bitrat | 5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b

Analysis

max time kernel
150s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2023 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a47434b53be19aa80e4529da0ac4e528.exe
Size

4.9MB
MD5

a47434b53be19aa80e4529da0ac4e528
SHA1

e2535e69d067f6557f2c83bd05dc47289c61b0d8
SHA256

5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b
SHA512

f0251d15e29042d432c141f6df43ff267cd3c912a48afe6f83ed1d5588078191eb98763608f2d89b92cb33ec54db16d42bba03a83c329b4cab84615059f28d65
SSDEEP

98304:lfROAm0ADHsXLIsFmL5vTWJdVzealPxaLnU4UUU3UUU:lfROAm0ADHsXLIBvMtUU4UUU3UUU

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

104.223.91.190:1234

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
Install path
install_file
Install name
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Drops startup file 1 IoCs

Processes:

a47434b53be19aa80e4529da0ac4e528.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Babryua.vbs	a47434b53be19aa80e4529da0ac4e528.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

a47434b53be19aa80e4529da0ac4e528.exe

pid process

4948 a47434b53be19aa80e4529da0ac4e528.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

a47434b53be19aa80e4529da0ac4e528.exe

description pid process target process

PID 4960 set thread context of 4948 4960 a47434b53be19aa80e4529da0ac4e528.exe a47434b53be19aa80e4529da0ac4e528.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

a47434b53be19aa80e4529da0ac4e528.exe

pid process

4960 a47434b53be19aa80e4529da0ac4e528.exe

pid	process
4948	a47434b53be19aa80e4529da0ac4e528.exe

description	pid	process	target process
PID 4960 set thread context of 4948	4960	a47434b53be19aa80e4529da0ac4e528.exe	a47434b53be19aa80e4529da0ac4e528.exe

pid	process
4960	a47434b53be19aa80e4529da0ac4e528.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a47434b53be19aa80e4529da0ac4e528.exea47434b53be19aa80e4529da0ac4e528.exe

description	pid	process
Token: SeDebugPrivilege	4960	a47434b53be19aa80e4529da0ac4e528.exe
Token: SeShutdownPrivilege	4948	a47434b53be19aa80e4529da0ac4e528.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

a47434b53be19aa80e4529da0ac4e528.exe

description	pid	process	target process
PID 4960 wrote to memory of 4948	4960	a47434b53be19aa80e4529da0ac4e528.exe	a47434b53be19aa80e4529da0ac4e528.exe
PID 4960 wrote to memory of 4948	4960	a47434b53be19aa80e4529da0ac4e528.exe	a47434b53be19aa80e4529da0ac4e528.exe
PID 4960 wrote to memory of 4948	4960	a47434b53be19aa80e4529da0ac4e528.exe	a47434b53be19aa80e4529da0ac4e528.exe
PID 4960 wrote to memory of 4948	4960	a47434b53be19aa80e4529da0ac4e528.exe	a47434b53be19aa80e4529da0ac4e528.exe
PID 4960 wrote to memory of 4948	4960	a47434b53be19aa80e4529da0ac4e528.exe	a47434b53be19aa80e4529da0ac4e528.exe
PID 4960 wrote to memory of 4948	4960	a47434b53be19aa80e4529da0ac4e528.exe	a47434b53be19aa80e4529da0ac4e528.exe
PID 4960 wrote to memory of 4948	4960	a47434b53be19aa80e4529da0ac4e528.exe	a47434b53be19aa80e4529da0ac4e528.exe
PID 4960 wrote to memory of 4948	4960	a47434b53be19aa80e4529da0ac4e528.exe	a47434b53be19aa80e4529da0ac4e528.exe
PID 4960 wrote to memory of 4948	4960	a47434b53be19aa80e4529da0ac4e528.exe	a47434b53be19aa80e4529da0ac4e528.exe
PID 4960 wrote to memory of 4948	4960	a47434b53be19aa80e4529da0ac4e528.exe	a47434b53be19aa80e4529da0ac4e528.exe
PID 4960 wrote to memory of 4948	4960	a47434b53be19aa80e4529da0ac4e528.exe	a47434b53be19aa80e4529da0ac4e528.exe

C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe
"C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4960

C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe
C:\Users\Admin\AppData\Local\Temp\a47434b53be19aa80e4529da0ac4e528.exe purecrypter.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4948-1188-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4960-166-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-1181-0x0000000007A60000-0x0000000008004000-memory.dmp

Filesize
5.6MB

Download
memory/4960-136-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-138-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-140-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-142-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-144-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-146-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-168-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-150-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-152-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-154-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-156-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-158-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-160-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-162-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-164-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-133-0x0000000000C60000-0x0000000001142000-memory.dmp

Filesize
4.9MB

Download
memory/4960-148-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-135-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-182-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-174-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-176-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-178-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-180-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-172-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-184-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-186-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-188-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-190-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-192-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-194-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-196-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-198-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-471-0x0000000005CF0000-0x0000000005D00000-memory.dmp

Filesize
64KB

Download
memory/4960-1180-0x0000000005BB0000-0x0000000005BB1000-memory.dmp

Filesize
4KB

Download
memory/4960-170-0x0000000005D00000-0x0000000005F7A000-memory.dmp

Filesize
2.5MB

Download
memory/4960-134-0x0000000005CF0000-0x0000000005D00000-memory.dmp

Filesize
64KB

Download