bitrat | 680493394907af7edb8c6c3c80d04561d7e597ad751900fb064af285e7aaf57b

Analysis

max time kernel
188s
max time network
210s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
25-05-2023 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

680493394907af7edb8c6c3c80d04561d7e597ad751900fb064af285e7aaf57b.exe
Size

3.2MB
MD5

af19789d0289ff3e415dd28e6cfa4a92
SHA1

c71c49ddc98dea032688c80d253e36efc3541bbc
SHA256

680493394907af7edb8c6c3c80d04561d7e597ad751900fb064af285e7aaf57b
SHA512

730ee3b6f37b39dbab89d4f4861c420c46f353f00a6065e0b681214bf6e7d0af34eb60e5d2c743a2570a70e2e7d090ca4a7a705c71c97d8eff6f555cf6152972
SSDEEP

49152:meAQahgmy5H5xwSc3qAfWgKn7YtXT8kNEWQ8htSYJF5RnRmMEv9gvB/R6GnpBTeJ:mxO5O3qAfWgKnQwMZQ8/rrR8v9Q7FCyQ

Score

10^/10

bitrat rhadamanthys stealer trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

179.43.142.55:1995

Attributes

communication_password
a76d949640a165da25ccfe9a8fd82c8a
tor_process
tor

Extracted

Family

rhadamanthys

http://163.123.142.243/lekamapopo/6bw0pk.h5m8

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detect rhadamanthys stealer shellcode 4 IoCs

resource	yara_rule
behavioral1/memory/5072-87-0x0000000002EB0000-0x0000000002ECC000-memory.dmp	family_rhadamanthys
behavioral1/memory/5072-88-0x0000000002EB0000-0x0000000002ECC000-memory.dmp	family_rhadamanthys
behavioral1/memory/5072-89-0x0000000002EB0000-0x0000000002ECC000-memory.dmp	family_rhadamanthys
behavioral1/memory/5072-92-0x0000000002EB0000-0x0000000002ECC000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Blocklisted process makes network request 14 IoCs

flow	pid	Process
5	4624	rundll32.exe
7	4624	rundll32.exe
8	5072	rundll32.exe
9	5072	rundll32.exe
15	5072	rundll32.exe
16	5072	rundll32.exe
17	4624	rundll32.exe
18	5072	rundll32.exe
19	5072	rundll32.exe
20	5072	rundll32.exe
22	5072	rundll32.exe
23	4624	rundll32.exe
24	5072	rundll32.exe
28	5072	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
5084	rundll32.exe
2960	rundll32.exe
4668	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4624	rundll32.exe
4624	rundll32.exe
4624	rundll32.exe
4624	rundll32.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 5084 set thread context of 4624	5084	rundll32.exe	74
PID 5084 set thread context of 4624	5084	rundll32.exe	74
PID 5084 set thread context of 4624	5084	rundll32.exe	74
PID 4668 set thread context of 5072	4668	rundll32.exe	75
PID 4668 set thread context of 5072	4668	rundll32.exe	75
PID 4668 set thread context of 5072	4668	rundll32.exe	75
PID 2960 set thread context of 4932	2960	rundll32.exe	77
PID 2960 set thread context of 4932	2960	rundll32.exe	77
PID 2960 set thread context of 4932	2960	rundll32.exe	77

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4624	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4624	rundll32.exe
4624	rundll32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 5084	2316	680493394907af7edb8c6c3c80d04561d7e597ad751900fb064af285e7aaf57b.exe	70
PID 2316 wrote to memory of 5084	2316	680493394907af7edb8c6c3c80d04561d7e597ad751900fb064af285e7aaf57b.exe	70
PID 2316 wrote to memory of 5084	2316	680493394907af7edb8c6c3c80d04561d7e597ad751900fb064af285e7aaf57b.exe	70
PID 2316 wrote to memory of 2960	2316	680493394907af7edb8c6c3c80d04561d7e597ad751900fb064af285e7aaf57b.exe	71
PID 2316 wrote to memory of 2960	2316	680493394907af7edb8c6c3c80d04561d7e597ad751900fb064af285e7aaf57b.exe	71
PID 2316 wrote to memory of 2960	2316	680493394907af7edb8c6c3c80d04561d7e597ad751900fb064af285e7aaf57b.exe	71
PID 2316 wrote to memory of 4668	2316	680493394907af7edb8c6c3c80d04561d7e597ad751900fb064af285e7aaf57b.exe	72
PID 2316 wrote to memory of 4668	2316	680493394907af7edb8c6c3c80d04561d7e597ad751900fb064af285e7aaf57b.exe	72
PID 2316 wrote to memory of 4668	2316	680493394907af7edb8c6c3c80d04561d7e597ad751900fb064af285e7aaf57b.exe	72
PID 5084 wrote to memory of 4624	5084	rundll32.exe	74
PID 5084 wrote to memory of 4624	5084	rundll32.exe	74
PID 5084 wrote to memory of 4624	5084	rundll32.exe	74
PID 5084 wrote to memory of 4624	5084	rundll32.exe	74
PID 5084 wrote to memory of 4624	5084	rundll32.exe	74
PID 5084 wrote to memory of 4624	5084	rundll32.exe	74
PID 5084 wrote to memory of 4624	5084	rundll32.exe	74
PID 4668 wrote to memory of 5072	4668	rundll32.exe	75
PID 4668 wrote to memory of 5072	4668	rundll32.exe	75
PID 4668 wrote to memory of 5072	4668	rundll32.exe	75
PID 4668 wrote to memory of 5072	4668	rundll32.exe	75
PID 4668 wrote to memory of 5072	4668	rundll32.exe	75
PID 4668 wrote to memory of 5072	4668	rundll32.exe	75
PID 4668 wrote to memory of 5072	4668	rundll32.exe	75
PID 2960 wrote to memory of 4932	2960	rundll32.exe	77
PID 2960 wrote to memory of 4932	2960	rundll32.exe	77
PID 2960 wrote to memory of 4932	2960	rundll32.exe	77
PID 2960 wrote to memory of 4932	2960	rundll32.exe	77
PID 2960 wrote to memory of 4932	2960	rundll32.exe	77
PID 2960 wrote to memory of 4932	2960	rundll32.exe	77
PID 2960 wrote to memory of 4932	2960	rundll32.exe	77

C:\Users\Admin\AppData\Local\Temp\680493394907af7edb8c6c3c80d04561d7e597ad751900fb064af285e7aaf57b.exe
"C:\Users\Admin\AppData\Local\Temp\680493394907af7edb8c6c3c80d04561d7e597ad751900fb064af285e7aaf57b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 zlib1.dll,gzungetc
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\SysWOW64\rundll32.exe"
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4624
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 zlib32.dll,gzungetc
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\WerFault.exe
    "C:\Windows\System32\WerFault.exe"
    3⤵
    PID:4932
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 zlib64.dll,gzungetc
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\SysWOW64\rundll32.exe"
    3⤵
    - Blocklisted process makes network request
    PID:5072

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ArmadDispleynetwo\ArmadDispleynetwo.exe

Filesize
59KB

MD5
f57886ace1ab4972b0308f69b1a0029c

SHA1
519b2a981cb522ed2b0901f9871f9aa9781a6cd5

SHA256
2be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852

SHA512
c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8

Download Submit
C:\ProgramData\ElrSoundDisplayHelper\ElrSoundDisplayHelper.exe

Filesize
59KB

MD5
f57886ace1ab4972b0308f69b1a0029c

SHA1
519b2a981cb522ed2b0901f9871f9aa9781a6cd5

SHA256
2be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852

SHA512
c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Freasntmp\zlib1.dll

Filesize
2.6MB

MD5
82800db9f991ebe0957d1c2b22baaa3f

SHA1
8dd9e22a89402be5cdeaeb287c19587047b8d4e8

SHA256
431a296814439b6b6edd4fe155b7ef03d3ac7bf26b9c85632d5ffedea28d6122

SHA512
f5a0a82dc1ebb8b74727e8ed5e984b634e123be70e4a55a6c6138902eda9899678407cb47c12c3143bbcfd5555250626a9ae4459e81a634ef8b678d3101576f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Freasntmp\zlib32.dll

Filesize
241KB

MD5
170ecc123e06d6ceb27318b720a32897

SHA1
458e3faf27edbe7eb93ed3edc50ef65bf8db204b

SHA256
65de3437c7f6bf4a2ceb2c0ef3aa46ad82687a76b7c609f8b39ceb937e899a23

SHA512
132fbc05ff9764c3e5c120222eed7025ccc7727513cd6bb253e2fdcdec88226bb76360b7c5193197ffdd1fcf1ff957288dbe34527bcccf9e9509accdfc66d12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Freasntmp\zlib64.dll

Filesize
399KB

MD5
8bc379e8f3d3a9921ded76ce8346d098

SHA1
6fa2ee7ce9b15e758ed9e9fcccf4df8b9e46089f

SHA256
7e8b7219994c2076f5413b067da77a640b432b4472d8765ec71f5ff75ac9ae68

SHA512
a149ba05408a91b4d99feaec26112680b8e9e00bf252ac4c2dbe02fdce81307fce1abc95bbdaeb3fc207a094de7053a6235f9f0f02fb208f5ab2673d0b60bd84

Download Submit
\Users\Admin\AppData\Local\Temp\Freasntmp\zlib1.dll

Filesize
2.6MB

MD5
82800db9f991ebe0957d1c2b22baaa3f

SHA1
8dd9e22a89402be5cdeaeb287c19587047b8d4e8

SHA256
431a296814439b6b6edd4fe155b7ef03d3ac7bf26b9c85632d5ffedea28d6122

SHA512
f5a0a82dc1ebb8b74727e8ed5e984b634e123be70e4a55a6c6138902eda9899678407cb47c12c3143bbcfd5555250626a9ae4459e81a634ef8b678d3101576f4

Download Submit
\Users\Admin\AppData\Local\Temp\Freasntmp\zlib32.dll

Filesize
241KB

MD5
170ecc123e06d6ceb27318b720a32897

SHA1
458e3faf27edbe7eb93ed3edc50ef65bf8db204b

SHA256
65de3437c7f6bf4a2ceb2c0ef3aa46ad82687a76b7c609f8b39ceb937e899a23

SHA512
132fbc05ff9764c3e5c120222eed7025ccc7727513cd6bb253e2fdcdec88226bb76360b7c5193197ffdd1fcf1ff957288dbe34527bcccf9e9509accdfc66d12f

Download Submit
\Users\Admin\AppData\Local\Temp\Freasntmp\zlib64.dll

Filesize
399KB

MD5
8bc379e8f3d3a9921ded76ce8346d098

SHA1
6fa2ee7ce9b15e758ed9e9fcccf4df8b9e46089f

SHA256
7e8b7219994c2076f5413b067da77a640b432b4472d8765ec71f5ff75ac9ae68

SHA512
a149ba05408a91b4d99feaec26112680b8e9e00bf252ac4c2dbe02fdce81307fce1abc95bbdaeb3fc207a094de7053a6235f9f0f02fb208f5ab2673d0b60bd84

Download Submit
memory/2960-12-0x0000000062E80000-0x0000000062EC4000-memory.dmp

Filesize
272KB

Download
memory/2960-57-0x0000000062E80000-0x0000000062EC4000-memory.dmp

Filesize
272KB

Download
memory/4624-44-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4624-20-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4624-31-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4624-32-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4624-37-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4624-41-0x0000000072880000-0x00000000728BA000-memory.dmp

Filesize
232KB

Download
memory/4624-42-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4624-40-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4624-39-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4624-43-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4624-94-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4624-45-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4624-46-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4624-47-0x0000000072860000-0x000000007289A000-memory.dmp

Filesize
232KB

Download
memory/4624-95-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4624-28-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/4624-96-0x0000000072830000-0x000000007286A000-memory.dmp

Filesize
232KB

Download
memory/4624-101-0x0000000072830000-0x000000007286A000-memory.dmp

Filesize
232KB

Download
memory/4624-100-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4624-102-0x0000000072830000-0x000000007286A000-memory.dmp

Filesize
232KB

Download
memory/4624-97-0x0000000072880000-0x00000000728BA000-memory.dmp

Filesize
232KB

Download
memory/4624-98-0x0000000072860000-0x000000007289A000-memory.dmp

Filesize
232KB

Download
memory/4624-82-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4624-83-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4624-84-0x0000000072830000-0x000000007286A000-memory.dmp

Filesize
232KB

Download
memory/4624-99-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4668-19-0x0000000062E80000-0x0000000062EEC000-memory.dmp

Filesize
432KB

Download
memory/4668-49-0x0000000062E80000-0x0000000062EEC000-memory.dmp

Filesize
432KB

Download
memory/4932-78-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4932-71-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/5072-50-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5072-91-0x0000000002FF0000-0x00000000030F0000-memory.dmp

Filesize
1024KB

Download
memory/5072-92-0x0000000002EB0000-0x0000000002ECC000-memory.dmp

Filesize
112KB

Download
memory/5072-90-0x0000000002FF0000-0x00000000030F0000-memory.dmp

Filesize
1024KB

Download
memory/5072-89-0x0000000002EB0000-0x0000000002ECC000-memory.dmp

Filesize
112KB

Download
memory/5072-88-0x0000000002EB0000-0x0000000002ECC000-memory.dmp

Filesize
112KB

Download
memory/5072-87-0x0000000002EB0000-0x0000000002ECC000-memory.dmp

Filesize
112KB

Download
memory/5072-86-0x0000000002FF0000-0x00000000030F0000-memory.dmp

Filesize
1024KB

Download
memory/5072-85-0x0000000002FF0000-0x00000000030F0000-memory.dmp

Filesize
1024KB

Download
memory/5072-63-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5072-62-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5084-8-0x0000000062E80000-0x000000006311F000-memory.dmp

Filesize
2.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads