bitrat | 752de4a31961533190547dd1fe03bc8c0c0178c3a8512582ae56266e27e32c17

General

Target

1540c36f7454d7fc450d9ba1df2d0b27.exe
Size

4.0MB
MD5

1540c36f7454d7fc450d9ba1df2d0b27
SHA1

e67371197f6a0b3731f787d11db284f3d684997b
SHA256

752de4a31961533190547dd1fe03bc8c0c0178c3a8512582ae56266e27e32c17
SHA512

dde9a094e7e8089a2342c63a33a9e8c8cb46d4c341e7f8ff84489757928306d39172cf89e69ec56f3568cf5f8aa3ce7cadebb65d3058b14916e6444a92525162
SSDEEP

98304:OwyTkXTVa2bSFV5zNUFzbXottPXD5BYaHiuhg:OVkXTVaummbXott/9CM

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

8.208.27.150:4550

Attributes

communication_password
9996535e07258a7bbfd8b132435c5962
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 1 IoCs

Processes:

pcshield.exe

pid process

2940 pcshield.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

RegAsm.exeRegAsm.exe

pid process

1248 RegAsm.exe
1248 RegAsm.exe
1248 RegAsm.exe
1248 RegAsm.exe
572 RegAsm.exe

pid	process
2940	pcshield.exe

pid	process
1248	RegAsm.exe
1248	RegAsm.exe
1248	RegAsm.exe
1248	RegAsm.exe
572	RegAsm.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1540c36f7454d7fc450d9ba1df2d0b27.exepcshield.exe

description	pid	process	target process
PID 3032 set thread context of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	RegAsm.exe
PID 2940 set thread context of 572	2940	pcshield.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

560 schtasks.exe

pid	process
560	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

1540c36f7454d7fc450d9ba1df2d0b27.exeRegAsm.exepcshield.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe
Token: SeDebugPrivilege	1248	RegAsm.exe
Token: SeShutdownPrivilege	1248	RegAsm.exe
Token: SeDebugPrivilege	2940	pcshield.exe
Token: SeDebugPrivilege	572	RegAsm.exe
Token: SeShutdownPrivilege	572	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

1248 RegAsm.exe
1248 RegAsm.exe

pid	process
1248	RegAsm.exe
1248	RegAsm.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

1540c36f7454d7fc450d9ba1df2d0b27.execmd.exetaskeng.exepcshield.exe

description	pid	process	target process
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	RegAsm.exe
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	RegAsm.exe
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	RegAsm.exe
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	RegAsm.exe
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	RegAsm.exe
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	RegAsm.exe
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	RegAsm.exe
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	RegAsm.exe
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	RegAsm.exe
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	RegAsm.exe
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	RegAsm.exe
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	RegAsm.exe
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	RegAsm.exe
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	RegAsm.exe
PID 3032 wrote to memory of 1248	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	RegAsm.exe
PID 3032 wrote to memory of 744	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	cmd.exe
PID 3032 wrote to memory of 744	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	cmd.exe
PID 3032 wrote to memory of 744	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	cmd.exe
PID 3032 wrote to memory of 744	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	cmd.exe
PID 3032 wrote to memory of 2648	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	cmd.exe
PID 3032 wrote to memory of 2648	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	cmd.exe
PID 3032 wrote to memory of 2648	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	cmd.exe
PID 3032 wrote to memory of 2648	3032	1540c36f7454d7fc450d9ba1df2d0b27.exe	cmd.exe
PID 744 wrote to memory of 560	744	cmd.exe	schtasks.exe
PID 744 wrote to memory of 560	744	cmd.exe	schtasks.exe
PID 744 wrote to memory of 560	744	cmd.exe	schtasks.exe
PID 744 wrote to memory of 560	744	cmd.exe	schtasks.exe
PID 2252 wrote to memory of 2940	2252	taskeng.exe	pcshield.exe
PID 2252 wrote to memory of 2940	2252	taskeng.exe	pcshield.exe
PID 2252 wrote to memory of 2940	2252	taskeng.exe	pcshield.exe
PID 2252 wrote to memory of 2940	2252	taskeng.exe	pcshield.exe
PID 2940 wrote to memory of 572	2940	pcshield.exe	RegAsm.exe
PID 2940 wrote to memory of 572	2940	pcshield.exe	RegAsm.exe
PID 2940 wrote to memory of 572	2940	pcshield.exe	RegAsm.exe
PID 2940 wrote to memory of 572	2940	pcshield.exe	RegAsm.exe
PID 2940 wrote to memory of 572	2940	pcshield.exe	RegAsm.exe
PID 2940 wrote to memory of 572	2940	pcshield.exe	RegAsm.exe
PID 2940 wrote to memory of 572	2940	pcshield.exe	RegAsm.exe
PID 2940 wrote to memory of 572	2940	pcshield.exe	RegAsm.exe
PID 2940 wrote to memory of 572	2940	pcshield.exe	RegAsm.exe
PID 2940 wrote to memory of 572	2940	pcshield.exe	RegAsm.exe
PID 2940 wrote to memory of 572	2940	pcshield.exe	RegAsm.exe
PID 2940 wrote to memory of 572	2940	pcshield.exe	RegAsm.exe
PID 2940 wrote to memory of 572	2940	pcshield.exe	RegAsm.exe
PID 2940 wrote to memory of 572	2940	pcshield.exe	RegAsm.exe
PID 2940 wrote to memory of 572	2940	pcshield.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\1540c36f7454d7fc450d9ba1df2d0b27.exe
"C:\Users\Admin\AppData\Local\Temp\1540c36f7454d7fc450d9ba1df2d0b27.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\pcshield\pcshield.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\pcshield\pcshield.exe'" /f
3⤵
- Creates scheduled task(s)
PID:560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\1540c36f7454d7fc450d9ba1df2d0b27.exe" "C:\Users\Admin\AppData\Local\Temp\pcshield\pcshield.exe"
2⤵
PID:2648

C:\Windows\system32\taskeng.exe
taskeng.exe {13C7BE87-66DC-482D-B365-43E49C9C4850} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2252

C:\Users\Admin\AppData\Local\Temp\pcshield\pcshield.exe
C:\Users\Admin\AppData\Local\Temp\pcshield\pcshield.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pcshield\pcshield.exe
Filesize
1.6MB

MD5
1904ee2a6bbbe7abd5e0da19103941fc

SHA1
8da35872b075ef1e85cc23abd319804085aa3e37

SHA256
2a35bdd73eb00e69f7096892331c4fd22f7446a9a5267b173d962079127c894f

SHA512
097e070b48aa9b906236e91c6083e9467bd537bc6630feec7a4ba8a8b3688acc10e4614821f0516646a1c8e093b27a28aaf58d5f1607fa6b2bb191cd9ce696d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcshield\pcshield.exe
Filesize
325KB

MD5
2c246b01b2433dcc797cc4b856c8264c

SHA1
b645cb4aa7dc712084ff93e3941e5beca0677286

SHA256
7baecd236b23b16df57149f501e9c60df6dbd206d9f4d28b69d08d804d763ebf

SHA512
dd87039a953d4cec57ba4acc019bbb66a8e900f8f61831af18b6708f4fdddafddba196ee574e55486f585591d1f9758b1fa993de961dc14f60305e1a12f366ec

Download Submit
memory/572-69-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/572-68-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/572-67-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/572-65-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-15-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-36-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-11-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-12-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1248-71-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-20-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-24-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-25-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-26-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-27-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-29-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-28-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-30-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-31-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-32-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-33-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-70-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-3-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-10-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-37-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-38-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-39-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-5-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-43-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-44-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-9-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1248-7-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/2940-48-0x0000000000C40000-0x000000000104C000-memory.dmp

Filesize
4.0MB

Download
memory/2940-47-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/2940-49-0x0000000000500000-0x0000000000540000-memory.dmp

Filesize
256KB

Download
memory/2940-72-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/2940-73-0x0000000000500000-0x0000000000540000-memory.dmp

Filesize
256KB

Download
memory/3032-40-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/3032-35-0x0000000000750000-0x0000000000790000-memory.dmp

Filesize
256KB

Download
memory/3032-2-0x0000000000750000-0x0000000000790000-memory.dmp

Filesize
256KB

Download
memory/3032-1-0x0000000000330000-0x000000000073C000-memory.dmp

Filesize
4.0MB

Download
memory/3032-34-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/3032-0-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads