bitrat | af7800b9d14d41db33e7aeb100aac52bcae40bd7dfa2f151ffb4e76e810ea965

Analysis

max time kernel
147s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

284445efc60c1a68e8199c7dc675ff82.exe
Size

2.5MB
MD5

284445efc60c1a68e8199c7dc675ff82
SHA1

60655a314c86993deefa9d9f7eec64341168e9e1
SHA256

af7800b9d14d41db33e7aeb100aac52bcae40bd7dfa2f151ffb4e76e810ea965
SHA512

c30e62a1f3121d6d1d10d292389e6ac476f1e5f4a88a8bafc0a06069ddc12b0081ba15e10989e74b87540e24805b776967db912663dc59110d671b88ca521d13
SSDEEP

49152:m8459zztzzKoPfxsNIcv+xltSiK0rXw5hn360bURtRY26YS+WhfFzMwDPwRVuf2s:mD9zztzzKoxs6cmxfSMkd3GDGvWsfPX

Score

10^/10

bitrat evasion trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

dopeonlineforwarding.xyz:6620

Attributes

communication_password
d74a214501c1c40b2c77e995082f3587
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/2872-23-0x00000000002C0000-0x00000000002D2000-memory.dmp	CustAttr

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

adodbe.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions adodbe.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

adodbe.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools adodbe.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	adodbe.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	adodbe.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

adodbe.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	adodbe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	adodbe.exe

Executes dropped EXE 2 IoCs

Processes:

adodbe.exeadodbe.exe

pid process

2872 adodbe.exe
1188 adodbe.exe

pid	process
2872	adodbe.exe
1188	adodbe.exe

Loads dropped DLL 5 IoCs

Processes:

284445efc60c1a68e8199c7dc675ff82.exeadodbe.exe

pid	process
2160	284445efc60c1a68e8199c7dc675ff82.exe
2160	284445efc60c1a68e8199c7dc675ff82.exe
2160	284445efc60c1a68e8199c7dc675ff82.exe
2160	284445efc60c1a68e8199c7dc675ff82.exe
2872	adodbe.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1188-34-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1188-36-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1188-41-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1188-42-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1188-43-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1188-44-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1188-39-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1188-46-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1188-47-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1188-48-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1188-49-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1188-50-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1188-53-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1188-54-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1188-55-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1188-56-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1188-60-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1188-59-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1188-61-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1188-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1188-64-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1188-65-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

adodbe.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	adodbe.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	adodbe.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

adodbe.exe

pid process

1188 adodbe.exe
1188 adodbe.exe
1188 adodbe.exe
1188 adodbe.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

adodbe.exe

description pid process target process

PID 2872 set thread context of 1188 2872 adodbe.exe adodbe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1140 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

adodbe.exe

description pid process

Token: SeDebugPrivilege 1188 adodbe.exe
Token: SeShutdownPrivilege 1188 adodbe.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1760 DllHost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

adodbe.exe

pid process

1188 adodbe.exe
1188 adodbe.exe

pid	process
1188	adodbe.exe
1188	adodbe.exe
1188	adodbe.exe
1188	adodbe.exe

description	pid	process	target process
PID 2872 set thread context of 1188	2872	adodbe.exe	adodbe.exe

pid	process
1140	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1188	adodbe.exe
Token: SeShutdownPrivilege	1188	adodbe.exe

pid	process
1760	DllHost.exe

pid	process
1188	adodbe.exe
1188	adodbe.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

284445efc60c1a68e8199c7dc675ff82.exeadodbe.exe

description	pid	process	target process
PID 2160 wrote to memory of 2872	2160	284445efc60c1a68e8199c7dc675ff82.exe	adodbe.exe
PID 2160 wrote to memory of 2872	2160	284445efc60c1a68e8199c7dc675ff82.exe	adodbe.exe
PID 2160 wrote to memory of 2872	2160	284445efc60c1a68e8199c7dc675ff82.exe	adodbe.exe
PID 2160 wrote to memory of 2872	2160	284445efc60c1a68e8199c7dc675ff82.exe	adodbe.exe
PID 2872 wrote to memory of 1140	2872	adodbe.exe	schtasks.exe
PID 2872 wrote to memory of 1140	2872	adodbe.exe	schtasks.exe
PID 2872 wrote to memory of 1140	2872	adodbe.exe	schtasks.exe
PID 2872 wrote to memory of 1140	2872	adodbe.exe	schtasks.exe
PID 2872 wrote to memory of 1188	2872	adodbe.exe	adodbe.exe
PID 2872 wrote to memory of 1188	2872	adodbe.exe	adodbe.exe
PID 2872 wrote to memory of 1188	2872	adodbe.exe	adodbe.exe
PID 2872 wrote to memory of 1188	2872	adodbe.exe	adodbe.exe
PID 2872 wrote to memory of 1188	2872	adodbe.exe	adodbe.exe
PID 2872 wrote to memory of 1188	2872	adodbe.exe	adodbe.exe
PID 2872 wrote to memory of 1188	2872	adodbe.exe	adodbe.exe
PID 2872 wrote to memory of 1188	2872	adodbe.exe	adodbe.exe

C:\Users\Admin\AppData\Local\Temp\284445efc60c1a68e8199c7dc675ff82.exe
"C:\Users\Admin\AppData\Local\Temp\284445efc60c1a68e8199c7dc675ff82.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160

C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe"
2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NWKQwZWIgp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp60C6.tmp"
3⤵
- Creates scheduled task(s)
PID:1140

C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1188

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
Filesize
3KB

MD5
af3d4381fa6eaeffe2c54f78b003f57f

SHA1
f308f5b4961e1cba6db7beb1134d71572511f1c4

SHA256
cfdd28f49defe1c453c293a358c49e31b4ffabaa0b5bc9577f5f4017e24a2366

SHA512
7f52dcc1860b2d908b05ef31579f0b7cb4b9c4cbe1093141f08f06a82d6a3c371a99823d6c4c67362059f8eb6f5f3346f4a971536df7aa4a0c0fc20517b40042

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
Filesize
136KB

MD5
2a9b07139d784cd54448d5eb84a7d06a

SHA1
d8435f8bf3f567257575320b13a3445fefc8d671

SHA256
41ceb02889a99c8ac40f1105fbf8228d486a1f7d11360843e35e8d817cf0409a

SHA512
721d7a257e9202b81d6157fda996cdc8cfe7d15c032b5aa63b8d90e21eb4d5f1a3a36cdd602b4031808006f5c3e8a88ecf53be79ab61bcb3f7bbc1954790ef4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
Filesize
413KB

MD5
d181ff5aec9a044393a68195b546af4b

SHA1
85475281b629ee54a50088e31d8af7eba5ce04fd

SHA256
c55cf78c264c90f66b91f2912464ac37a47c9eec5c353fccaf930a49efc083f9

SHA512
af294ca7b2c3f12d3134402ed047e03e218d551198b4f9375c22889d2871461a2391e68059292459dccddc078fea48ce2d0b4d88a314dea9436d0191574a60c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pic22.jpg
Filesize
8KB

MD5
1722fcaba27b2d9914bb4a41c2ac0ed3

SHA1
afc7bc349390e4ae1cdf874b7746b3f5913fcb3e

SHA256
130b45d775805140a6efcb9564e46e3e31646975552dad46e25cee570e81178a

SHA512
2cd1f285336ae8904991474a61e8d8ecdfa04bd2288a0e4c59e03943826c1172b4e7a0c5b76dc7514b3d5e9e20a13b845e16949a83b9b4e79b90f28573419baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp60C6.tmp
Filesize
1KB

MD5
e44e6f62d139ccfbff110c20cd93b5d8

SHA1
20228a78018b72b79cdb4b5732c4785e4ac19113

SHA256
837b1d657d5cbd75f745058bc31fa7c29b54dbc0ad94114f43d8231147e7822c

SHA512
8b6b834a214054dee682d73fcff367fd7912896f8684d8ca6c64f38a7b2c829a99c06704215b9206b058eb4a3f10a2f4749ff4d0597da3975465ed4fdfec8562

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
Filesize
95KB

MD5
d55dfc28936c01fd24828e020fb09638

SHA1
5a6a5ed62b5e08a1d912d4e6ada56c507b66e8a6

SHA256
1fe09264314a583b9729f33d99d003b2e0260d73b6ef6df695113004ae54c3c5

SHA512
0278d0e8304ec26f44b19f560c9a7078471c59ded923aee7c258d6dc59e3e5710d13b97a51cdcacfd061deb04592db3beada42a1303000592c4eabcbf1da388a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
Filesize
93KB

MD5
08c20921e26030493a7e463aeb31ad96

SHA1
550449345925b4b6e788d600d0227c3cef0e230f

SHA256
ad00cefc8ae0017aeed7df7007496d459a310956c949488a53919d9115a25816

SHA512
43515493827a4177f270440b7ea0f0bb83d8975338ecae12f0dc0d2e94165254717aceb00de89b6dbb1d86bba62a8bbfce948bb1756522e8991c3fc23cb6c4e5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
Filesize
12KB

MD5
f6d64ba8683b71b45260489d9bdee8dc

SHA1
6ca1960f7bb4a6a5579de23695698239e59827ba

SHA256
36bad39554357cbf0ba4eca86d861812347f811849d50cd9ca140a3337342530

SHA512
20ec3c039d3e35a65360633e443aea7254943910cb45ef3e53e81786a1090a49d6e0b4b84e50ae06709e949e2697f13bb0a947edae5faa256b475028a7bd28a5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
Filesize
2.4MB

MD5
8e4021bbc655ee57cce94f9cbc6eca7b

SHA1
6aa0e7558bc6fba388e00c2491c4b461875f0a72

SHA256
d0ce52c1fd46e38e5e269fdc019d4c3c0900a88a7a4fed4c126c70c4a72798db

SHA512
34b139d00ec4aa4456b4c7ae96c5e5f021fcd47a3a677e6d65d94b3c7cfb5605447ea99a4285862b7db864b35098da884415a18b431999f3a101bc76ea3dd017

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
Filesize
1.0MB

MD5
687bce5c77630038a660ecb8bc85e4f2

SHA1
ffec56bd15011eef584af3334772466c829ea480

SHA256
9b68478ed1647e0bde439eff9da36fa4a7bd2837cd0392179f00db441b059deb

SHA512
aa573b094723900e93215b595f2f378d528c89db700d7cdf5fc5ccd62ebe688fc9d1e6a716591fa40901a196452c55cf7489a9364571a7b0b6ea59529b2924bb

Download Submit
memory/1188-53-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1188-47-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1188-65-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1188-64-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1188-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1188-33-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1188-34-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1188-36-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1188-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1188-41-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1188-42-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1188-43-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1188-61-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1188-44-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1188-39-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1188-59-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1188-46-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1188-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1188-48-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1188-49-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1188-50-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1188-56-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1188-55-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1188-54-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1760-52-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/1760-57-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1760-63-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2160-51-0x00000000024A0000-0x00000000024A2000-memory.dmp

Filesize
8KB

Download
memory/2872-21-0x00000000013D0000-0x0000000001696000-memory.dmp

Filesize
2.8MB

Download
memory/2872-20-0x0000000074250000-0x000000007493E000-memory.dmp

Filesize
6.9MB

Download
memory/2872-25-0x0000000005930000-0x0000000005AF0000-memory.dmp

Filesize
1.8MB

Download
memory/2872-45-0x0000000074250000-0x000000007493E000-memory.dmp

Filesize
6.9MB

Download
memory/2872-22-0x0000000000470000-0x00000000004B0000-memory.dmp

Filesize
256KB

Download
memory/2872-23-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2872-24-0x0000000074250000-0x000000007493E000-memory.dmp

Filesize
6.9MB

Download
memory/2872-26-0x0000000005AF0000-0x0000000005C68000-memory.dmp

Filesize
1.5MB

Download