bitrat | af7800b9d14d41db33e7aeb100aac52bcae40bd7dfa2f151ffb4e76e810ea965

General

Target

284445efc60c1a68e8199c7dc675ff82.exe
Size

2.5MB
MD5

284445efc60c1a68e8199c7dc675ff82
SHA1

60655a314c86993deefa9d9f7eec64341168e9e1
SHA256

af7800b9d14d41db33e7aeb100aac52bcae40bd7dfa2f151ffb4e76e810ea965
SHA512

c30e62a1f3121d6d1d10d292389e6ac476f1e5f4a88a8bafc0a06069ddc12b0081ba15e10989e74b87540e24805b776967db912663dc59110d671b88ca521d13
SSDEEP

49152:m8459zztzzKoPfxsNIcv+xltSiK0rXw5hn360bURtRY26YS+WhfFzMwDPwRVuf2s:mD9zztzzKoxs6cmxfSMkd3GDGvWsfPX

Score

10^/10

bitrat evasion trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

dopeonlineforwarding.xyz:6620

Attributes

communication_password
d74a214501c1c40b2c77e995082f3587
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/4020-24-0x00000000027E0000-0x00000000027F2000-memory.dmp	CustAttr

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

adodbe.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions adodbe.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

adodbe.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools adodbe.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	adodbe.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	adodbe.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

adodbe.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	adodbe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	adodbe.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

284445efc60c1a68e8199c7dc675ff82.exeadodbe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	284445efc60c1a68e8199c7dc675ff82.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	adodbe.exe

Executes dropped EXE 3 IoCs

Processes:

adodbe.exeadodbe.exeadodbe.exe

pid process

4020 adodbe.exe
3928 adodbe.exe
4776 adodbe.exe

pid	process
4020	adodbe.exe
3928	adodbe.exe
4776	adodbe.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4776-36-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4776-38-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4776-40-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4776-42-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4776-41-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4776-48-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4776-49-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4776-51-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4776-52-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4776-50-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4776-47-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4776-46-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4776-55-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4776-54-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4776-75-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4776-81-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/4776-84-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

adodbe.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	adodbe.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	adodbe.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

adodbe.exe

pid process

4776 adodbe.exe
4776 adodbe.exe
4776 adodbe.exe
4776 adodbe.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

adodbe.exe

description pid process target process

PID 4020 set thread context of 4776 4020 adodbe.exe adodbe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4620 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

adodbe.exe

pid process

4020 adodbe.exe
4020 adodbe.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

adodbe.exeadodbe.exe

description pid process

Token: SeDebugPrivilege 4020 adodbe.exe
Token: SeShutdownPrivilege 4776 adodbe.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

adodbe.exe

pid process

4776 adodbe.exe
4776 adodbe.exe

pid	process
4776	adodbe.exe
4776	adodbe.exe
4776	adodbe.exe
4776	adodbe.exe

description	pid	process	target process
PID 4020 set thread context of 4776	4020	adodbe.exe	adodbe.exe

pid	process
4620	schtasks.exe

pid	process
4020	adodbe.exe
4020	adodbe.exe

description	pid	process
Token: SeDebugPrivilege	4020	adodbe.exe
Token: SeShutdownPrivilege	4776	adodbe.exe

pid	process
4776	adodbe.exe
4776	adodbe.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

284445efc60c1a68e8199c7dc675ff82.exeadodbe.exe

description	pid	process	target process
PID 3412 wrote to memory of 4020	3412	284445efc60c1a68e8199c7dc675ff82.exe	adodbe.exe
PID 3412 wrote to memory of 4020	3412	284445efc60c1a68e8199c7dc675ff82.exe	adodbe.exe
PID 3412 wrote to memory of 4020	3412	284445efc60c1a68e8199c7dc675ff82.exe	adodbe.exe
PID 4020 wrote to memory of 4620	4020	adodbe.exe	schtasks.exe
PID 4020 wrote to memory of 4620	4020	adodbe.exe	schtasks.exe
PID 4020 wrote to memory of 4620	4020	adodbe.exe	schtasks.exe
PID 4020 wrote to memory of 3928	4020	adodbe.exe	adodbe.exe
PID 4020 wrote to memory of 3928	4020	adodbe.exe	adodbe.exe
PID 4020 wrote to memory of 3928	4020	adodbe.exe	adodbe.exe
PID 4020 wrote to memory of 4776	4020	adodbe.exe	adodbe.exe
PID 4020 wrote to memory of 4776	4020	adodbe.exe	adodbe.exe
PID 4020 wrote to memory of 4776	4020	adodbe.exe	adodbe.exe
PID 4020 wrote to memory of 4776	4020	adodbe.exe	adodbe.exe
PID 4020 wrote to memory of 4776	4020	adodbe.exe	adodbe.exe
PID 4020 wrote to memory of 4776	4020	adodbe.exe	adodbe.exe
PID 4020 wrote to memory of 4776	4020	adodbe.exe	adodbe.exe

C:\Users\Admin\AppData\Local\Temp\284445efc60c1a68e8199c7dc675ff82.exe
"C:\Users\Admin\AppData\Local\Temp\284445efc60c1a68e8199c7dc675ff82.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3412

C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe"
2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NWKQwZWIgp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2AF3.tmp"
3⤵
- Creates scheduled task(s)
PID:4620

C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe"
3⤵
- Executes dropped EXE
PID:3928

C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
Filesize
225KB

MD5
b9c43675214feb8eee3905b1d67e3a12

SHA1
758c80bb103328669f35312412f5fc356ad8ee0a

SHA256
bff6af2eb48e5cbef4de28e1ef9cdc7ba1d064f0853f18b3efc65451b95fef2e

SHA512
242cb81ead030cc2b9f4eeaaeff5bae1fe334057beeb508490b7638e836781687cc99d5e5b4003d99c2193a67864b346a010c2bb0adf1b347262de1b58d7024e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
Filesize
86KB

MD5
7c0139bf6a8e0131752f38782182c23a

SHA1
9625a6b49eb53d5715b36a042d915b313804278d

SHA256
59b518a6dc80807a946ea03060564e2a65a1bcb6f9bea330f2ab6193b778ffa4

SHA512
a97a5eac2ac63997a3d8a96c9cb32933715cd66d97a976d37b58303dde910c5bb15370edd6f1bc9b04059d29f4a6b62d18dbf4688734649585729bae4a2e99d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
Filesize
250KB

MD5
e710ceb1263b6a56c696f9479ded7f19

SHA1
77abad6024de365ec81dd51f00e52f76f7060c65

SHA256
48a502f1114e099bbca29a4e66f7f7cc763c76229ca4235756ed5bc916c14c4c

SHA512
396055953adccfdbcf0340942a53bcc490e8a3ade991e73928e964b663fc0d72cd4c80e1f7cbab39d7996b10e1088732ccf8ab09b7782e1e5af22948c83dcb3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\adodbe.exe
Filesize
322KB

MD5
16a68ea7e49b670650501b509671a2ad

SHA1
787221290dd5159d0800cdd68ce8c6a89172dc1e

SHA256
80a4708485e5ef7a9846ed962a6bbfbfcf363e6ae367f67a39ead6a57cd879fe

SHA512
c7d9980b379cc3faa4e77833cb23fe0707ddefe3f4470796c2716f06e5aa48dfebf7fd51dc841432c5c9f7a96a4b62ec2dabe6f0d93c340d288e2b5377946058

Download Submit
memory/4020-17-0x0000000073150000-0x0000000073900000-memory.dmp

Filesize
7.7MB

Download
memory/4020-16-0x00000000002A0000-0x0000000000566000-memory.dmp

Filesize
2.8MB

Download
memory/4020-18-0x00000000073F0000-0x000000000748C000-memory.dmp

Filesize
624KB

Download
memory/4020-19-0x0000000007A40000-0x0000000007FE4000-memory.dmp

Filesize
5.6MB

Download
memory/4020-20-0x0000000007530000-0x00000000075C2000-memory.dmp

Filesize
584KB

Download
memory/4020-21-0x0000000007500000-0x0000000007510000-memory.dmp

Filesize
64KB

Download
memory/4020-22-0x00000000074D0000-0x00000000074DA000-memory.dmp

Filesize
40KB

Download
memory/4020-23-0x0000000007740000-0x0000000007796000-memory.dmp

Filesize
344KB

Download
memory/4020-24-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/4020-25-0x0000000073150000-0x0000000073900000-memory.dmp

Filesize
7.7MB

Download
memory/4020-26-0x0000000007500000-0x0000000007510000-memory.dmp

Filesize
64KB

Download
memory/4020-27-0x00000000057D0000-0x0000000005990000-memory.dmp

Filesize
1.8MB

Download
memory/4020-28-0x00000000059B0000-0x0000000005B28000-memory.dmp

Filesize
1.5MB

Download
memory/4020-29-0x0000000005BC0000-0x0000000005C26000-memory.dmp

Filesize
408KB

Download
memory/4020-43-0x0000000073150000-0x0000000073900000-memory.dmp

Filesize
7.7MB

Download
memory/4776-36-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-38-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-40-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-42-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-41-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-44-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-45-0x0000000073750000-0x0000000073789000-memory.dmp

Filesize
228KB

Download
memory/4776-48-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-49-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-51-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-52-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-53-0x00000000736C0000-0x00000000736F9000-memory.dmp

Filesize
228KB

Download
memory/4776-50-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-47-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-46-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-55-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-56-0x0000000073410000-0x0000000073449000-memory.dmp

Filesize
228KB

Download
memory/4776-54-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-57-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-59-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-70-0x00000000756A0000-0x00000000756D9000-memory.dmp

Filesize
228KB

Download
memory/4776-58-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-71-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-72-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-73-0x00000000756A0000-0x00000000756D9000-memory.dmp

Filesize
228KB

Download
memory/4776-74-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-75-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-76-0x00000000756A0000-0x00000000756D9000-memory.dmp

Filesize
228KB

Download
memory/4776-78-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-79-0x00000000756A0000-0x00000000756D9000-memory.dmp

Filesize
228KB

Download
memory/4776-77-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-80-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-81-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-82-0x00000000756A0000-0x00000000756D9000-memory.dmp

Filesize
228KB

Download
memory/4776-83-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-84-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4776-85-0x00000000756A0000-0x00000000756D9000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads