bitrat | ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8

General

Target

ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe
Size

7.6MB
MD5

18e07c4772a2687ee06a434ffef9572f
SHA1

ff1a7e4f53efdbd0935bcf8a8dac338ea96c9dbe
SHA256

ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8
SHA512

8795a49d7c5993f24a290e9d5f9299871af4ffd51a66b0656bf0057cdc15b1286350aae55be7b69cec660df1353f5a4dffdc08004a1b447b1b75e5645ac6188b
SSDEEP

196608:eMoIG1kQ7PENK4JQp9ny9MK07ZMCmPSxF:gJB7PGqKMKeBm4F

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

185.225.75.68:3569

Attributes

communication_password
0edcbe7d888380c49e7d1dcf67b6ea6e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Executes dropped EXE 1 IoCs

pid	Process
4292	state.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4236	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe
4236	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe
4236	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe
4236	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2428 set thread context of 4236	2428	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe	83

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1900	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4236	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4236	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe
4236	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 4236	2428	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe	83
PID 2428 wrote to memory of 4236	2428	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe	83
PID 2428 wrote to memory of 4236	2428	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe	83
PID 2428 wrote to memory of 4236	2428	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe	83
PID 2428 wrote to memory of 4236	2428	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe	83
PID 2428 wrote to memory of 4236	2428	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe	83
PID 2428 wrote to memory of 4236	2428	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe	83
PID 2428 wrote to memory of 4236	2428	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe	83
PID 2428 wrote to memory of 4236	2428	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe	83
PID 2428 wrote to memory of 4236	2428	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe	83
PID 2428 wrote to memory of 4236	2428	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe	83
PID 2428 wrote to memory of 4248	2428	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe	85
PID 2428 wrote to memory of 4248	2428	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe	85
PID 2428 wrote to memory of 4248	2428	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe	85
PID 2428 wrote to memory of 3020	2428	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe	88
PID 2428 wrote to memory of 3020	2428	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe	88
PID 2428 wrote to memory of 3020	2428	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe	88
PID 2428 wrote to memory of 1300	2428	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe	86
PID 2428 wrote to memory of 1300	2428	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe	86
PID 2428 wrote to memory of 1300	2428	ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe	86
PID 3020 wrote to memory of 1900	3020	cmd.exe	91
PID 3020 wrote to memory of 1900	3020	cmd.exe	91
PID 3020 wrote to memory of 1900	3020	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe
"C:\Users\Admin\AppData\Local\Temp\ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe
  "C:\Users\Admin\AppData\Local\Temp\ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4236
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\state"
  2⤵
  PID:4248
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8.exe" "C:\Users\Admin\AppData\Roaming\state\state.exe"
  2⤵
  PID:1300
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\state\state.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\state\state.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:1900

C:\Users\Admin\AppData\Roaming\state\state.exe
C:\Users\Admin\AppData\Roaming\state\state.exe
1⤵
- Executes dropped EXE
PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\state\state.exe

Filesize
2.3MB

MD5
bfa688b4bcb9036fdb6557c906d34e3e

SHA1
3b4c2b6e946dc1f82bda829242cf20672ac9e596

SHA256
1812551c404104fe26d31dda5418bcd745997cb39d9af25b5df865d366f0419f

SHA512
2391aa167147a1d70365da1e269d0a9e17646399b9d371501a589cc75cfd5cda548a32b323eee84e819797621990de818296f0ed475166530e62c2f0a78975c8

Download Submit
C:\Users\Admin\AppData\Roaming\state\state.exe

Filesize
2.0MB

MD5
31cb86f58d669d837cf84dc69f314a41

SHA1
911957e6a508a4c336e0e3c6323c2036f9921980

SHA256
620bebc0b2f36e10a609b0599367dc5267d79283ebbec35e6fae788ddc04b23f

SHA512
f11578abd45aec7e4d291594554fdbf72cdcf253b8a67489545a7fce695772db6bab1dddd016b4ce22f4d3976e44e256a8eb218d7ecddac2f9ef27b0f3a2f69b

Download Submit
memory/2428-10-0x0000000005E30000-0x0000000005E40000-memory.dmp

Filesize
64KB

Download
memory/2428-0-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/2428-2-0x00000000063F0000-0x0000000006994000-memory.dmp

Filesize
5.6MB

Download
memory/2428-3-0x0000000005E30000-0x0000000005E40000-memory.dmp

Filesize
64KB

Download
memory/2428-4-0x00000000079A0000-0x000000000812A000-memory.dmp

Filesize
7.5MB

Download
memory/2428-18-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/2428-8-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/2428-1-0x0000000000CA0000-0x000000000143E000-memory.dmp

Filesize
7.6MB

Download
memory/4236-12-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4236-20-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4236-9-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4236-15-0x0000000071490000-0x00000000714C9000-memory.dmp

Filesize
228KB

Download
memory/4236-17-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4236-7-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4236-19-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4236-11-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4236-21-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4236-22-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4236-23-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4236-24-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4236-25-0x0000000074FD0000-0x0000000075009000-memory.dmp

Filesize
228KB

Download
memory/4236-6-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4236-5-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads