bitrat | 40f3e277da7a04b58913ba390827cfd51b318f40768c58f81361b832096ce1ef

General

Target

bawo.exe
Size

7.8MB
MD5

b8d03a02e654dfc840f21297b8dc99b2
SHA1

615aced62a15e9a1733bfb2c390ba83f024bbbd7
SHA256

40f3e277da7a04b58913ba390827cfd51b318f40768c58f81361b832096ce1ef
SHA512

5f9b459df94dac7dc17f90a8dc53d968c3c0e2fc5c41b107ece1683621ef887d8f01abeec04ec0d9beb87fd11c54f39d71c7ec5c2502ec1db68ffacd018c4194
SSDEEP

196608:KUYuomDLdUgXNjeOoUoB/mZMnsDJKB4o+uBxKd8c:TzoQLd0O6B7c0BTLjbc

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitnow7005.duckdns.org:7005

Attributes

communication_password
827ccb0eea8a706c4c34a16891f84e7b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Executes dropped EXE 1 IoCs

pid	Process
4572	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1124	RegAsm.exe
1124	RegAsm.exe
1124	RegAsm.exe
1124	RegAsm.exe
1124	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4508 set thread context of 1124	4508	bawo.exe	97

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2236	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1124	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1124	RegAsm.exe
1124	RegAsm.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 1124	4508	bawo.exe	97
PID 4508 wrote to memory of 1124	4508	bawo.exe	97
PID 4508 wrote to memory of 1124	4508	bawo.exe	97
PID 4508 wrote to memory of 1124	4508	bawo.exe	97
PID 4508 wrote to memory of 1124	4508	bawo.exe	97
PID 4508 wrote to memory of 1124	4508	bawo.exe	97
PID 4508 wrote to memory of 1124	4508	bawo.exe	97
PID 4508 wrote to memory of 1124	4508	bawo.exe	97
PID 4508 wrote to memory of 1124	4508	bawo.exe	97
PID 4508 wrote to memory of 1124	4508	bawo.exe	97
PID 4508 wrote to memory of 1124	4508	bawo.exe	97
PID 4508 wrote to memory of 1152	4508	bawo.exe	103
PID 4508 wrote to memory of 1152	4508	bawo.exe	103
PID 4508 wrote to memory of 1152	4508	bawo.exe	103
PID 4508 wrote to memory of 2812	4508	bawo.exe	98
PID 4508 wrote to memory of 2812	4508	bawo.exe	98
PID 4508 wrote to memory of 2812	4508	bawo.exe	98
PID 4508 wrote to memory of 3660	4508	bawo.exe	99
PID 4508 wrote to memory of 3660	4508	bawo.exe	99
PID 4508 wrote to memory of 3660	4508	bawo.exe	99
PID 2812 wrote to memory of 2236	2812	cmd.exe	104
PID 2812 wrote to memory of 2236	2812	cmd.exe	104
PID 2812 wrote to memory of 2236	2812	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\bawo.exe
"C:\Users\Admin\AppData\Local\Temp\bawo.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1124
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2236
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\bawo.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  PID:3660
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  2⤵
  PID:1152

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
1.8MB

MD5
db097d6d1d9685d0f8cc76889aeec981

SHA1
e0a3c0db77ea5561ce63b49eff1bf3d113dacc37

SHA256
4c1e9efc8874f099b5267adee29513f042ce23a7e9bc9421a0031701c3c0f1f2

SHA512
75452c93c9d0fcb2f4dcf8ef84acd351609b46e5f915c680bbe9fa338080577e38a74cd6798a29af0636429d77758995b7f0194599d0bb67c17126f558a4f262

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
1.9MB

MD5
79fad2891b5f115348c56cb838bda6fc

SHA1
fcc5b917f410ae17188dc20575048ee9e07ff180

SHA256
ae9f2c9072f618294981f354928f7abb238160e388aa5deda4eaed0e7c7b9dd1

SHA512
bf0b4245c238285cc1aef95c8273e0e6c10c88119e8eede57d19762472eb099e350a664dcced97f1c9d35fcf4253bc600bdd416e8890b3dc19b78552a9281e7b

Download Submit
memory/1124-37-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-27-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-28-0x00000000751A0000-0x00000000751D9000-memory.dmp

Filesize
228KB

Download
memory/1124-29-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-6-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-8-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-9-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-52-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-14-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-11-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-16-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-18-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-20-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-22-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-24-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-42-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-48-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-30-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-44-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-31-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-32-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-33-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-34-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-35-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-36-0x0000000075540000-0x0000000075579000-memory.dmp

Filesize
228KB

Download
memory/1124-43-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-38-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-39-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1124-40-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4508-5-0x0000000007720000-0x0000000007EAA000-memory.dmp

Filesize
7.5MB

Download
memory/4508-0-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/4508-3-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/4508-4-0x0000000005D10000-0x0000000005D20000-memory.dmp

Filesize
64KB

Download
memory/4508-13-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/4508-2-0x0000000005D10000-0x0000000005D20000-memory.dmp

Filesize
64KB

Download
memory/4508-1-0x0000000000A80000-0x0000000001246000-memory.dmp

Filesize
7.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads