bitrat | 87fbd9577039b209cd0ce825d1c79aad0def611625b737fa3abe70802da4d6f4

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04436c72506d84210a597c57880dbe3e.exe
Size

1.4MB
MD5

04436c72506d84210a597c57880dbe3e
SHA1

d77bf018b1fa76215f2ca680e4cf25ad034eb271
SHA256

87fbd9577039b209cd0ce825d1c79aad0def611625b737fa3abe70802da4d6f4
SHA512

4dcfcc70d77c0fcf0fc74622f37cd176f0130bf8158330a6588d6c4c5bfcafc082dd003d514a10bbb01b12af575a3558d6255e65fd6ca90204e886d3f6a92064
SSDEEP

24576:wndRKZCy2BrhCeU2i2cJijFbCBTPmiY05tJMSQp5ysA7Yg1nLkzommfL1fyWsiw:yXDFBU2iIBb0xY/6sUYY+wpI

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

80.209.229.141:4898

Attributes

communication_password
202cb962ac59075b964b07152d234b70
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4920-0-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4920-3-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4920-6-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4920-11-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4920-15-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4920-20-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4920	04436c72506d84210a597c57880dbe3e.exe
4920	04436c72506d84210a597c57880dbe3e.exe
4920	04436c72506d84210a597c57880dbe3e.exe
4920	04436c72506d84210a597c57880dbe3e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4920	04436c72506d84210a597c57880dbe3e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4920	04436c72506d84210a597c57880dbe3e.exe
4920	04436c72506d84210a597c57880dbe3e.exe

C:\Users\Admin\AppData\Local\Temp\04436c72506d84210a597c57880dbe3e.exe
"C:\Users\Admin\AppData\Local\Temp\04436c72506d84210a597c57880dbe3e.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4920-0-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4920-1-0x0000000074C20000-0x0000000074C59000-memory.dmp

Filesize
228KB

Download
memory/4920-2-0x0000000074FC0000-0x0000000074FF9000-memory.dmp

Filesize
228KB

Download
memory/4920-3-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4920-5-0x0000000074FC0000-0x0000000074FF9000-memory.dmp

Filesize
228KB

Download
memory/4920-6-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4920-10-0x0000000074FC0000-0x0000000074FF9000-memory.dmp

Filesize
228KB

Download
memory/4920-11-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4920-14-0x0000000074FC0000-0x0000000074FF9000-memory.dmp

Filesize
228KB

Download
memory/4920-15-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4920-19-0x0000000074FC0000-0x0000000074FF9000-memory.dmp

Filesize
228KB

Download
memory/4920-20-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download