bitrat | 5c362423456076e89659ae8ad2069d05a12ec769d27623fea060c4c7715e27ea

General

Target

PAIN-Forms.exe
Size

112KB
MD5

a9db678b7bad6d2bae54505759452dd9
SHA1

b0ab52df85ec1595f0a2d1f4e4d09552ea27505a
SHA256

5c362423456076e89659ae8ad2069d05a12ec769d27623fea060c4c7715e27ea
SHA512

641c8a32a821b557cb7050d4ccfa1dfd5f02d4e6d5ce88f1ce305e9887d17c40368829c89a8e7f64880acd368288ed55a1b0b363b0b0f8da833eae2bf4cb807a
SSDEEP

1536:I7saA2chvktTeipnA5+PYpaqjxqYbKZCrXgMeYA5+PeOQT:I620vkt5pnAwlexvbKZwtAwET

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

smgqnt3eixxksasu.xyz:1234

Attributes

communication_password
30afda4853ef5b1bc36463ba95d84247
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAIN-Forms = "C:\\Users\\Admin\\Documents\\PAIN-Forms.pif"	reg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

PAIN-Forms.exe

pid process

3808 PAIN-Forms.exe
3808 PAIN-Forms.exe
3808 PAIN-Forms.exe
3808 PAIN-Forms.exe
3808 PAIN-Forms.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

PAIN-Forms.exe

description pid process target process

PID 1668 set thread context of 3808 1668 PAIN-Forms.exe PAIN-Forms.exe

pid	process
3808	PAIN-Forms.exe
3808	PAIN-Forms.exe
3808	PAIN-Forms.exe
3808	PAIN-Forms.exe
3808	PAIN-Forms.exe

description	pid	process	target process
PID 1668 set thread context of 3808	1668	PAIN-Forms.exe	PAIN-Forms.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

PAIN-Forms.exe

pid	process
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe
1668	PAIN-Forms.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PAIN-Forms.exePAIN-Forms.exe

description pid process

Token: SeDebugPrivilege 1668 PAIN-Forms.exe
Token: SeShutdownPrivilege 3808 PAIN-Forms.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

PAIN-Forms.exe

pid process

3808 PAIN-Forms.exe
3808 PAIN-Forms.exe

description	pid	process
Token: SeDebugPrivilege	1668	PAIN-Forms.exe
Token: SeShutdownPrivilege	3808	PAIN-Forms.exe

pid	process
3808	PAIN-Forms.exe
3808	PAIN-Forms.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

PAIN-Forms.execmd.exe

description	pid	process	target process
PID 1668 wrote to memory of 3096	1668	PAIN-Forms.exe	cmd.exe
PID 1668 wrote to memory of 3096	1668	PAIN-Forms.exe	cmd.exe
PID 1668 wrote to memory of 3096	1668	PAIN-Forms.exe	cmd.exe
PID 3096 wrote to memory of 1532	3096	cmd.exe	reg.exe
PID 3096 wrote to memory of 1532	3096	cmd.exe	reg.exe
PID 3096 wrote to memory of 1532	3096	cmd.exe	reg.exe
PID 1668 wrote to memory of 4988	1668	PAIN-Forms.exe	cmd.exe
PID 1668 wrote to memory of 4988	1668	PAIN-Forms.exe	cmd.exe
PID 1668 wrote to memory of 4988	1668	PAIN-Forms.exe	cmd.exe
PID 1668 wrote to memory of 3808	1668	PAIN-Forms.exe	PAIN-Forms.exe
PID 1668 wrote to memory of 3808	1668	PAIN-Forms.exe	PAIN-Forms.exe
PID 1668 wrote to memory of 3808	1668	PAIN-Forms.exe	PAIN-Forms.exe
PID 1668 wrote to memory of 3808	1668	PAIN-Forms.exe	PAIN-Forms.exe
PID 1668 wrote to memory of 3808	1668	PAIN-Forms.exe	PAIN-Forms.exe
PID 1668 wrote to memory of 3808	1668	PAIN-Forms.exe	PAIN-Forms.exe
PID 1668 wrote to memory of 3808	1668	PAIN-Forms.exe	PAIN-Forms.exe
PID 1668 wrote to memory of 3808	1668	PAIN-Forms.exe	PAIN-Forms.exe
PID 1668 wrote to memory of 3808	1668	PAIN-Forms.exe	PAIN-Forms.exe
PID 1668 wrote to memory of 3808	1668	PAIN-Forms.exe	PAIN-Forms.exe
PID 1668 wrote to memory of 3808	1668	PAIN-Forms.exe	PAIN-Forms.exe

C:\Users\Admin\AppData\Local\Temp\PAIN-Forms.exe
"C:\Users\Admin\AppData\Local\Temp\PAIN-Forms.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PAIN-Forms" /t REG_SZ /F /D "C:\Users\Admin\Documents\PAIN-Forms.pif"
2⤵
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "PAIN-Forms" /t REG_SZ /F /D "C:\Users\Admin\Documents\PAIN-Forms.pif"
3⤵
- Adds Run key to start application
PID:1532

C:\Windows\SysWOW64\cmd.exe
cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\PAIN-Forms.exe" "C:\Users\Admin\Documents\PAIN-Forms.pif"
2⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\PAIN-Forms.exe
"C:\Users\Admin\AppData\Local\Temp\PAIN-Forms.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1668-19-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/1668-1-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/1668-2-0x0000000004EE0000-0x0000000005484000-memory.dmp

Filesize
5.6MB

Download
memory/1668-3-0x0000000004A20000-0x0000000004AB2000-memory.dmp

Filesize
584KB

Download
memory/1668-4-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/1668-5-0x0000000004BD0000-0x0000000004BDA000-memory.dmp

Filesize
40KB

Download
memory/1668-0-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/1668-7-0x0000000005C10000-0x0000000005C2E000-memory.dmp

Filesize
120KB

Download
memory/1668-8-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/1668-9-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/1668-10-0x0000000007490000-0x000000000752C000-memory.dmp

Filesize
624KB

Download
memory/1668-11-0x00000000073F0000-0x0000000007456000-memory.dmp

Filesize
408KB

Download
memory/1668-6-0x0000000005C90000-0x0000000005D06000-memory.dmp

Filesize
472KB

Download
memory/3808-32-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3808-24-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3808-15-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3808-14-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3808-20-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3808-21-0x0000000074670000-0x00000000746A9000-memory.dmp

Filesize
228KB

Download
memory/3808-22-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3808-23-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3808-25-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3808-34-0x00000000749F0000-0x0000000074A29000-memory.dmp

Filesize
228KB

Download
memory/3808-27-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3808-28-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3808-26-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3808-29-0x00000000749F0000-0x0000000074A29000-memory.dmp

Filesize
228KB

Download
memory/3808-30-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3808-31-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3808-18-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3808-33-0x0000000074670000-0x00000000746A9000-memory.dmp

Filesize
228KB

Download
memory/3808-16-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads