bitrat | 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

General

Target

1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe
Size

3.8MB
MD5

d07b7112b39c9eee7eaeba1adb099543
SHA1

1df70cc161540228240e1dde290ac2f5efcfbb0c
SHA256

1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a
SHA512

9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135
SSDEEP

98304:cCtEONaf1kMdpRfZJDRJwdaUNa8gPgEICG6x098gJ2uCB9Ml:RE0UkkHRJuNawLCG6x+8gJFm

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

74.201.28.92:3569

Attributes

communication_password
148b191cf4e80b549e1b1a4444f2bdf6
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 2 IoCs

Processes:

tewu.exetewu.exe

pid process

3056 tewu.exe
836 tewu.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3056	tewu.exe
836	tewu.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exetewu.exetewu.exe

description	pid	process	target process
PID 2100 set thread context of 3480	2100	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 3056 set thread context of 4656	3056	tewu.exe	vbc.exe
PID 836 set thread context of 3976	836	tewu.exe	vbc.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1260 3480 WerFault.exe vbc.exe
3804 4656 WerFault.exe vbc.exe
4212 3976 WerFault.exe vbc.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4684 schtasks.exe
1788 schtasks.exe
1160 schtasks.exe

pid	pid_target	process	target process
1260	3480	WerFault.exe	vbc.exe
3804	4656	WerFault.exe	vbc.exe
4212	3976	WerFault.exe	vbc.exe

pid	process
4684	schtasks.exe
1788	schtasks.exe
1160	schtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.execmd.exetewu.execmd.exetewu.exe

description	pid	process	target process
PID 2100 wrote to memory of 3480	2100	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 2100 wrote to memory of 3480	2100	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 2100 wrote to memory of 3480	2100	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 2100 wrote to memory of 3480	2100	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 2100 wrote to memory of 3480	2100	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 2100 wrote to memory of 3480	2100	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 2100 wrote to memory of 3480	2100	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 2100 wrote to memory of 3480	2100	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 2100 wrote to memory of 3480	2100	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 2100 wrote to memory of 3480	2100	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 2100 wrote to memory of 3480	2100	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	vbc.exe
PID 2100 wrote to memory of 1400	2100	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 2100 wrote to memory of 1400	2100	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 2100 wrote to memory of 1400	2100	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 2100 wrote to memory of 2736	2100	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 2100 wrote to memory of 2736	2100	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 2100 wrote to memory of 2736	2100	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 2100 wrote to memory of 4880	2100	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 2100 wrote to memory of 4880	2100	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 2100 wrote to memory of 4880	2100	1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe	cmd.exe
PID 2736 wrote to memory of 1788	2736	cmd.exe	schtasks.exe
PID 2736 wrote to memory of 1788	2736	cmd.exe	schtasks.exe
PID 2736 wrote to memory of 1788	2736	cmd.exe	schtasks.exe
PID 3056 wrote to memory of 4656	3056	tewu.exe	vbc.exe
PID 3056 wrote to memory of 4656	3056	tewu.exe	vbc.exe
PID 3056 wrote to memory of 4656	3056	tewu.exe	vbc.exe
PID 3056 wrote to memory of 4656	3056	tewu.exe	vbc.exe
PID 3056 wrote to memory of 4656	3056	tewu.exe	vbc.exe
PID 3056 wrote to memory of 4656	3056	tewu.exe	vbc.exe
PID 3056 wrote to memory of 4656	3056	tewu.exe	vbc.exe
PID 3056 wrote to memory of 4656	3056	tewu.exe	vbc.exe
PID 3056 wrote to memory of 4656	3056	tewu.exe	vbc.exe
PID 3056 wrote to memory of 4656	3056	tewu.exe	vbc.exe
PID 3056 wrote to memory of 4656	3056	tewu.exe	vbc.exe
PID 3056 wrote to memory of 3980	3056	tewu.exe	cmd.exe
PID 3056 wrote to memory of 3980	3056	tewu.exe	cmd.exe
PID 3056 wrote to memory of 3980	3056	tewu.exe	cmd.exe
PID 3056 wrote to memory of 3964	3056	tewu.exe	cmd.exe
PID 3056 wrote to memory of 3964	3056	tewu.exe	cmd.exe
PID 3056 wrote to memory of 3964	3056	tewu.exe	cmd.exe
PID 3056 wrote to memory of 4504	3056	tewu.exe	cmd.exe
PID 3056 wrote to memory of 4504	3056	tewu.exe	cmd.exe
PID 3056 wrote to memory of 4504	3056	tewu.exe	cmd.exe
PID 3964 wrote to memory of 1160	3964	cmd.exe	schtasks.exe
PID 3964 wrote to memory of 1160	3964	cmd.exe	schtasks.exe
PID 3964 wrote to memory of 1160	3964	cmd.exe	schtasks.exe
PID 836 wrote to memory of 3976	836	tewu.exe	vbc.exe
PID 836 wrote to memory of 3976	836	tewu.exe	vbc.exe
PID 836 wrote to memory of 3976	836	tewu.exe	vbc.exe
PID 836 wrote to memory of 3976	836	tewu.exe	vbc.exe
PID 836 wrote to memory of 3976	836	tewu.exe	vbc.exe
PID 836 wrote to memory of 3976	836	tewu.exe	vbc.exe
PID 836 wrote to memory of 3976	836	tewu.exe	vbc.exe
PID 836 wrote to memory of 3976	836	tewu.exe	vbc.exe
PID 836 wrote to memory of 3976	836	tewu.exe	vbc.exe
PID 836 wrote to memory of 3976	836	tewu.exe	vbc.exe
PID 836 wrote to memory of 3976	836	tewu.exe	vbc.exe
PID 836 wrote to memory of 3812	836	tewu.exe	cmd.exe
PID 836 wrote to memory of 3812	836	tewu.exe	cmd.exe
PID 836 wrote to memory of 3812	836	tewu.exe	cmd.exe
PID 836 wrote to memory of 1044	836	tewu.exe	cmd.exe
PID 836 wrote to memory of 1044	836	tewu.exe	cmd.exe
PID 836 wrote to memory of 1044	836	tewu.exe	cmd.exe
PID 836 wrote to memory of 4204	836	tewu.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe
"C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 188
3⤵
- Program crash
PID:1260

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
2⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
2⤵
PID:4880

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3480 -ip 3480
1⤵
PID:1380

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 188
3⤵
- Program crash
PID:3804

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
2⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1160

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
2⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4656 -ip 4656
1⤵
PID:4752

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 188
3⤵
- Program crash
PID:4212

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
2⤵
PID:3812

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
2⤵
PID:1044

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4684

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
2⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3976 -ip 3976
1⤵
PID:4956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tewu.exe.log

Filesize
517B

MD5
13f84b613e6a4dd2d82f7c44b2295a04

SHA1
f9e07213c2825ecb28e732f3e66e07625747c4b3

SHA256
d9c52c1eb0b6a04d3495ab971da2c6d01b0964a8b04fd173bfb351820b255c33

SHA512
3a2aca3d21bff43e36de5d9c97b0d1a9c972ee5ab0d9322a3615c0820042a7c9c4c0f2d41522fb4f2347b9a1679b63c91dcf5dc75444ba64c736e2cdcf10ee7d

Download Submit
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe

Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe

Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe

Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
memory/836-164-0x0000000005C40000-0x0000000005C50000-memory.dmp

Filesize
64KB

Download
memory/2100-134-0x0000000005780000-0x00000000057E6000-memory.dmp

Filesize
408KB

Download
memory/2100-133-0x0000000000A70000-0x0000000000E44000-memory.dmp

Filesize
3.8MB

Download
memory/3056-151-0x00000000058C0000-0x00000000058D0000-memory.dmp

Filesize
64KB

Download
memory/3480-141-0x0000000000FA0000-0x000000000136E000-memory.dmp

Filesize
3.8MB

Download
memory/3480-145-0x0000000000FA0000-0x000000000136E000-memory.dmp

Filesize
3.8MB

Download
memory/3480-136-0x0000000000FA0000-0x000000000136E000-memory.dmp

Filesize
3.8MB

Download
memory/3976-174-0x0000000000D00000-0x00000000010CE000-memory.dmp

Filesize
3.8MB

Download
memory/4656-161-0x0000000000D00000-0x00000000010CE000-memory.dmp

Filesize
3.8MB

Download
memory/4656-156-0x0000000000D00000-0x00000000010CE000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads