bitrat | 2d4c73a07bc7f749b009ca30d6527ad8c25b6a6c107df5aef95ec311b5016cdb

General

Target

2d4c73a07bc7f749b009ca30d6527ad8c25b6a6c107df5aef95ec311b5016cdb.exe
Size

2.9MB
MD5

5b374f9893598fb7323a6fcc8a773418
SHA1

6fc6e18654fe76c2f057905ead38eadee0510e14
SHA256

2d4c73a07bc7f749b009ca30d6527ad8c25b6a6c107df5aef95ec311b5016cdb
SHA512

565970252145bc7f7ce692a5df60f83671c2ee7579d4779f95f8b2abca7c5764f9734fd1a2a898204e6f1d77361554da78162567e47bfed81ec83877a92b4d6e
SSDEEP

49152:kypQPq91dnWo21VjJVnDZo23Y2cj2/A4BD9DpTGqEme2CdXPckRBSBjTF:kybnWo2LjPDZB3Ypj2/AsrhE728XKF

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.34

C2

gordon6.hopto.org:1515

Attributes

communication_password
827ccb0eea8a706c4c34a16891f84e7b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2920-6-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2920-7-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2920-8-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2920-11-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2920-12-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2920-13-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2920-15-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2920-16-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2920-14-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2920-17-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2920-18-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2920-19-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2920-20-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2920-21-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2920-22-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2920-23-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2920-24-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2920-25-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2920-26-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

AddInProcess32.exe

pid process

2920 AddInProcess32.exe
2920 AddInProcess32.exe
2920 AddInProcess32.exe
2920 AddInProcess32.exe

pid	process
2920	AddInProcess32.exe
2920	AddInProcess32.exe
2920	AddInProcess32.exe
2920	AddInProcess32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2d4c73a07bc7f749b009ca30d6527ad8c25b6a6c107df5aef95ec311b5016cdb.exe

description	pid	process	target process
PID 2632 set thread context of 2920	2632	2d4c73a07bc7f749b009ca30d6527ad8c25b6a6c107df5aef95ec311b5016cdb.exe	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2d4c73a07bc7f749b009ca30d6527ad8c25b6a6c107df5aef95ec311b5016cdb.exeAddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	2632	2d4c73a07bc7f749b009ca30d6527ad8c25b6a6c107df5aef95ec311b5016cdb.exe
Token: SeDebugPrivilege	2920	AddInProcess32.exe
Token: SeShutdownPrivilege	2920	AddInProcess32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AddInProcess32.exe

pid process

2920 AddInProcess32.exe
2920 AddInProcess32.exe

pid	process
2920	AddInProcess32.exe
2920	AddInProcess32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2d4c73a07bc7f749b009ca30d6527ad8c25b6a6c107df5aef95ec311b5016cdb.exe

description	pid	process	target process
PID 2632 wrote to memory of 2920	2632	2d4c73a07bc7f749b009ca30d6527ad8c25b6a6c107df5aef95ec311b5016cdb.exe	AddInProcess32.exe
PID 2632 wrote to memory of 2920	2632	2d4c73a07bc7f749b009ca30d6527ad8c25b6a6c107df5aef95ec311b5016cdb.exe	AddInProcess32.exe
PID 2632 wrote to memory of 2920	2632	2d4c73a07bc7f749b009ca30d6527ad8c25b6a6c107df5aef95ec311b5016cdb.exe	AddInProcess32.exe
PID 2632 wrote to memory of 2920	2632	2d4c73a07bc7f749b009ca30d6527ad8c25b6a6c107df5aef95ec311b5016cdb.exe	AddInProcess32.exe
PID 2632 wrote to memory of 2920	2632	2d4c73a07bc7f749b009ca30d6527ad8c25b6a6c107df5aef95ec311b5016cdb.exe	AddInProcess32.exe
PID 2632 wrote to memory of 2920	2632	2d4c73a07bc7f749b009ca30d6527ad8c25b6a6c107df5aef95ec311b5016cdb.exe	AddInProcess32.exe
PID 2632 wrote to memory of 2920	2632	2d4c73a07bc7f749b009ca30d6527ad8c25b6a6c107df5aef95ec311b5016cdb.exe	AddInProcess32.exe
PID 2632 wrote to memory of 2920	2632	2d4c73a07bc7f749b009ca30d6527ad8c25b6a6c107df5aef95ec311b5016cdb.exe	AddInProcess32.exe
PID 2632 wrote to memory of 2920	2632	2d4c73a07bc7f749b009ca30d6527ad8c25b6a6c107df5aef95ec311b5016cdb.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\2d4c73a07bc7f749b009ca30d6527ad8c25b6a6c107df5aef95ec311b5016cdb.exe
"C:\Users\Admin\AppData\Local\Temp\2d4c73a07bc7f749b009ca30d6527ad8c25b6a6c107df5aef95ec311b5016cdb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2632-9-0x0000000074530000-0x0000000074C1E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-1-0x0000000074530000-0x0000000074C1E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-2-0x0000000004F60000-0x0000000004FA0000-memory.dmp

Filesize
256KB

Download
memory/2632-3-0x0000000074530000-0x0000000074C1E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-4-0x0000000004F60000-0x0000000004FA0000-memory.dmp

Filesize
256KB

Download
memory/2632-5-0x0000000000A60000-0x0000000000A78000-memory.dmp

Filesize
96KB

Download
memory/2632-0-0x00000000013A0000-0x000000000168A000-memory.dmp

Filesize
2.9MB

Download
memory/2920-13-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2920-17-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2920-7-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2920-11-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2920-12-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2920-6-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2920-15-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2920-16-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2920-14-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2920-8-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2920-18-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2920-19-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2920-20-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2920-21-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2920-22-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2920-23-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2920-24-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2920-25-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2920-26-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads