bitrat | 824bfb1adf72681cee3da426dee064d9cdf8b4062941bc7232957b6055709b22

General

Target

6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
Size

8.1MB
MD5

ef194a3933b45e376e35ba7c4b14bf49
SHA1

0830bceebac97ee4ecf909e22189c858865a553f
SHA256

6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d
SHA512

c0777e7ea276d983a72cdc6286b22e8267b1f2fe7baf3aaf47e63400bca1ba2ce88d2a59fe1d8bce001c3accdcfcd04f5e4552c3a659206d9e1493c45a71d3fd
SSDEEP

98304:voRRzohHPzOY8MqNY5rONLPW75h1Zfvcls5+wMLi7VjtY2xhSzmUOlWg7t:vCRctM0yNDWL1FvclsGWhD9UOJp

Score

10^/10

bitrat evasion persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

rxbwrzmdaw27pt7lrrhophwwlcyuqkw3n2dhpr5gu5bjh3ut2ot2mwid.onion:80

Attributes

communication_password
5ffc3746012bb1139c6bf49107694c1a
tor_process
Smartscreens

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

464 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

564 cmd.exe

pid	process
464	svchost.exe

pid	process
564	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 464 set thread context of 1092 464 svchost.exe SetupUtility.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1816 1092 WerFault.exe SetupUtility.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

568 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

560 timeout.exe

description	pid	process	target process
PID 464 set thread context of 1092	464	svchost.exe	SetupUtility.exe

pid	pid_target	process	target process
1816	1092	WerFault.exe	SetupUtility.exe

pid	process
568	schtasks.exe

pid	process
560	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exepowershell.exesvchost.exe

pid	process
1220	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
1100	powershell.exe
464	svchost.exe
464	svchost.exe
464	svchost.exe
464	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

svchost.exe

pid process

464 svchost.exe

pid	process
464	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exesvchost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1220	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
Token: SeDebugPrivilege	464	svchost.exe
Token: SeDebugPrivilege	464	svchost.exe
Token: SeLoadDriverPrivilege	464	svchost.exe
Token: SeDebugPrivilege	1100	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.execmd.execmd.exesvchost.exeSetupUtility.exe

description	pid	process	target process
PID 1220 wrote to memory of 2020	1220	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe	cmd.exe
PID 1220 wrote to memory of 2020	1220	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe	cmd.exe
PID 1220 wrote to memory of 2020	1220	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe	cmd.exe
PID 1220 wrote to memory of 564	1220	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe	cmd.exe
PID 1220 wrote to memory of 564	1220	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe	cmd.exe
PID 1220 wrote to memory of 564	1220	6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe	cmd.exe
PID 564 wrote to memory of 560	564	cmd.exe	timeout.exe
PID 564 wrote to memory of 560	564	cmd.exe	timeout.exe
PID 564 wrote to memory of 560	564	cmd.exe	timeout.exe
PID 2020 wrote to memory of 568	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 568	2020	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 568	2020	cmd.exe	schtasks.exe
PID 564 wrote to memory of 464	564	cmd.exe	svchost.exe
PID 564 wrote to memory of 464	564	cmd.exe	svchost.exe
PID 564 wrote to memory of 464	564	cmd.exe	svchost.exe
PID 464 wrote to memory of 1100	464	svchost.exe	powershell.exe
PID 464 wrote to memory of 1100	464	svchost.exe	powershell.exe
PID 464 wrote to memory of 1100	464	svchost.exe	powershell.exe
PID 464 wrote to memory of 1652	464	svchost.exe	DataSvcUtil.exe
PID 464 wrote to memory of 1652	464	svchost.exe	DataSvcUtil.exe
PID 464 wrote to memory of 1652	464	svchost.exe	DataSvcUtil.exe
PID 464 wrote to memory of 1084	464	svchost.exe	aspnet_regbrowsers.exe
PID 464 wrote to memory of 1084	464	svchost.exe	aspnet_regbrowsers.exe
PID 464 wrote to memory of 1084	464	svchost.exe	aspnet_regbrowsers.exe
PID 464 wrote to memory of 1092	464	svchost.exe	SetupUtility.exe
PID 464 wrote to memory of 1092	464	svchost.exe	SetupUtility.exe
PID 464 wrote to memory of 1092	464	svchost.exe	SetupUtility.exe
PID 464 wrote to memory of 1092	464	svchost.exe	SetupUtility.exe
PID 464 wrote to memory of 1092	464	svchost.exe	SetupUtility.exe
PID 464 wrote to memory of 1092	464	svchost.exe	SetupUtility.exe
PID 464 wrote to memory of 1092	464	svchost.exe	SetupUtility.exe
PID 464 wrote to memory of 1092	464	svchost.exe	SetupUtility.exe
PID 464 wrote to memory of 1092	464	svchost.exe	SetupUtility.exe
PID 464 wrote to memory of 1092	464	svchost.exe	SetupUtility.exe
PID 464 wrote to memory of 1092	464	svchost.exe	SetupUtility.exe
PID 464 wrote to memory of 1092	464	svchost.exe	SetupUtility.exe
PID 464 wrote to memory of 1092	464	svchost.exe	SetupUtility.exe
PID 464 wrote to memory of 1092	464	svchost.exe	SetupUtility.exe
PID 464 wrote to memory of 1092	464	svchost.exe	SetupUtility.exe
PID 464 wrote to memory of 1092	464	svchost.exe	SetupUtility.exe
PID 1092 wrote to memory of 1816	1092	SetupUtility.exe	WerFault.exe
PID 1092 wrote to memory of 1816	1092	SetupUtility.exe	WerFault.exe
PID 1092 wrote to memory of 1816	1092	SetupUtility.exe	WerFault.exe
PID 1092 wrote to memory of 1816	1092	SetupUtility.exe	WerFault.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

C:\Users\Admin\AppData\Local\Temp\6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe
"C:\Users\Admin\AppData\Local\Temp\6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
3⤵
- Creates scheduled task(s)
PID:568

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1259.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:560

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- UAC bypass
- Sets service image path in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
4⤵
PID:1652

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
4⤵
PID:1084

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 168
5⤵
- Program crash
PID:1816

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

2

T1060

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

4

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1259.tmp.bat
Filesize
151B

MD5
e894c0e5ebcd2efa4a735828bc91ad2e

SHA1
a7c49843c2f45bceb0d8d5d947943485c9c4c91a

SHA256
269929c768b80345ee1aad2f9f3596b0960904b9637014b089800171c5c96012

SHA512
3844d7063134bd97c142ef71a2dde15b31a2e8ea02d1d7eeb0fdc3435c77ee081d2f4704fa478ef995d1cd97bf23618bf10168848f6956641524a70796363a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1259.tmp.bat
Filesize
151B

MD5
e894c0e5ebcd2efa4a735828bc91ad2e

SHA1
a7c49843c2f45bceb0d8d5d947943485c9c4c91a

SHA256
269929c768b80345ee1aad2f9f3596b0960904b9637014b089800171c5c96012

SHA512
3844d7063134bd97c142ef71a2dde15b31a2e8ea02d1d7eeb0fdc3435c77ee081d2f4704fa478ef995d1cd97bf23618bf10168848f6956641524a70796363a33

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
8.1MB

MD5
ef194a3933b45e376e35ba7c4b14bf49

SHA1
0830bceebac97ee4ecf909e22189c858865a553f

SHA256
6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d

SHA512
c0777e7ea276d983a72cdc6286b22e8267b1f2fe7baf3aaf47e63400bca1ba2ce88d2a59fe1d8bce001c3accdcfcd04f5e4552c3a659206d9e1493c45a71d3fd

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
8.1MB

MD5
ef194a3933b45e376e35ba7c4b14bf49

SHA1
0830bceebac97ee4ecf909e22189c858865a553f

SHA256
6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d

SHA512
c0777e7ea276d983a72cdc6286b22e8267b1f2fe7baf3aaf47e63400bca1ba2ce88d2a59fe1d8bce001c3accdcfcd04f5e4552c3a659206d9e1493c45a71d3fd

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
8.1MB

MD5
ef194a3933b45e376e35ba7c4b14bf49

SHA1
0830bceebac97ee4ecf909e22189c858865a553f

SHA256
6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d

SHA512
c0777e7ea276d983a72cdc6286b22e8267b1f2fe7baf3aaf47e63400bca1ba2ce88d2a59fe1d8bce001c3accdcfcd04f5e4552c3a659206d9e1493c45a71d3fd

Download Submit
memory/464-68-0x0000000000A30000-0x0000000001242000-memory.dmp

Filesize
8.1MB

Download
memory/464-69-0x000000001C540000-0x000000001C5C0000-memory.dmp

Filesize
512KB

Download
memory/1092-80-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/1100-75-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/1100-76-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/1100-77-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/1100-79-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/1100-78-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/1100-81-0x0000000002A0B000-0x0000000002A42000-memory.dmp

Filesize
220KB

Download
memory/1220-54-0x0000000000F90000-0x00000000017A2000-memory.dmp

Filesize
8.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads