bitrat | 54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711

General

Target

54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe
Size

967KB
MD5

29e932d3d12d1811d99691acb7f228bc
SHA1

4c67dd3dbb393ba68e602ed43223001bb88d94e4
SHA256

54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711
SHA512

39d2e21c86b5fd3bac702837f7c95ffe6a0119f9647998e0496a14a6c1f0f81f65fc331977ea16bc4a041d000d80942aa374538c9f9016e6e59f9eac01cdf98f
SSDEEP

24576:BqDEvCTbMWu7rQYlBQcBiT6rprG8aNrpmD:BTvC/MTQYxsWR7aNo

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

xwm.dynuddns.com:8889

Attributes

communication_password
cba52b50d9cf77a308a6bedcd075f95e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Blocklisted process makes network request 3 IoCs

Processes:

cmd.exe

flow pid process

46 2120 cmd.exe
48 2120 cmd.exe
53 2120 cmd.exe

flow	pid	process
46	2120	cmd.exe
48	2120	cmd.exe
53	2120	cmd.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2120-21-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2120-22-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2120-23-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2120-24-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2120-25-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3312-31-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2120-33-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1352-37-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2120-39-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2120-40-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2120-41-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2120-42-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2120-44-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2120-45-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2120-47-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3312-51-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3312-53-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1352-54-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2120-56-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1352-55-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1760-58-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1760-60-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2120-61-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2120-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2120-64-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2120-65-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

cmd.execmd.execmd.execmd.exe

pid process

2120 cmd.exe
2120 cmd.exe
2120 cmd.exe
2120 cmd.exe
3312 cmd.exe
1352 cmd.exe
1760 cmd.exe

pid	process
2120	cmd.exe
2120	cmd.exe
2120	cmd.exe
2120	cmd.exe
3312	cmd.exe
1352	cmd.exe
1760	cmd.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe

description	pid	process	target process
PID 5056 set thread context of 2120	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 set thread context of 1100	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 set thread context of 3312	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 set thread context of 1352	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 set thread context of 1760	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2396 1100 WerFault.exe cmd.exe

pid	pid_target	process	target process
2396	1100	WerFault.exe	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

cmd.execmd.execmd.execmd.exe

description	pid	process
Token: SeShutdownPrivilege	2120	cmd.exe
Token: SeShutdownPrivilege	3312	cmd.exe
Token: SeShutdownPrivilege	1352	cmd.exe
Token: SeShutdownPrivilege	1760	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cmd.exe

pid process

2120 cmd.exe
2120 cmd.exe

pid	process
2120	cmd.exe
2120	cmd.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe

description	pid	process	target process
PID 5056 wrote to memory of 2120	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 2120	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 2120	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 2120	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 2120	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 2120	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 2120	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 2120	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 1100	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 1100	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 1100	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 1100	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 3312	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 3312	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 3312	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 3312	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 3312	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 3312	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 3312	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 3312	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 1352	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 1352	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 1352	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 1352	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 1352	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 1352	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 1352	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 1352	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 1760	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 1760	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 1760	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 1760	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 1760	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 1760	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 1760	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe
PID 5056 wrote to memory of 1760	5056	54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe
"C:\Users\Admin\AppData\Local\Temp\54375a390c52d783d96492938d05920567a0232c2c22436161e83f21745b7711_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 80
3⤵
- Program crash
PID:2396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1100 -ip 1100
1⤵
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1352-37-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1352-55-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1352-57-0x0000000074C60000-0x0000000074C99000-memory.dmp

Filesize
228KB

Download
memory/1352-54-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1760-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1760-59-0x0000000074C60000-0x0000000074C99000-memory.dmp

Filesize
228KB

Download
memory/1760-58-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2120-38-0x00000000733F0000-0x0000000073429000-memory.dmp

Filesize
228KB

Download
memory/2120-33-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2120-39-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2120-40-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2120-41-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2120-42-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2120-44-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2120-45-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2120-47-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2120-50-0x0000000073310000-0x0000000073349000-memory.dmp

Filesize
228KB

Download
memory/2120-66-0x0000000074C60000-0x0000000074C99000-memory.dmp

Filesize
228KB

Download
memory/2120-65-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2120-64-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2120-21-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2120-56-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2120-63-0x0000000074C60000-0x0000000074C99000-memory.dmp

Filesize
228KB

Download
memory/2120-25-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2120-24-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2120-23-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2120-22-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2120-61-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2120-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3312-31-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3312-53-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3312-52-0x0000000073310000-0x0000000073349000-memory.dmp

Filesize
228KB

Download
memory/3312-51-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads