bitrat | 4420228e7fcc165d098da14380b8f81027d7a8b061828cafcfaf66b495821c98

General

Target

3501e786be4bd0373ffb6c26400aa5b8.exe
Size

4.3MB
MD5

3501e786be4bd0373ffb6c26400aa5b8
SHA1

1abb20babb5f280a0896f9a63b9c30e65149c8ac
SHA256

4420228e7fcc165d098da14380b8f81027d7a8b061828cafcfaf66b495821c98
SHA512

455eaaa5cb0d21662eb645e039465080e1312438b63400a36010e41a8ec29990914d88ec9043561d87fbdfcff2199b9ee5844f30ea362849f2b640b1f73f1049
SSDEEP

98304:lgv1yLNN5DwMZCEwEQhTYPL6iezQhNQOzhNgqEmYDpPj:lgcBPL/wzhTY8zQh/hNgqfYN

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

185.157.160.147:1975

Attributes

communication_password
f49a6667c09a9e329afb64bc0a18a188
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\am = "C:\\Users\\Admin\\AppData\\Roaming\\aw\\ar.exe"	3501e786be4bd0373ffb6c26400aa5b8.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2900	3501e786be4bd0373ffb6c26400aa5b8.exe
2900	3501e786be4bd0373ffb6c26400aa5b8.exe
2900	3501e786be4bd0373ffb6c26400aa5b8.exe
2900	3501e786be4bd0373ffb6c26400aa5b8.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2192 set thread context of 2900	2192	3501e786be4bd0373ffb6c26400aa5b8.exe	28

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	3501e786be4bd0373ffb6c26400aa5b8.exe
Token: SeShutdownPrivilege	2900	3501e786be4bd0373ffb6c26400aa5b8.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2192	3501e786be4bd0373ffb6c26400aa5b8.exe
2900	3501e786be4bd0373ffb6c26400aa5b8.exe
2900	3501e786be4bd0373ffb6c26400aa5b8.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2900	2192	3501e786be4bd0373ffb6c26400aa5b8.exe	28
PID 2192 wrote to memory of 2900	2192	3501e786be4bd0373ffb6c26400aa5b8.exe	28
PID 2192 wrote to memory of 2900	2192	3501e786be4bd0373ffb6c26400aa5b8.exe	28
PID 2192 wrote to memory of 2900	2192	3501e786be4bd0373ffb6c26400aa5b8.exe	28
PID 2192 wrote to memory of 2900	2192	3501e786be4bd0373ffb6c26400aa5b8.exe	28
PID 2192 wrote to memory of 2900	2192	3501e786be4bd0373ffb6c26400aa5b8.exe	28
PID 2192 wrote to memory of 2900	2192	3501e786be4bd0373ffb6c26400aa5b8.exe	28
PID 2192 wrote to memory of 2900	2192	3501e786be4bd0373ffb6c26400aa5b8.exe	28
PID 2192 wrote to memory of 2900	2192	3501e786be4bd0373ffb6c26400aa5b8.exe	28
PID 2192 wrote to memory of 2900	2192	3501e786be4bd0373ffb6c26400aa5b8.exe	28
PID 2192 wrote to memory of 2900	2192	3501e786be4bd0373ffb6c26400aa5b8.exe	28
PID 2192 wrote to memory of 2900	2192	3501e786be4bd0373ffb6c26400aa5b8.exe	28

C:\Users\Admin\AppData\Local\Temp\3501e786be4bd0373ffb6c26400aa5b8.exe
"C:\Users\Admin\AppData\Local\Temp\3501e786be4bd0373ffb6c26400aa5b8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\3501e786be4bd0373ffb6c26400aa5b8.exe
  "C:\Users\Admin\AppData\Local\Temp\3501e786be4bd0373ffb6c26400aa5b8.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2900-4-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-6-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-7-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-8-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-9-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-10-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-11-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-12-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-13-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-14-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-15-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-16-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-18-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-19-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-20-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-24-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-25-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-26-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-29-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-30-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-31-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-35-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-36-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-37-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads