bitrat | 08b44be5d6721d2b20fa1de5fa8d1f80d84d9d424f6fefc06b01a9a81670aec8

General

Target

8924a53be46439d1c258a10b59596b77.exe
Size

3.0MB
MD5

8924a53be46439d1c258a10b59596b77
SHA1

6cf13347e475772a66e67f5f529a908956dfd00d
SHA256

08b44be5d6721d2b20fa1de5fa8d1f80d84d9d424f6fefc06b01a9a81670aec8
SHA512

b322d44280e7eff437d0c429f6cfd7af7cf05ea0a8598a9dd42a89b1b6712a1c5f80f1a676d7e1eaf71188f82b68e5c32078e3b376efea97c81df2d594b8eeab
SSDEEP

49152:YJXZRkXRxWCBu72E76E5jXVL5w9lmVOALga7n0Yy:Ky

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

194.33.45.3:4898

Attributes

communication_password
89ec00ac3524ab4f7edd70785d23e302
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Nirsoft 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe

pid process

1224 AdvancedRun.exe
944 AdvancedRun.exe
892 AdvancedRun.exe
2628 AdvancedRun.exe

pid	process
1224	AdvancedRun.exe
944	AdvancedRun.exe
892	AdvancedRun.exe
2628	AdvancedRun.exe

Loads dropped DLL 8 IoCs

Processes:

8924a53be46439d1c258a10b59596b77.exeAdvancedRun.exeAdvancedRun.exe

pid	process
776	8924a53be46439d1c258a10b59596b77.exe
776	8924a53be46439d1c258a10b59596b77.exe
1224	AdvancedRun.exe
1224	AdvancedRun.exe
776	8924a53be46439d1c258a10b59596b77.exe
776	8924a53be46439d1c258a10b59596b77.exe
892	AdvancedRun.exe
892	AdvancedRun.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

8924a53be46439d1c258a10b59596b77.exe

pid	process
2116	8924a53be46439d1c258a10b59596b77.exe
2116	8924a53be46439d1c258a10b59596b77.exe
2116	8924a53be46439d1c258a10b59596b77.exe
2116	8924a53be46439d1c258a10b59596b77.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8924a53be46439d1c258a10b59596b77.exe

description pid process target process

PID 776 set thread context of 2116 776 8924a53be46439d1c258a10b59596b77.exe 8924a53be46439d1c258a10b59596b77.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 776 set thread context of 2116	776	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

powershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe8924a53be46439d1c258a10b59596b77.exepowershell.exe

pid	process
2860	powershell.exe
2824	powershell.exe
2592	powershell.exe
1224	AdvancedRun.exe
1224	AdvancedRun.exe
944	AdvancedRun.exe
944	AdvancedRun.exe
892	AdvancedRun.exe
892	AdvancedRun.exe
2628	AdvancedRun.exe
2628	AdvancedRun.exe
776	8924a53be46439d1c258a10b59596b77.exe
776	8924a53be46439d1c258a10b59596b77.exe
776	8924a53be46439d1c258a10b59596b77.exe
776	8924a53be46439d1c258a10b59596b77.exe
776	8924a53be46439d1c258a10b59596b77.exe
2084	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

8924a53be46439d1c258a10b59596b77.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exepowershell.exe8924a53be46439d1c258a10b59596b77.exe

description	pid	process
Token: SeDebugPrivilege	776	8924a53be46439d1c258a10b59596b77.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	1224	AdvancedRun.exe
Token: SeImpersonatePrivilege	1224	AdvancedRun.exe
Token: SeDebugPrivilege	944	AdvancedRun.exe
Token: SeImpersonatePrivilege	944	AdvancedRun.exe
Token: SeDebugPrivilege	892	AdvancedRun.exe
Token: SeImpersonatePrivilege	892	AdvancedRun.exe
Token: SeDebugPrivilege	2628	AdvancedRun.exe
Token: SeImpersonatePrivilege	2628	AdvancedRun.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2116	8924a53be46439d1c258a10b59596b77.exe
Token: SeShutdownPrivilege	2116	8924a53be46439d1c258a10b59596b77.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

8924a53be46439d1c258a10b59596b77.exe

pid process

2116 8924a53be46439d1c258a10b59596b77.exe
2116 8924a53be46439d1c258a10b59596b77.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

8924a53be46439d1c258a10b59596b77.exeAdvancedRun.exeAdvancedRun.exe

description	pid	process	target process
PID 776 wrote to memory of 2860	776	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 776 wrote to memory of 2860	776	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 776 wrote to memory of 2860	776	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 776 wrote to memory of 2860	776	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 776 wrote to memory of 2824	776	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 776 wrote to memory of 2824	776	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 776 wrote to memory of 2824	776	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 776 wrote to memory of 2824	776	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 776 wrote to memory of 2592	776	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 776 wrote to memory of 2592	776	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 776 wrote to memory of 2592	776	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 776 wrote to memory of 2592	776	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 776 wrote to memory of 1224	776	8924a53be46439d1c258a10b59596b77.exe	AdvancedRun.exe
PID 776 wrote to memory of 1224	776	8924a53be46439d1c258a10b59596b77.exe	AdvancedRun.exe
PID 776 wrote to memory of 1224	776	8924a53be46439d1c258a10b59596b77.exe	AdvancedRun.exe
PID 776 wrote to memory of 1224	776	8924a53be46439d1c258a10b59596b77.exe	AdvancedRun.exe
PID 1224 wrote to memory of 944	1224	AdvancedRun.exe	AdvancedRun.exe
PID 1224 wrote to memory of 944	1224	AdvancedRun.exe	AdvancedRun.exe
PID 1224 wrote to memory of 944	1224	AdvancedRun.exe	AdvancedRun.exe
PID 1224 wrote to memory of 944	1224	AdvancedRun.exe	AdvancedRun.exe
PID 776 wrote to memory of 892	776	8924a53be46439d1c258a10b59596b77.exe	AdvancedRun.exe
PID 776 wrote to memory of 892	776	8924a53be46439d1c258a10b59596b77.exe	AdvancedRun.exe
PID 776 wrote to memory of 892	776	8924a53be46439d1c258a10b59596b77.exe	AdvancedRun.exe
PID 776 wrote to memory of 892	776	8924a53be46439d1c258a10b59596b77.exe	AdvancedRun.exe
PID 892 wrote to memory of 2628	892	AdvancedRun.exe	AdvancedRun.exe
PID 892 wrote to memory of 2628	892	AdvancedRun.exe	AdvancedRun.exe
PID 892 wrote to memory of 2628	892	AdvancedRun.exe	AdvancedRun.exe
PID 892 wrote to memory of 2628	892	AdvancedRun.exe	AdvancedRun.exe
PID 776 wrote to memory of 2084	776	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 776 wrote to memory of 2084	776	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 776 wrote to memory of 2084	776	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 776 wrote to memory of 2084	776	8924a53be46439d1c258a10b59596b77.exe	powershell.exe
PID 776 wrote to memory of 2116	776	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 776 wrote to memory of 2116	776	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 776 wrote to memory of 2116	776	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 776 wrote to memory of 2116	776	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 776 wrote to memory of 2116	776	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 776 wrote to memory of 2116	776	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 776 wrote to memory of 2116	776	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 776 wrote to memory of 2116	776	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 776 wrote to memory of 2116	776	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 776 wrote to memory of 2116	776	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 776 wrote to memory of 2116	776	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe
PID 776 wrote to memory of 2116	776	8924a53be46439d1c258a10b59596b77.exe	8924a53be46439d1c258a10b59596b77.exe

C:\Users\Admin\AppData\Local\Temp\8924a53be46439d1c258a10b59596b77.exe
"C:\Users\Admin\AppData\Local\Temp\8924a53be46439d1c258a10b59596b77.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 1224
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 892
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\8924a53be46439d1c258a10b59596b77.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Users\Admin\AppData\Local\Temp\8924a53be46439d1c258a10b59596b77.exe
C:\Users\Admin\AppData\Local\Temp\8924a53be46439d1c258a10b59596b77.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
ced9e8396bb2102eaad7aca7cb49b7f0

SHA1
6ce1eca51014129eddef95c8f0a8226ca9701a4f

SHA256
899c0749f593c6d93e9491217a960748a27e2890db41f352200d89561a719f00

SHA512
73fc4fdc084f83eacaaaf284f3b8e81dd348d56426e0962bd6ca819c3efb068a2fd1c80853119ec3467953a36b21053c04ac1f3ed6b796e6347c13f6558aed03

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/776-18-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/776-0-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/776-2-0x0000000004A20000-0x0000000004A60000-memory.dmp

Filesize
256KB

Download
memory/776-76-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/776-1-0x0000000000E70000-0x0000000001166000-memory.dmp

Filesize
3.0MB

Download
memory/776-33-0x0000000005890000-0x0000000005A6A000-memory.dmp

Filesize
1.9MB

Download
memory/776-32-0x0000000005540000-0x0000000005736000-memory.dmp

Filesize
2.0MB

Download
memory/776-19-0x0000000004A20000-0x0000000004A60000-memory.dmp

Filesize
256KB

Download
memory/2084-65-0x0000000070080000-0x000000007062B000-memory.dmp

Filesize
5.7MB

Download
memory/2084-60-0x0000000070080000-0x000000007062B000-memory.dmp

Filesize
5.7MB

Download
memory/2084-86-0x0000000070080000-0x000000007062B000-memory.dmp

Filesize
5.7MB

Download
memory/2084-71-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2084-70-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2084-68-0x0000000070080000-0x000000007062B000-memory.dmp

Filesize
5.7MB

Download
memory/2084-62-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/2116-78-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2116-69-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2116-90-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2116-89-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2116-88-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2116-87-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2116-85-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2116-84-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2116-83-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2116-61-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2116-81-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2116-66-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2116-64-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2116-59-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2116-58-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2116-79-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2116-67-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2116-77-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2116-74-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2116-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2592-30-0x00000000023F0000-0x0000000002430000-memory.dmp

Filesize
256KB

Download
memory/2592-29-0x00000000023F0000-0x0000000002430000-memory.dmp

Filesize
256KB

Download
memory/2592-26-0x0000000071C10000-0x00000000721BB000-memory.dmp

Filesize
5.7MB

Download
memory/2592-27-0x00000000023F0000-0x0000000002430000-memory.dmp

Filesize
256KB

Download
memory/2592-28-0x0000000071C10000-0x00000000721BB000-memory.dmp

Filesize
5.7MB

Download
memory/2592-31-0x0000000071C10000-0x00000000721BB000-memory.dmp

Filesize
5.7MB

Download
memory/2824-16-0x0000000002590000-0x00000000025D0000-memory.dmp

Filesize
256KB

Download
memory/2824-20-0x0000000071A30000-0x0000000071FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2824-17-0x0000000071A30000-0x0000000071FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2824-15-0x0000000071A30000-0x0000000071FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-6-0x0000000071C10000-0x00000000721BB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-8-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2860-9-0x0000000071C10000-0x00000000721BB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-7-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2860-5-0x0000000071C10000-0x00000000721BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads