bitrat | d0c42bf9edad21b80063db0a7fe9a3d1486c72551fc04b622e44529e5610fa1f

General

Target

BHThisAccountManger2.exe
Size

6.2MB
MD5

c2eb25d76d29c98f90d8c61004149a0c
SHA1

2c576db59c1c7e13d3572b9c9857bda4bcbe4fe1
SHA256

d0c42bf9edad21b80063db0a7fe9a3d1486c72551fc04b622e44529e5610fa1f
SHA512

d5493612fce6ba1d7d9ad79cd301d165686b7ca8f105407d094ad8528c1a9d76ba7ac8fc51d462fdbe6bae8a1f5354a96aad47ea1863e3d575ed985f60b04ade
SSDEEP

98304:cJ/yV00WA5L+wvgG7Wwpa1ugWYB5ADouSY4oLWL/6IkV0qBh6WVs3fER3ckWQP8B:QqV00WAcvwpCB4DBMuIQ08h6AfWoBk

Score

10^/10

bitrat persistence trojan vmprotect

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

rornfl12.duckdns.org:3072

Attributes

communication_password
be767243ca8f574c740fb4c26cc6dceb
install_dir
chrome
install_file
chome.exe
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Executes dropped EXE 1 IoCs

pid	Process
2836	ACCOUN~1.EXE

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x00050000000130e5-8.dat	vmprotect
behavioral1/files/0x00050000000130e5-6.dat	vmprotect
behavioral1/files/0x00050000000130e5-9.dat	vmprotect
behavioral1/memory/2836-10-0x0000000000400000-0x00000000010CD000-memory.dmp	vmprotect
behavioral1/memory/2836-15-0x0000000000400000-0x00000000010CD000-memory.dmp	vmprotect
behavioral1/memory/2836-29-0x0000000000400000-0x00000000010CD000-memory.dmp	vmprotect
behavioral1/memory/2836-30-0x0000000000400000-0x00000000010CD000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	BHThisAccountManger2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\chome = "C:\\Users\\Admin\\AppData\\Local\\chrome\\chome.exe"	ACCOUN~1.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2836	ACCOUN~1.EXE
2836	ACCOUN~1.EXE
2836	ACCOUN~1.EXE
2836	ACCOUN~1.EXE
2836	ACCOUN~1.EXE
2836	ACCOUN~1.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2836	ACCOUN~1.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	ACCOUN~1.EXE
Token: SeShutdownPrivilege	2836	ACCOUN~1.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2836	ACCOUN~1.EXE
2836	ACCOUN~1.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2836	1732	BHThisAccountManger2.exe	28
PID 1732 wrote to memory of 2836	1732	BHThisAccountManger2.exe	28
PID 1732 wrote to memory of 2836	1732	BHThisAccountManger2.exe	28
PID 1732 wrote to memory of 2836	1732	BHThisAccountManger2.exe	28

C:\Users\Admin\AppData\Local\Temp\BHThisAccountManger2.exe
"C:\Users\Admin\AppData\Local\Temp\BHThisAccountManger2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ACCOUN~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ACCOUN~1.EXE
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ACCOUN~1.EXE

Filesize
6.2MB

MD5
0606141f3fad15f21ebf58bcd5c49f75

SHA1
098454df527c1315e80808328dc464286fa90859

SHA256
76f0851190aea6cb9add8591a662322bd88f742d85f62bcf54050fe5b380eed6

SHA512
1ddcedc9e695b29dc44a0799263c8c50d6c14adae9e0968a501ae25b387c3f4c1b9aed29380800a3c6cd734da0ac71d5d8151f51172ce133e7caa1ce0541df92

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ACCOUN~1.EXE

Filesize
6.2MB

MD5
0606141f3fad15f21ebf58bcd5c49f75

SHA1
098454df527c1315e80808328dc464286fa90859

SHA256
76f0851190aea6cb9add8591a662322bd88f742d85f62bcf54050fe5b380eed6

SHA512
1ddcedc9e695b29dc44a0799263c8c50d6c14adae9e0968a501ae25b387c3f4c1b9aed29380800a3c6cd734da0ac71d5d8151f51172ce133e7caa1ce0541df92

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ACCOUN~1.EXE

Filesize
6.2MB

MD5
0606141f3fad15f21ebf58bcd5c49f75

SHA1
098454df527c1315e80808328dc464286fa90859

SHA256
76f0851190aea6cb9add8591a662322bd88f742d85f62bcf54050fe5b380eed6

SHA512
1ddcedc9e695b29dc44a0799263c8c50d6c14adae9e0968a501ae25b387c3f4c1b9aed29380800a3c6cd734da0ac71d5d8151f51172ce133e7caa1ce0541df92

Download Submit
memory/2836-17-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2836-15-0x0000000000400000-0x00000000010CD000-memory.dmp

Filesize
12.8MB

Download
memory/2836-13-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2836-19-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2836-18-0x0000000077DB0000-0x0000000077DB1000-memory.dmp

Filesize
4KB

Download
memory/2836-11-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2836-21-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2836-10-0x0000000000400000-0x00000000010CD000-memory.dmp

Filesize
12.8MB

Download
memory/2836-23-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2836-27-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/2836-28-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/2836-29-0x0000000000400000-0x00000000010CD000-memory.dmp

Filesize
12.8MB

Download
memory/2836-30-0x0000000000400000-0x00000000010CD000-memory.dmp

Filesize
12.8MB

Download
memory/2836-31-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/2836-32-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads