bitrat | 2a2b320e2b0c6eb5cee277f322938feb883dc9af94c3db75afb9905cbf1c473d

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68da50b47b7350bb7b4a36a4e11fcff4.exe
Size

4.4MB
MD5

68da50b47b7350bb7b4a36a4e11fcff4
SHA1

2e9ce8293812f916a1b457bfd8d0ef4cb82ca24e
SHA256

2a2b320e2b0c6eb5cee277f322938feb883dc9af94c3db75afb9905cbf1c473d
SHA512

9b63ea8764b82776a408075290ceefb3666e3c69bddb9a487f43327e2b22cccc3b7d75bcffbd53f3c3967f4197ad0d1b233f3ed5db6125bd8b440cd0eabc30c8
SSDEEP

98304:vcZtS2zFA6p8m4aB7Dcy5Yf0OCnLvx803lL0OHOfH5RQKQIiYfbHgdJUDD:eS2zFAdK0FcnvW03yOHOfH5RQKQIiYf/

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

8.208.27.150:4550

Attributes

communication_password
9996535e07258a7bbfd8b132435c5962
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	68da50b47b7350bb7b4a36a4e11fcff4.exe

Executes dropped EXE 1 IoCs

pid	Process
1908	PcSafety.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1312 set thread context of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	91
PID 1908 set thread context of 3844	1908	PcSafety.exe	118

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3576	4588	WerFault.exe	91
1592	3844	WerFault.exe	118

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3624	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe
Token: SeDebugPrivilege	1908	PcSafety.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	91
PID 1312 wrote to memory of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	91
PID 1312 wrote to memory of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	91
PID 1312 wrote to memory of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	91
PID 1312 wrote to memory of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	91
PID 1312 wrote to memory of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	91
PID 1312 wrote to memory of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	91
PID 1312 wrote to memory of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	91
PID 1312 wrote to memory of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	91
PID 1312 wrote to memory of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	91
PID 1312 wrote to memory of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	91
PID 1312 wrote to memory of 4940	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	112
PID 1312 wrote to memory of 4940	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	112
PID 1312 wrote to memory of 4940	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	112
PID 1312 wrote to memory of 2240	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	114
PID 1312 wrote to memory of 2240	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	114
PID 1312 wrote to memory of 2240	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	114
PID 4940 wrote to memory of 3624	4940	cmd.exe	116
PID 4940 wrote to memory of 3624	4940	cmd.exe	116
PID 4940 wrote to memory of 3624	4940	cmd.exe	116
PID 1908 wrote to memory of 3844	1908	PcSafety.exe	118
PID 1908 wrote to memory of 3844	1908	PcSafety.exe	118
PID 1908 wrote to memory of 3844	1908	PcSafety.exe	118
PID 1908 wrote to memory of 3844	1908	PcSafety.exe	118
PID 1908 wrote to memory of 3844	1908	PcSafety.exe	118
PID 1908 wrote to memory of 3844	1908	PcSafety.exe	118
PID 1908 wrote to memory of 3844	1908	PcSafety.exe	118
PID 1908 wrote to memory of 3844	1908	PcSafety.exe	118
PID 1908 wrote to memory of 3844	1908	PcSafety.exe	118
PID 1908 wrote to memory of 3844	1908	PcSafety.exe	118
PID 1908 wrote to memory of 3844	1908	PcSafety.exe	118

C:\Users\Admin\AppData\Local\Temp\68da50b47b7350bb7b4a36a4e11fcff4.exe
"C:\Users\Admin\AppData\Local\Temp\68da50b47b7350bb7b4a36a4e11fcff4.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 540
    3⤵
    - Program crash
    PID:3576
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\PcSafety\PcSafety.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\PcSafety\PcSafety.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:3624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\68da50b47b7350bb7b4a36a4e11fcff4.exe" "C:\Users\Admin\AppData\Local\Temp\PcSafety\PcSafety.exe"
  2⤵
  PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4588 -ip 4588
1⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\PcSafety\PcSafety.exe
C:\Users\Admin\AppData\Local\Temp\PcSafety\PcSafety.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 200
    3⤵
    - Program crash
    PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3844 -ip 3844
1⤵
PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PcSafety\PcSafety.exe

Filesize
1.7MB

MD5
55427007b8a27223d51e520fa2e97550

SHA1
edd880812f0a1cea2b95318a01f9e228161f6926

SHA256
aa29d6c32b1e78a47220e36d81f7f9de8cb38bef6d71eae0c960ebc988f84f33

SHA512
43aa90e75b5430b98162ae43638a6b1d6c478933c0bc0e7d4b6378aab882f03f79640ebb3ef3e631c24cfe888349e70c562422f2c04fc2853b42a19054467b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PcSafety\PcSafety.exe

Filesize
1.8MB

MD5
f6ef61165c1333ddd3c946190e7e2481

SHA1
69fd156e42540c2d06a3e6ffe0649aab9909f5c5

SHA256
998680856198efed338e013ee350866f221a3d3e669deb898ce0fc63a02e17f4

SHA512
38b35db6e3388c2462dcd6836c5cdd82d33cf2e5923b5b8b29a3ec2f1304cab20a2379b1809c6503a3060965a08f05b43e6f626aeb32ad2ce22dffb67c22d446

Download Submit
memory/1312-5-0x00000000059A0000-0x00000000059B0000-memory.dmp

Filesize
64KB

Download
memory/1312-1-0x0000000000D60000-0x00000000011D2000-memory.dmp

Filesize
4.4MB

Download
memory/1312-4-0x00000000059B0000-0x0000000005A42000-memory.dmp

Filesize
584KB

Download
memory/1312-0-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/1312-6-0x0000000005920000-0x000000000592A000-memory.dmp

Filesize
40KB

Download
memory/1312-3-0x0000000005F60000-0x0000000006504000-memory.dmp

Filesize
5.6MB

Download
memory/1312-2-0x0000000005820000-0x0000000005886000-memory.dmp

Filesize
408KB

Download
memory/1312-21-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/1312-19-0x00000000059A0000-0x00000000059B0000-memory.dmp

Filesize
64KB

Download
memory/1312-18-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/1908-26-0x00000000001B0000-0x0000000000622000-memory.dmp

Filesize
4.4MB

Download
memory/1908-27-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/1908-28-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3844-34-0x0000000000B90000-0x0000000000F5E000-memory.dmp

Filesize
3.8MB

Download
memory/3844-38-0x0000000000B90000-0x0000000000F5E000-memory.dmp

Filesize
3.8MB

Download
memory/3844-39-0x0000000000B90000-0x0000000000F5E000-memory.dmp

Filesize
3.8MB

Download
memory/4588-17-0x0000000000810000-0x0000000000BDE000-memory.dmp

Filesize
3.8MB

Download
memory/4588-16-0x0000000000810000-0x0000000000BDE000-memory.dmp

Filesize
3.8MB

Download
memory/4588-12-0x0000000000810000-0x0000000000BDE000-memory.dmp

Filesize
3.8MB

Download
memory/4588-8-0x0000000000810000-0x0000000000BDE000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads