bitrat | 3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943

General

Target

3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
Size

7.6MB
MD5

9f42c993b0f9560fce2ac89d5b823b3b
SHA1

7c3ae9d0a92335ec5076490af4544a071d69c6d4
SHA256

3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943
SHA512

867eaa8455f4314e355241374b0eb80bcc7d6f932330e82c0a18a8e79caba014f35621c2bc0e345d294eb95bcecfcfed7652b058c88ae52ebfa82436cc59d379
SSDEEP

196608:Qv9coCuwOc11PU2hGdwV52HSabjklOaxb/1sjK:ObC/O2QejwSZ9/1EK

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

185.225.75.68:3569

Attributes

communication_password
0edcbe7d888380c49e7d1dcf67b6ea6e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 1 IoCs

Processes:

hope.exe

pid process

4564 hope.exe

pid	process
4564	hope.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe

pid	process
3868	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
3868	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
3868	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
3868	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe

description	pid	process	target process
PID 3820 set thread context of 3868	3820	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

712 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe

description pid process

Token: SeShutdownPrivilege 3868 3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe

pid	process
712	schtasks.exe

description	pid	process
Token: SeShutdownPrivilege	3868	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe

pid	process
3868	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
3868	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.execmd.exe

description	pid	process	target process
PID 3820 wrote to memory of 3868	3820	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 3820 wrote to memory of 3868	3820	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 3820 wrote to memory of 3868	3820	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 3820 wrote to memory of 3868	3820	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 3820 wrote to memory of 3868	3820	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 3820 wrote to memory of 3868	3820	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 3820 wrote to memory of 3868	3820	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 3820 wrote to memory of 3868	3820	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 3820 wrote to memory of 3868	3820	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 3820 wrote to memory of 3868	3820	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 3820 wrote to memory of 3868	3820	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
PID 3820 wrote to memory of 4540	3820	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe	cmd.exe
PID 3820 wrote to memory of 4540	3820	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe	cmd.exe
PID 3820 wrote to memory of 4540	3820	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe	cmd.exe
PID 3820 wrote to memory of 372	3820	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe	cmd.exe
PID 3820 wrote to memory of 372	3820	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe	cmd.exe
PID 3820 wrote to memory of 372	3820	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe	cmd.exe
PID 3820 wrote to memory of 2320	3820	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe	cmd.exe
PID 3820 wrote to memory of 2320	3820	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe	cmd.exe
PID 3820 wrote to memory of 2320	3820	3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe	cmd.exe
PID 372 wrote to memory of 712	372	cmd.exe	schtasks.exe
PID 372 wrote to memory of 712	372	cmd.exe	schtasks.exe
PID 372 wrote to memory of 712	372	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
"C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3820

C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe
"C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3868

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\hope"
2⤵
PID:4540

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hope\hope.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hope\hope.exe'" /f
3⤵
- Creates scheduled task(s)
PID:712

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\3e6692760e61b3e71675a24f7b5b50cde09cabf750ede2a9a365c8e482c61943.exe" "C:\Users\Admin\AppData\Roaming\hope\hope.exe"
2⤵
PID:2320

C:\Users\Admin\AppData\Roaming\hope\hope.exe
C:\Users\Admin\AppData\Roaming\hope\hope.exe
1⤵
- Executes dropped EXE
PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\hope\hope.exe
Filesize
5.9MB

MD5
a7ad29828532e1fe8877ab489b6cf157

SHA1
3b6b6a0a251591a1a4be3ed5888472fc3df0ad08

SHA256
7e12c70b8b77edb78ffef8e16b52a8696a7f0a92b6ddfe501e66bf568acb54e3

SHA512
0e987a47131d834e18e73eab730c44d797baf272d3a04d68ce857adebb4edca6980b816d832f78b7dcac5ca40802df00c04cfe9022776e47e68b2025ae495f7e

Download Submit
C:\Users\Admin\AppData\Roaming\hope\hope.exe
Filesize
3.9MB

MD5
5a0988578aa3de35d3798e11e04ac20a

SHA1
cbd35d34d9783cb22f9fc12fe6c897c054b6ec3b

SHA256
4c745243c33dbe67310b528b195e630b86fbcc733ef3397d3fa927c4f4f14aeb

SHA512
a87bed93d1861225ba0693dcb65c5af3921b4c798fdbcd850c9890d026fbe5680996d5597534943be8ca859216de1ec2783b834046699366c4b95f0b8ae9715e

Download Submit
memory/3820-10-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/3820-1-0x0000000000AA0000-0x0000000001234000-memory.dmp

Filesize
7.6MB

Download
memory/3820-2-0x0000000006190000-0x0000000006734000-memory.dmp

Filesize
5.6MB

Download
memory/3820-3-0x0000000003740000-0x0000000003750000-memory.dmp

Filesize
64KB

Download
memory/3820-4-0x0000000007740000-0x0000000007ECA000-memory.dmp

Filesize
7.5MB

Download
memory/3820-0-0x0000000074620000-0x0000000074DD0000-memory.dmp

Filesize
7.7MB

Download
memory/3868-15-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3868-20-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3868-13-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3868-14-0x0000000074530000-0x0000000074569000-memory.dmp

Filesize
228KB

Download
memory/3868-7-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3868-16-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3868-17-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3868-18-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3868-19-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3868-9-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3868-21-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3868-22-0x00000000748D0000-0x0000000074909000-memory.dmp

Filesize
228KB

Download
memory/3868-23-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3868-24-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3868-25-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3868-26-0x00000000748D0000-0x0000000074909000-memory.dmp

Filesize
228KB

Download
memory/3868-6-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3868-5-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4564-29-0x0000000073C20000-0x00000000743D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads