bitrat | d54df888565db74fd2065bfa327e5b5d2476df10564a25f2b99f3bf7f9504ab0

General

Target

docbit20230908.exe
Size

400.0MB
MD5

81e0872e2be9487534ddd879b05e6f62
SHA1

f97c783cb79036a9f2ff27e70a182f1b6919da18
SHA256

d54df888565db74fd2065bfa327e5b5d2476df10564a25f2b99f3bf7f9504ab0
SHA512

40bfff8cb99869510332a8f2c4f62a354de1ed0aa02fcef522c38deecac90c5429a19ee31c1d3eac6bf10f3e7e9cd3439891c949f5d2763bf2463d7bcdab6f90
SSDEEP

98304:XZ7MAV7nUqgfiWsNkFi589X/JiQGTfZ5MULBhT8i4wv7:XZ7tVDUq6iPkFiedRiQePLBpUw

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

homesafe1000.duckdns.org:1234

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

4792 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

docbit20230908.exe

description pid process target process

PID 3004 set thread context of 2084 3004 docbit20230908.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4380 2084 WerFault.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2516 schtasks.exe

pid	process
4792	svchost.exe

description	pid	process	target process
PID 3004 set thread context of 2084	3004	docbit20230908.exe	RegAsm.exe

pid	pid_target	process	target process
4380	2084	WerFault.exe	RegAsm.exe

pid	process
2516	schtasks.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

docbit20230908.execmd.exe

description	pid	process	target process
PID 3004 wrote to memory of 2084	3004	docbit20230908.exe	RegAsm.exe
PID 3004 wrote to memory of 2084	3004	docbit20230908.exe	RegAsm.exe
PID 3004 wrote to memory of 2084	3004	docbit20230908.exe	RegAsm.exe
PID 3004 wrote to memory of 2084	3004	docbit20230908.exe	RegAsm.exe
PID 3004 wrote to memory of 2084	3004	docbit20230908.exe	RegAsm.exe
PID 3004 wrote to memory of 2084	3004	docbit20230908.exe	RegAsm.exe
PID 3004 wrote to memory of 2084	3004	docbit20230908.exe	RegAsm.exe
PID 3004 wrote to memory of 2084	3004	docbit20230908.exe	RegAsm.exe
PID 3004 wrote to memory of 2084	3004	docbit20230908.exe	RegAsm.exe
PID 3004 wrote to memory of 2084	3004	docbit20230908.exe	RegAsm.exe
PID 3004 wrote to memory of 2084	3004	docbit20230908.exe	RegAsm.exe
PID 3004 wrote to memory of 3464	3004	docbit20230908.exe	cmd.exe
PID 3004 wrote to memory of 3464	3004	docbit20230908.exe	cmd.exe
PID 3004 wrote to memory of 3464	3004	docbit20230908.exe	cmd.exe
PID 3004 wrote to memory of 1920	3004	docbit20230908.exe	cmd.exe
PID 3004 wrote to memory of 1920	3004	docbit20230908.exe	cmd.exe
PID 3004 wrote to memory of 1920	3004	docbit20230908.exe	cmd.exe
PID 3004 wrote to memory of 1872	3004	docbit20230908.exe	cmd.exe
PID 3004 wrote to memory of 1872	3004	docbit20230908.exe	cmd.exe
PID 3004 wrote to memory of 1872	3004	docbit20230908.exe	cmd.exe
PID 1920 wrote to memory of 2516	1920	cmd.exe	schtasks.exe
PID 1920 wrote to memory of 2516	1920	cmd.exe	schtasks.exe
PID 1920 wrote to memory of 2516	1920	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe
"C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 540
3⤵
- Program crash
PID:4380

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
2⤵
PID:3464

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\docbit20230908.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2084 -ip 2084
1⤵
PID:3112

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
1.2MB

MD5
95a5e311796bc58c13c63ca0b265670c

SHA1
260cc604b669fb8c16cd2a2df09b13417b0c5752

SHA256
d456e464f553687d60c65119dc0d6806f3f610dda2f20fd85ad535a486c0d0a4

SHA512
b73cef59a652293b9783ad6c1674f7691122bfce35a1f3474072a7d2a43171478621ec1640612b47d296427211cfea122cdba268921a3be667e23efe6bc13b2a

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
1.6MB

MD5
6c91392709935a32f7784e6cc7a4430a

SHA1
6d02ae73900d758ab509410a2512e2154f1f0595

SHA256
0cfe393681b073e2634167e2554e654f93eacbb02de04e2f18f66f360f137d86

SHA512
4c9c66046dc21a54e6d9b9a5a8221a56b9146da4808c75d6be8029b7f544cfa1cb102eeb5246000f60897c737327d923fcbbe69da8937d75b179f0ac45accc21

Download Submit
memory/2084-19-0x0000000000A10000-0x0000000000DDE000-memory.dmp

Filesize
3.8MB

Download
memory/2084-18-0x0000000000A10000-0x0000000000DDE000-memory.dmp

Filesize
3.8MB

Download
memory/2084-22-0x0000000000A10000-0x0000000000DDE000-memory.dmp

Filesize
3.8MB

Download
memory/2084-5-0x0000000000A10000-0x0000000000DDE000-memory.dmp

Filesize
3.8MB

Download
memory/2084-21-0x0000000000A10000-0x0000000000DDE000-memory.dmp

Filesize
3.8MB

Download
memory/2084-11-0x0000000000A10000-0x0000000000DDE000-memory.dmp

Filesize
3.8MB

Download
memory/2084-15-0x0000000000A10000-0x0000000000DDE000-memory.dmp

Filesize
3.8MB

Download
memory/2084-16-0x0000000000A10000-0x0000000000DDE000-memory.dmp

Filesize
3.8MB

Download
memory/2084-17-0x0000000000A10000-0x0000000000DDE000-memory.dmp

Filesize
3.8MB

Download
memory/2084-20-0x0000000000A10000-0x0000000000DDE000-memory.dmp

Filesize
3.8MB

Download
memory/3004-1-0x0000000000AC0000-0x0000000000EC2000-memory.dmp

Filesize
4.0MB

Download
memory/3004-3-0x00000000752E0000-0x0000000075A90000-memory.dmp

Filesize
7.7MB

Download
memory/3004-9-0x00000000752E0000-0x0000000075A90000-memory.dmp

Filesize
7.7MB

Download
memory/3004-4-0x0000000005990000-0x0000000005D58000-memory.dmp

Filesize
3.8MB

Download
memory/3004-2-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/3004-0-0x00000000752E0000-0x0000000075A90000-memory.dmp

Filesize
7.7MB

Download
memory/4792-27-0x00000000752E0000-0x0000000075A90000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads