bitrat | e6ecd1d1d0c509224766768df9ef234bbcedd51d66288fd36ba4d55093f8d030

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2023 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe
Size

4.9MB
MD5

a47434b53be19aa80e4529da0ac4e528
SHA1

e2535e69d067f6557f2c83bd05dc47289c61b0d8
SHA256

5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b
SHA512

f0251d15e29042d432c141f6df43ff267cd3c912a48afe6f83ed1d5588078191eb98763608f2d89b92cb33ec54db16d42bba03a83c329b4cab84615059f28d65
SSDEEP

98304:lfROAm0ADHsXLIsFmL5vTWJdVzealPxaLnU4UUU3UUU:lfROAm0ADHsXLIBvMtUU4UUU3UUU

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

104.223.91.190:1234

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
Install path
install_file
Install name
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Drops startup file 1 IoCs

Processes:

5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Babryua.vbs	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Install name = "C:\\Users\\Admin\\AppData\\Local\\Install path\\Install name"	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe

pid	process
5032	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe
5032	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe
5032	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe
5032	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe
5032	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe

description	pid	process	target process
PID 812 set thread context of 5032	812	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe

pid process

812 5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe

pid	process
812	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe

Suspicious behavior: RenamesItself 2 IoCs

Processes:

5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe

pid	process
5032	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe
5032	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe

description	pid	process
Token: SeDebugPrivilege	812	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe
Token: SeShutdownPrivilege	5032	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe

pid	process
5032	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe
5032	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe

description	pid	process	target process
PID 812 wrote to memory of 5032	812	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe
PID 812 wrote to memory of 5032	812	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe
PID 812 wrote to memory of 5032	812	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe
PID 812 wrote to memory of 5032	812	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe
PID 812 wrote to memory of 5032	812	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe
PID 812 wrote to memory of 5032	812	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe
PID 812 wrote to memory of 5032	812	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe
PID 812 wrote to memory of 5032	812	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe
PID 812 wrote to memory of 5032	812	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe
PID 812 wrote to memory of 5032	812	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe
PID 812 wrote to memory of 5032	812	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe	5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe

C:\Users\Admin\AppData\Local\Temp\5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe
"C:\Users\Admin\AppData\Local\Temp\5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

C:\Users\Admin\AppData\Local\Temp\5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe
C:\Users\Admin\AppData\Local\Temp\5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b.exe purecrypter.exe
2⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/812-133-0x0000000000570000-0x0000000000A52000-memory.dmp

Filesize
4.9MB

Download
memory/812-134-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-135-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-137-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-139-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-143-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/812-141-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-144-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-146-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-148-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-150-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-152-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-154-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-156-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-158-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-160-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-162-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-164-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-166-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-168-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-170-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-172-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-174-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-176-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-178-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-180-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-182-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-184-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-186-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-188-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-190-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-192-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-194-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-196-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-198-0x00000000054E0000-0x000000000575A000-memory.dmp

Filesize
2.5MB

Download
memory/812-672-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/812-1180-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/812-1181-0x0000000007380000-0x0000000007924000-memory.dmp

Filesize
5.6MB

Download
memory/5032-1188-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/5032-1192-0x0000000075200000-0x0000000075239000-memory.dmp

Filesize
228KB

Download
memory/5032-1201-0x0000000074EC0000-0x0000000074EF9000-memory.dmp

Filesize
228KB

Download