bitrat | 2a2b320e2b0c6eb5cee277f322938feb883dc9af94c3db75afb9905cbf1c473d

General

Target

68da50b47b7350bb7b4a36a4e11fcff4.exe
Size

4.4MB
MD5

68da50b47b7350bb7b4a36a4e11fcff4
SHA1

2e9ce8293812f916a1b457bfd8d0ef4cb82ca24e
SHA256

2a2b320e2b0c6eb5cee277f322938feb883dc9af94c3db75afb9905cbf1c473d
SHA512

9b63ea8764b82776a408075290ceefb3666e3c69bddb9a487f43327e2b22cccc3b7d75bcffbd53f3c3967f4197ad0d1b233f3ed5db6125bd8b440cd0eabc30c8
SSDEEP

98304:vcZtS2zFA6p8m4aB7Dcy5Yf0OCnLvx803lL0OHOfH5RQKQIiYfbHgdJUDD:eS2zFAdK0FcnvW03yOHOfH5RQKQIiYf/

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

8.208.27.150:4550

Attributes

communication_password
9996535e07258a7bbfd8b132435c5962
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

68da50b47b7350bb7b4a36a4e11fcff4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	68da50b47b7350bb7b4a36a4e11fcff4.exe

Executes dropped EXE 1 IoCs

Processes:

PcSafety.exe

pid process

1908 PcSafety.exe

pid	process
1908	PcSafety.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

68da50b47b7350bb7b4a36a4e11fcff4.exePcSafety.exe

description	pid	process	target process
PID 1312 set thread context of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	RegAsm.exe
PID 1908 set thread context of 3844	1908	PcSafety.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3576 4588 WerFault.exe RegAsm.exe
1592 3844 WerFault.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3624 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

68da50b47b7350bb7b4a36a4e11fcff4.exePcSafety.exe

description pid process

Token: SeDebugPrivilege 1312 68da50b47b7350bb7b4a36a4e11fcff4.exe
Token: SeDebugPrivilege 1908 PcSafety.exe

pid	pid_target	process	target process
3576	4588	WerFault.exe	RegAsm.exe
1592	3844	WerFault.exe	RegAsm.exe

pid	process
3624	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe
Token: SeDebugPrivilege	1908	PcSafety.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

68da50b47b7350bb7b4a36a4e11fcff4.execmd.exePcSafety.exe

description	pid	process	target process
PID 1312 wrote to memory of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	RegAsm.exe
PID 1312 wrote to memory of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	RegAsm.exe
PID 1312 wrote to memory of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	RegAsm.exe
PID 1312 wrote to memory of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	RegAsm.exe
PID 1312 wrote to memory of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	RegAsm.exe
PID 1312 wrote to memory of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	RegAsm.exe
PID 1312 wrote to memory of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	RegAsm.exe
PID 1312 wrote to memory of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	RegAsm.exe
PID 1312 wrote to memory of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	RegAsm.exe
PID 1312 wrote to memory of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	RegAsm.exe
PID 1312 wrote to memory of 4588	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	RegAsm.exe
PID 1312 wrote to memory of 4940	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	cmd.exe
PID 1312 wrote to memory of 4940	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	cmd.exe
PID 1312 wrote to memory of 4940	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	cmd.exe
PID 1312 wrote to memory of 2240	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	cmd.exe
PID 1312 wrote to memory of 2240	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	cmd.exe
PID 1312 wrote to memory of 2240	1312	68da50b47b7350bb7b4a36a4e11fcff4.exe	cmd.exe
PID 4940 wrote to memory of 3624	4940	cmd.exe	schtasks.exe
PID 4940 wrote to memory of 3624	4940	cmd.exe	schtasks.exe
PID 4940 wrote to memory of 3624	4940	cmd.exe	schtasks.exe
PID 1908 wrote to memory of 3844	1908	PcSafety.exe	RegAsm.exe
PID 1908 wrote to memory of 3844	1908	PcSafety.exe	RegAsm.exe
PID 1908 wrote to memory of 3844	1908	PcSafety.exe	RegAsm.exe
PID 1908 wrote to memory of 3844	1908	PcSafety.exe	RegAsm.exe
PID 1908 wrote to memory of 3844	1908	PcSafety.exe	RegAsm.exe
PID 1908 wrote to memory of 3844	1908	PcSafety.exe	RegAsm.exe
PID 1908 wrote to memory of 3844	1908	PcSafety.exe	RegAsm.exe
PID 1908 wrote to memory of 3844	1908	PcSafety.exe	RegAsm.exe
PID 1908 wrote to memory of 3844	1908	PcSafety.exe	RegAsm.exe
PID 1908 wrote to memory of 3844	1908	PcSafety.exe	RegAsm.exe
PID 1908 wrote to memory of 3844	1908	PcSafety.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\68da50b47b7350bb7b4a36a4e11fcff4.exe
"C:\Users\Admin\AppData\Local\Temp\68da50b47b7350bb7b4a36a4e11fcff4.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 540
3⤵
- Program crash
PID:3576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\PcSafety\PcSafety.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\PcSafety\PcSafety.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\68da50b47b7350bb7b4a36a4e11fcff4.exe" "C:\Users\Admin\AppData\Local\Temp\PcSafety\PcSafety.exe"
2⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4588 -ip 4588
1⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\PcSafety\PcSafety.exe
C:\Users\Admin\AppData\Local\Temp\PcSafety\PcSafety.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 200
3⤵
- Program crash
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3844 -ip 3844
1⤵
PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PcSafety\PcSafety.exe
Filesize
1.7MB

MD5
55427007b8a27223d51e520fa2e97550

SHA1
edd880812f0a1cea2b95318a01f9e228161f6926

SHA256
aa29d6c32b1e78a47220e36d81f7f9de8cb38bef6d71eae0c960ebc988f84f33

SHA512
43aa90e75b5430b98162ae43638a6b1d6c478933c0bc0e7d4b6378aab882f03f79640ebb3ef3e631c24cfe888349e70c562422f2c04fc2853b42a19054467b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PcSafety\PcSafety.exe
Filesize
1.8MB

MD5
f6ef61165c1333ddd3c946190e7e2481

SHA1
69fd156e42540c2d06a3e6ffe0649aab9909f5c5

SHA256
998680856198efed338e013ee350866f221a3d3e669deb898ce0fc63a02e17f4

SHA512
38b35db6e3388c2462dcd6836c5cdd82d33cf2e5923b5b8b29a3ec2f1304cab20a2379b1809c6503a3060965a08f05b43e6f626aeb32ad2ce22dffb67c22d446

Download Submit
memory/1312-5-0x00000000059A0000-0x00000000059B0000-memory.dmp

Filesize
64KB

Download
memory/1312-1-0x0000000000D60000-0x00000000011D2000-memory.dmp

Filesize
4.4MB

Download
memory/1312-4-0x00000000059B0000-0x0000000005A42000-memory.dmp

Filesize
584KB

Download
memory/1312-0-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/1312-6-0x0000000005920000-0x000000000592A000-memory.dmp

Filesize
40KB

Download
memory/1312-3-0x0000000005F60000-0x0000000006504000-memory.dmp

Filesize
5.6MB

Download
memory/1312-2-0x0000000005820000-0x0000000005886000-memory.dmp

Filesize
408KB

Download
memory/1312-21-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/1312-19-0x00000000059A0000-0x00000000059B0000-memory.dmp

Filesize
64KB

Download
memory/1312-18-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/1908-26-0x00000000001B0000-0x0000000000622000-memory.dmp

Filesize
4.4MB

Download
memory/1908-27-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/1908-28-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3844-34-0x0000000000B90000-0x0000000000F5E000-memory.dmp

Filesize
3.8MB

Download
memory/3844-38-0x0000000000B90000-0x0000000000F5E000-memory.dmp

Filesize
3.8MB

Download
memory/3844-39-0x0000000000B90000-0x0000000000F5E000-memory.dmp

Filesize
3.8MB

Download
memory/4588-17-0x0000000000810000-0x0000000000BDE000-memory.dmp

Filesize
3.8MB

Download
memory/4588-16-0x0000000000810000-0x0000000000BDE000-memory.dmp

Filesize
3.8MB

Download
memory/4588-12-0x0000000000810000-0x0000000000BDE000-memory.dmp

Filesize
3.8MB

Download
memory/4588-8-0x0000000000810000-0x0000000000BDE000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads