bitrat | 752de4a31961533190547dd1fe03bc8c0c0178c3a8512582ae56266e27e32c17

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21-12-2023 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1540c36f7454d7fc450d9ba1df2d0b27.exe
Size

4.0MB
MD5

1540c36f7454d7fc450d9ba1df2d0b27
SHA1

e67371197f6a0b3731f787d11db284f3d684997b
SHA256

752de4a31961533190547dd1fe03bc8c0c0178c3a8512582ae56266e27e32c17
SHA512

dde9a094e7e8089a2342c63a33a9e8c8cb46d4c341e7f8ff84489757928306d39172cf89e69ec56f3568cf5f8aa3ce7cadebb65d3058b14916e6444a92525162
SSDEEP

98304:OwyTkXTVa2bSFV5zNUFzbXottPXD5BYaHiuhg:OVkXTVaummbXott/9CM

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

8.208.27.150:4550

Attributes

communication_password
9996535e07258a7bbfd8b132435c5962
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Executes dropped EXE 1 IoCs

pid	Process
2940	pcshield.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1248	RegAsm.exe
1248	RegAsm.exe
1248	RegAsm.exe
1248	RegAsm.exe
572	RegAsm.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3032 set thread context of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	28
PID 2940 set thread context of 572	2940	pcshield.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
560	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe
Token: SeDebugPrivilege	1248	RegAsm.exe
Token: SeShutdownPrivilege	1248	RegAsm.exe
Token: SeDebugPrivilege	2940	pcshield.exe
Token: SeDebugPrivilege	572	RegAsm.exe
Token: SeShutdownPrivilege	572	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1248	RegAsm.exe
1248	RegAsm.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	28
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	28
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	28
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	28
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	28
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	28
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	28
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	28
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	28
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	28
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	28
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	28
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	28
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	28
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	28
PID 3032 wrote to memory of 744	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	31
PID 3032 wrote to memory of 744	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	31
PID 3032 wrote to memory of 744	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	31
PID 3032 wrote to memory of 744	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	31
PID 3032 wrote to memory of 2648	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	33
PID 3032 wrote to memory of 2648	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	33
PID 3032 wrote to memory of 2648	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	33
PID 3032 wrote to memory of 2648	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	33
PID 744 wrote to memory of 560	744	cmd.exe	35
PID 744 wrote to memory of 560	744	cmd.exe	35
PID 744 wrote to memory of 560	744	cmd.exe	35
PID 744 wrote to memory of 560	744	cmd.exe	35
PID 2252 wrote to memory of 2940	2252	taskeng.exe	37
PID 2252 wrote to memory of 2940	2252	taskeng.exe	37
PID 2252 wrote to memory of 2940	2252	taskeng.exe	37
PID 2252 wrote to memory of 2940	2252	taskeng.exe	37
PID 2940 wrote to memory of 572	2940	pcshield.exe	38
PID 2940 wrote to memory of 572	2940	pcshield.exe	38
PID 2940 wrote to memory of 572	2940	pcshield.exe	38
PID 2940 wrote to memory of 572	2940	pcshield.exe	38
PID 2940 wrote to memory of 572	2940	pcshield.exe	38
PID 2940 wrote to memory of 572	2940	pcshield.exe	38
PID 2940 wrote to memory of 572	2940	pcshield.exe	38
PID 2940 wrote to memory of 572	2940	pcshield.exe	38
PID 2940 wrote to memory of 572	2940	pcshield.exe	38
PID 2940 wrote to memory of 572	2940	pcshield.exe	38
PID 2940 wrote to memory of 572	2940	pcshield.exe	38
PID 2940 wrote to memory of 572	2940	pcshield.exe	38
PID 2940 wrote to memory of 572	2940	pcshield.exe	38
PID 2940 wrote to memory of 572	2940	pcshield.exe	38
PID 2940 wrote to memory of 572	2940	pcshield.exe	38

C:\Users\Admin\AppData\Local\Temp\1540c36f7454d7fc450d9ba1df2d0b27.exe
"C:\Users\Admin\AppData\Local\Temp\1540c36f7454d7fc450d9ba1df2d0b27.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1248
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\pcshield\pcshield.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\pcshield\pcshield.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:560
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\1540c36f7454d7fc450d9ba1df2d0b27.exe" "C:\Users\Admin\AppData\Local\Temp\pcshield\pcshield.exe"
  2⤵
  PID:2648

C:\Windows\system32\taskeng.exe
taskeng.exe {13C7BE87-66DC-482D-B365-43E49C9C4850} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\pcshield\pcshield.exe
  C:\Users\Admin\AppData\Local\Temp\pcshield\pcshield.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pcshield\pcshield.exe

Filesize
1.6MB

MD5
1904ee2a6bbbe7abd5e0da19103941fc

SHA1
8da35872b075ef1e85cc23abd319804085aa3e37

SHA256
2a35bdd73eb00e69f7096892331c4fd22f7446a9a5267b173d962079127c894f

SHA512
097e070b48aa9b906236e91c6083e9467bd537bc6630feec7a4ba8a8b3688acc10e4614821f0516646a1c8e093b27a28aaf58d5f1607fa6b2bb191cd9ce696d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcshield\pcshield.exe

Filesize
325KB

MD5
2c246b01b2433dcc797cc4b856c8264c

SHA1
b645cb4aa7dc712084ff93e3941e5beca0677286

SHA256
7baecd236b23b16df57149f501e9c60df6dbd206d9f4d28b69d08d804d763ebf

SHA512
dd87039a953d4cec57ba4acc019bbb66a8e900f8f61831af18b6708f4fdddafddba196ee574e55486f585591d1f9758b1fa993de961dc14f60305e1a12f366ec

Download Submit
memory/572-69-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/572-68-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/572-67-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/572-65-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-15-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-36-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-11-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-12-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1248-71-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-20-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-24-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-25-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-26-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-27-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-29-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-28-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-30-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-31-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-32-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-33-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-70-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-3-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-10-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-37-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-38-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-39-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-5-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-43-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-44-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-9-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-7-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/2940-48-0x0000000000C40000-0x000000000104C000-memory.dmp

Filesize
4.0MB

Download
memory/2940-47-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/2940-49-0x0000000000500000-0x0000000000540000-memory.dmp

Filesize
256KB

Download
memory/2940-72-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/2940-73-0x0000000000500000-0x0000000000540000-memory.dmp

Filesize
256KB

Download
memory/3032-40-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/3032-35-0x0000000000750000-0x0000000000790000-memory.dmp

Filesize
256KB

Download
memory/3032-2-0x0000000000750000-0x0000000000790000-memory.dmp

Filesize
256KB

Download
memory/3032-1-0x0000000000330000-0x000000000073C000-memory.dmp

Filesize
4.0MB

Download
memory/3032-34-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/3032-0-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads