bitrat | f3126ddd86d1e048db68f22cb1de5de871282bbd5764c4c77867042c8f1aab93

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2023 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lz.exe
Size

388KB
MD5

4ff84ca1c02088f313c97694244cb2a4
SHA1

d2ffff7d201ac6236d3d091047f498c11bae00d6
SHA256

f3126ddd86d1e048db68f22cb1de5de871282bbd5764c4c77867042c8f1aab93
SHA512

0ab79b098be51c4035871e1b85bb815954a0c936fb9bc5bc598ac824e1c4e45d5f6b56f4f3e4a063c82a91ab30cb953018abc9161e3b2cfdf785d97d6a09d00b
SSDEEP

12288:tCspLdeVEn/oEehNiNsF9hS2Oga+nqgU+1kkqabCtXSXNcqye9cBz:tCULoVEn/oEsA/2OgVqgU+1kkqabCtXB

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

rornfl12.duckdns.org:3072

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
chrome
install_file
updater
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MSBuild.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "C:\\Users\\Admin\\AppData\\Local\\chrome\\updater"	MSBuild.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "C:\\Users\\Admin\\AppData\\Local\\chrome\\updaterЀ"	MSBuild.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

MSBuild.exe

pid process

1124 MSBuild.exe
1124 MSBuild.exe
1124 MSBuild.exe
1124 MSBuild.exe
1124 MSBuild.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

lz.exe

description pid process target process

PID 2188 set thread context of 1124 2188 lz.exe MSBuild.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

lz.exeMSBuild.exe

description pid process

Token: SeDebugPrivilege 2188 lz.exe
Token: SeShutdownPrivilege 1124 MSBuild.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

MSBuild.exe

pid process

1124 MSBuild.exe
1124 MSBuild.exe

pid	process
1124	MSBuild.exe
1124	MSBuild.exe
1124	MSBuild.exe
1124	MSBuild.exe
1124	MSBuild.exe

description	pid	process	target process
PID 2188 set thread context of 1124	2188	lz.exe	MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	2188	lz.exe
Token: SeShutdownPrivilege	1124	MSBuild.exe

pid	process
1124	MSBuild.exe
1124	MSBuild.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

lz.exe

description	pid	process	target process
PID 2188 wrote to memory of 1124	2188	lz.exe	MSBuild.exe
PID 2188 wrote to memory of 1124	2188	lz.exe	MSBuild.exe
PID 2188 wrote to memory of 1124	2188	lz.exe	MSBuild.exe
PID 2188 wrote to memory of 1124	2188	lz.exe	MSBuild.exe
PID 2188 wrote to memory of 1124	2188	lz.exe	MSBuild.exe
PID 2188 wrote to memory of 1124	2188	lz.exe	MSBuild.exe
PID 2188 wrote to memory of 1124	2188	lz.exe	MSBuild.exe
PID 2188 wrote to memory of 1124	2188	lz.exe	MSBuild.exe
PID 2188 wrote to memory of 1124	2188	lz.exe	MSBuild.exe
PID 2188 wrote to memory of 1124	2188	lz.exe	MSBuild.exe
PID 2188 wrote to memory of 1124	2188	lz.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\lz.exe
"C:\Users\Admin\AppData\Local\Temp\lz.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
2⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1124-1090-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-1138-0x0000000074230000-0x0000000074269000-memory.dmp

Filesize
228KB

Download
memory/1124-1137-0x0000000074570000-0x00000000745A9000-memory.dmp

Filesize
228KB

Download
memory/1124-1106-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-1100-0x0000000074230000-0x0000000074269000-memory.dmp

Filesize
228KB

Download
memory/1124-1092-0x0000000074570000-0x00000000745A9000-memory.dmp

Filesize
228KB

Download
memory/2188-39-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-45-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-8-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-9-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-11-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-13-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-15-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-17-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-19-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-21-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-23-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-25-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-27-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-29-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-31-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-33-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-35-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-37-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-0-0x00000000001E0000-0x0000000000248000-memory.dmp

Filesize
416KB

Download
memory/2188-41-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-43-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-7-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/2188-47-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-49-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-51-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-53-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-55-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-57-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-59-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-61-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-63-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-65-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-67-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-69-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-71-0x0000000008B20000-0x0000000008D95000-memory.dmp

Filesize
2.5MB

Download
memory/2188-1084-0x00000000061D0000-0x00000000061D1000-memory.dmp

Filesize
4KB

Download
memory/2188-1089-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2188-6-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2188-5-0x0000000004C50000-0x0000000004C5A000-memory.dmp

Filesize
40KB

Download
memory/2188-4-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/2188-3-0x0000000004C90000-0x0000000004D22000-memory.dmp

Filesize
584KB

Download
memory/2188-2-0x00000000051A0000-0x0000000005744000-memory.dmp

Filesize
5.6MB

Download
memory/2188-1-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download