1988	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 1088 wrote to memory of 1664	1088	cmd.exe	schtasks.exe
PID 1088 wrote to memory of 1664	1088	cmd.exe	schtasks.exe
PID 1088 wrote to memory of 1664	1088	cmd.exe	schtasks.exe
PID 1088 wrote to memory of 1664	1088	cmd.exe	schtasks.exe
PID 1144 wrote to memory of 1240	1144	taskeng.exe	tewu.exe
PID 1144 wrote to memory of 1240	1144	taskeng.exe	tewu.exe
PID 1144 wrote to memory of 1240	1144	taskeng.exe	tewu.exe
PID 1144 wrote to memory of 1240	1144	taskeng.exe	tewu.exe
PID 1240 wrote to memory of 1268	1240	tewu.exe	vbc.exe
PID 1240 wrote to memory of 1268	1240	tewu.exe	vbc.exe
PID 1240 wrote to memory of 1268	1240	tewu.exe	vbc.exe
PID 1240 wrote to memory of 1268	1240	tewu.exe	vbc.exe
PID 1240 wrote to memory of 1268	1240	tewu.exe	vbc.exe
PID 1240 wrote to memory of 1268	1240	tewu.exe	vbc.exe
PID 1240 wrote to memory of 1268	1240	tewu.exe	vbc.exe
PID 1240 wrote to memory of 1268	1240	tewu.exe	vbc.exe
PID 1240 wrote to memory of 1268	1240	tewu.exe	vbc.exe
PID 1240 wrote to memory of 1268	1240	tewu.exe	vbc.exe
PID 1240 wrote to memory of 1268	1240	tewu.exe	vbc.exe
PID 1240 wrote to memory of 1268	1240	tewu.exe	vbc.exe
PID 1240 wrote to memory of 1912	1240	tewu.exe	cmd.exe
PID 1240 wrote to memory of 1912	1240	tewu.exe	cmd.exe
PID 1240 wrote to memory of 1912	1240	tewu.exe	cmd.exe
PID 1240 wrote to memory of 1912	1240	tewu.exe	cmd.exe
PID 1240 wrote to memory of 1000	1240	tewu.exe	cmd.exe
PID 1240 wrote to memory of 1000	1240	tewu.exe	cmd.exe
PID 1240 wrote to memory of 1000	1240	tewu.exe	cmd.exe
PID 1240 wrote to memory of 1000	1240	tewu.exe	cmd.exe
PID 1240 wrote to memory of 800	1240	tewu.exe	cmd.exe
PID 1240 wrote to memory of 800	1240	tewu.exe	cmd.exe
PID 1240 wrote to memory of 800	1240	tewu.exe	cmd.exe
PID 1240 wrote to memory of 800	1240	tewu.exe	cmd.exe
PID 1000 wrote to memory of 1736	1000	cmd.exe	schtasks.exe
PID 1000 wrote to memory of 1736	1000	cmd.exe	schtasks.exe
PID 1000 wrote to memory of 1736	1000	cmd.exe	schtasks.exe
PID 1000 wrote to memory of 1736	1000	cmd.exe	schtasks.exe
PID 1144 wrote to memory of 1324	1144	taskeng.exe	tewu.exe
PID 1144 wrote to memory of 1324	1144	taskeng.exe	tewu.exe
PID 1144 wrote to memory of 1324	1144	taskeng.exe	tewu.exe
PID 1144 wrote to memory of 1324	1144	taskeng.exe	tewu.exe

C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe
"C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1940

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
2⤵
PID:1324

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1664

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
2⤵
PID:1140

C:\Windows\system32\taskeng.exe
taskeng.exe {CB6FD2FA-02CE-4455-97BA-7B66B874A708} S-1-5-21-3430344531-3702557399-3004411149-1000:WFSTZEPN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
3⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1736

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
3⤵
PID:800

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
3⤵
PID:1276

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
3⤵
PID:436

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1328

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
3⤵
PID:1752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe

Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe

Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe

Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
memory/1140-121-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1140-119-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1240-85-0x0000000001330000-0x0000000001704000-memory.dmp

Filesize
3.8MB

Download
memory/1268-99-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1268-97-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1324-107-0x0000000001330000-0x0000000001704000-memory.dmp

Filesize
3.8MB

Download
memory/1940-80-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-60-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-66-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-69-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-71-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-72-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-73-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-74-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-75-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-76-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-77-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-78-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-79-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-127-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-81-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-82-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-63-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-61-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-62-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1940-126-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-59-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-100-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-101-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-102-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-103-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-104-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-105-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-58-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-57-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-56-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-55-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-122-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-123-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-124-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1940-125-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1988-64-0x00000000006F0000-0x0000000000730000-memory.dmp

Filesize
256KB

Download
memory/1988-54-0x0000000000CE0000-0x00000000010B4000-memory.dmp

Filesize
3.8MB

Download