bitrat | bdb39f248d0cd06c086b5e38a8120fa4feb9208a4236f32b23e601a4037be416

Resubmissions

21-08-2023 15:40

230821-s39vqadh37 10

11-08-2023 19:23

230811-x36khsac6w 10

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
11-08-2023 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Predictor V6.3/Predictor V6.3.9.exe
Size

658KB
MD5

ab63396cb0774ac41107b7b112f81d5a
SHA1

f5dc67429147e886b01413472496576a2ee34075
SHA256

9a43c57f3e98bd69789e8ccbeef2c1b6b5a3b1d06d63257bb4bd58dffa23689d
SHA512

2121961ae2b154ba941af6937d0522505ec7e323094fb2edc7058194ae958bcf866bbbc7842924236b8635917800d0708eaabff6112f131f496189bb6e021699
SSDEEP

12288:BKwp3N7HPqUeL31VI1kR8BgrsEofzwHJem7OzwHJe0IhfiZ:swp97HyUeLFVIuRCgrsEorwpemIwpels

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

185.157.162.126:443

Attributes

communication_password
a76d949640a165da25ccfe9a8fd82c8a
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

explorer.exe

pid process

2972 explorer.exe
2972 explorer.exe
2972 explorer.exe
2972 explorer.exe
2972 explorer.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Predictor V6.3.9.exe

description pid process target process

PID 2072 set thread context of 2012 2072 Predictor V6.3.9.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Predictor V6.3.9.execmd.exe

pid process

2072 Predictor V6.3.9.exe
2012 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Predictor V6.3.9.execmd.exe

pid process

2072 Predictor V6.3.9.exe
2012 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

explorer.exe

description pid process

Token: SeDebugPrivilege 2972 explorer.exe
Token: SeShutdownPrivilege 2972 explorer.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

explorer.exe

pid process

2972 explorer.exe
2972 explorer.exe

pid	process
2972	explorer.exe
2972	explorer.exe
2972	explorer.exe
2972	explorer.exe
2972	explorer.exe

description	pid	process	target process
PID 2072 set thread context of 2012	2072	Predictor V6.3.9.exe	cmd.exe

pid	process
2072	Predictor V6.3.9.exe
2012	cmd.exe

pid	process
2072	Predictor V6.3.9.exe
2012	cmd.exe

description	pid	process
Token: SeDebugPrivilege	2972	explorer.exe
Token: SeShutdownPrivilege	2972	explorer.exe

pid	process
2972	explorer.exe
2972	explorer.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Predictor V6.3.9.execmd.exe

description	pid	process	target process
PID 2072 wrote to memory of 2012	2072	Predictor V6.3.9.exe	cmd.exe
PID 2072 wrote to memory of 2012	2072	Predictor V6.3.9.exe	cmd.exe
PID 2072 wrote to memory of 2012	2072	Predictor V6.3.9.exe	cmd.exe
PID 2072 wrote to memory of 2012	2072	Predictor V6.3.9.exe	cmd.exe
PID 2072 wrote to memory of 2012	2072	Predictor V6.3.9.exe	cmd.exe
PID 2012 wrote to memory of 2972	2012	cmd.exe	explorer.exe
PID 2012 wrote to memory of 2972	2012	cmd.exe	explorer.exe
PID 2012 wrote to memory of 2972	2012	cmd.exe	explorer.exe
PID 2012 wrote to memory of 2972	2012	cmd.exe	explorer.exe
PID 2012 wrote to memory of 2972	2012	cmd.exe	explorer.exe
PID 2012 wrote to memory of 2972	2012	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\Predictor V6.3\Predictor V6.3.9.exe
"C:\Users\Admin\AppData\Local\Temp\Predictor V6.3\Predictor V6.3.9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\271b34c0

Filesize
4.2MB

MD5
2f395ea8f79aa25788704312e9d87ae3

SHA1
4b872a5be4050662623bc3ae4a385ca651ab4a4b

SHA256
67e07635e3743852ac6b7846c6dbbf9ddc0c65a8ff20fb756668357871198209

SHA512
d8fcac7acf2a6d7a0f532491b91a1146badcaa8a0e2ecc5197dc428257f3aa9708bdfce5683d2f213555a849c4d4759bbc4caf86db90a3a4dc320ef28a3c927e

Download Submit
memory/2012-56-0x0000000077140000-0x00000000772E9000-memory.dmp

Filesize
1.7MB

Download
memory/2072-53-0x000007FEF47E0000-0x000007FEF5E0C000-memory.dmp

Filesize
22.2MB

Download
memory/2972-107-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/2972-110-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/2972-105-0x0000000000870000-0x0000000000AF1000-memory.dmp

Filesize
2.5MB

Download
memory/2972-106-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2972-108-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/2972-102-0x0000000077140000-0x00000000772E9000-memory.dmp

Filesize
1.7MB

Download
memory/2972-109-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2972-103-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2972-111-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/2972-112-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2972-113-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2972-114-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2972-115-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2972-116-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2972-117-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2972-118-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download