bitrat | 719548921d3a99d8bf31d9c2d543803c0c39a620a8386f8ac557b7ebe5d024d2

General

Target

FAVOR DE RECTIFICAR.scr.exe
Size

2.1MB
MD5

63e1c29b4c151caf92970fbaf8e0c2a7
SHA1

896386e7fd8d86ab3819598f4a549e61b919eee4
SHA256

719548921d3a99d8bf31d9c2d543803c0c39a620a8386f8ac557b7ebe5d024d2
SHA512

246d12288e1426b0aa0b53c69efa9fa80781ffdc4394b761ea35f4dae19618b20d7d80402d3edd5d258acbe69c6f8e4640d3d21ba460653383e1408d8d3d9a75
SSDEEP

49152:GCO1NlTK6quyJYbwyi0UZTdA71QxlJOJ56eJwzG6hCF98v7:GJATVdA7WtOOeiv7

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitratluckshinjisix130.freeddns.org:7011

Attributes

communication_password
71042e216840c2f1d480e868f387e8db
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Drops startup file 3 IoCs

Processes:

FAVOR DE RECTIFICAR.scr.exe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	FAVOR DE RECTIFICAR.scr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	FAVOR DE RECTIFICAR.scr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe	.exe

Executes dropped EXE 2 IoCs

Processes:

.exe.exe

pid process

1624 .exe
524 .exe
Loads dropped DLL 3 IoCs

Processes:

FAVOR DE RECTIFICAR.scr.exe.exe

pid process

1344 FAVOR DE RECTIFICAR.scr.exe
1344 FAVOR DE RECTIFICAR.scr.exe
1624 .exe

pid	process
1624	.exe
524	.exe

pid	process
1344	FAVOR DE RECTIFICAR.scr.exe
1344	FAVOR DE RECTIFICAR.scr.exe
1624	.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/524-71-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-73-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-76-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-77-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-75-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-78-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-79-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-80-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-82-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-83-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-84-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-85-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-86-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-87-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-88-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-89-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-93-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-94-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-95-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-102-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-105-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-110-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-115-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-118-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-123-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-126-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-131-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/524-134-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

.exe

pid process

524 .exe
524 .exe
524 .exe
524 .exe
524 .exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

.exe

description pid process target process

PID 1624 set thread context of 524 1624 .exe .exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

.exe

description pid process

Token: SeDebugPrivilege 524 .exe
Token: SeShutdownPrivilege 524 .exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

FAVOR DE RECTIFICAR.scr.exe.exe.exe

pid process

1344 FAVOR DE RECTIFICAR.scr.exe
1624 .exe
524 .exe
524 .exe

pid	process
524	.exe
524	.exe
524	.exe
524	.exe
524	.exe

description	pid	process	target process
PID 1624 set thread context of 524	1624	.exe	.exe

description	pid	process
Token: SeDebugPrivilege	524	.exe
Token: SeShutdownPrivilege	524	.exe

pid	process
1344	FAVOR DE RECTIFICAR.scr.exe
1624	.exe
524	.exe
524	.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

FAVOR DE RECTIFICAR.scr.exe.exe

description	pid	process	target process
PID 1344 wrote to memory of 1624	1344	FAVOR DE RECTIFICAR.scr.exe	.exe
PID 1344 wrote to memory of 1624	1344	FAVOR DE RECTIFICAR.scr.exe	.exe
PID 1344 wrote to memory of 1624	1344	FAVOR DE RECTIFICAR.scr.exe	.exe
PID 1344 wrote to memory of 1624	1344	FAVOR DE RECTIFICAR.scr.exe	.exe
PID 1624 wrote to memory of 524	1624	.exe	.exe
PID 1624 wrote to memory of 524	1624	.exe	.exe
PID 1624 wrote to memory of 524	1624	.exe	.exe
PID 1624 wrote to memory of 524	1624	.exe	.exe
PID 1624 wrote to memory of 524	1624	.exe	.exe
PID 1624 wrote to memory of 524	1624	.exe	.exe
PID 1624 wrote to memory of 524	1624	.exe	.exe
PID 1624 wrote to memory of 524	1624	.exe	.exe

C:\Users\Admin\AppData\Local\Temp\FAVOR DE RECTIFICAR.scr.exe
"C:\Users\Admin\AppData\Local\Temp\FAVOR DE RECTIFICAR.scr.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
Filesize
2.1MB

MD5
63e1c29b4c151caf92970fbaf8e0c2a7

SHA1
896386e7fd8d86ab3819598f4a549e61b919eee4

SHA256
719548921d3a99d8bf31d9c2d543803c0c39a620a8386f8ac557b7ebe5d024d2

SHA512
246d12288e1426b0aa0b53c69efa9fa80781ffdc4394b761ea35f4dae19618b20d7d80402d3edd5d258acbe69c6f8e4640d3d21ba460653383e1408d8d3d9a75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
Filesize
2.1MB

MD5
63e1c29b4c151caf92970fbaf8e0c2a7

SHA1
896386e7fd8d86ab3819598f4a549e61b919eee4

SHA256
719548921d3a99d8bf31d9c2d543803c0c39a620a8386f8ac557b7ebe5d024d2

SHA512
246d12288e1426b0aa0b53c69efa9fa80781ffdc4394b761ea35f4dae19618b20d7d80402d3edd5d258acbe69c6f8e4640d3d21ba460653383e1408d8d3d9a75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
Filesize
2.1MB

MD5
63e1c29b4c151caf92970fbaf8e0c2a7

SHA1
896386e7fd8d86ab3819598f4a549e61b919eee4

SHA256
719548921d3a99d8bf31d9c2d543803c0c39a620a8386f8ac557b7ebe5d024d2

SHA512
246d12288e1426b0aa0b53c69efa9fa80781ffdc4394b761ea35f4dae19618b20d7d80402d3edd5d258acbe69c6f8e4640d3d21ba460653383e1408d8d3d9a75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
Filesize
2.1MB

MD5
63e1c29b4c151caf92970fbaf8e0c2a7

SHA1
896386e7fd8d86ab3819598f4a549e61b919eee4

SHA256
719548921d3a99d8bf31d9c2d543803c0c39a620a8386f8ac557b7ebe5d024d2

SHA512
246d12288e1426b0aa0b53c69efa9fa80781ffdc4394b761ea35f4dae19618b20d7d80402d3edd5d258acbe69c6f8e4640d3d21ba460653383e1408d8d3d9a75

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
Filesize
2.1MB

MD5
63e1c29b4c151caf92970fbaf8e0c2a7

SHA1
896386e7fd8d86ab3819598f4a549e61b919eee4

SHA256
719548921d3a99d8bf31d9c2d543803c0c39a620a8386f8ac557b7ebe5d024d2

SHA512
246d12288e1426b0aa0b53c69efa9fa80781ffdc4394b761ea35f4dae19618b20d7d80402d3edd5d258acbe69c6f8e4640d3d21ba460653383e1408d8d3d9a75

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
Filesize
2.1MB

MD5
63e1c29b4c151caf92970fbaf8e0c2a7

SHA1
896386e7fd8d86ab3819598f4a549e61b919eee4

SHA256
719548921d3a99d8bf31d9c2d543803c0c39a620a8386f8ac557b7ebe5d024d2

SHA512
246d12288e1426b0aa0b53c69efa9fa80781ffdc4394b761ea35f4dae19618b20d7d80402d3edd5d258acbe69c6f8e4640d3d21ba460653383e1408d8d3d9a75

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
Filesize
2.1MB

MD5
63e1c29b4c151caf92970fbaf8e0c2a7

SHA1
896386e7fd8d86ab3819598f4a549e61b919eee4

SHA256
719548921d3a99d8bf31d9c2d543803c0c39a620a8386f8ac557b7ebe5d024d2

SHA512
246d12288e1426b0aa0b53c69efa9fa80781ffdc4394b761ea35f4dae19618b20d7d80402d3edd5d258acbe69c6f8e4640d3d21ba460653383e1408d8d3d9a75

Download Submit
memory/524-84-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-88-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/524-73-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-71-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-76-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-77-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-75-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-78-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-79-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-80-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-82-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-83-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-69-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-85-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-86-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-87-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-89-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-90-0x00000000001D0000-0x00000000001DA000-memory.dmp

Filesize
40KB

Download
memory/524-91-0x00000000001D0000-0x00000000001DA000-memory.dmp

Filesize
40KB

Download
memory/524-93-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-94-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-95-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-100-0x00000000001D0000-0x00000000001DA000-memory.dmp

Filesize
40KB

Download
memory/524-101-0x00000000001D0000-0x00000000001DA000-memory.dmp

Filesize
40KB

Download
memory/524-102-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-105-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-110-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-115-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-118-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-123-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-126-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-131-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/524-134-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads