bitrat | c21010f7c87e95f3df9c061e697437f5a165a194f69c88887ed36c6217b71d48

General

Target

2ef00e66804e808f9c5a4d6a1943cc8a.exe
Size

4.2MB
MD5

2ef00e66804e808f9c5a4d6a1943cc8a
SHA1

6c7a46a69ac5d3f32d047a14c8ce03c1a53ec3a5
SHA256

c21010f7c87e95f3df9c061e697437f5a165a194f69c88887ed36c6217b71d48
SHA512

01380f1fafd75cd33e413282019305f525c410a2939525babc4ef0d2b529bd12db7349f066724d9ad473ce41c5c5ecf83d9e7cab560c37fb149ac3e3b77afb5c
SSDEEP

98304:MosKQ+SGjJLHXW5ru4IufoXqXBEQzpPYKXsJuBfkL3O2s:Mos2SGj93wruGfoXqXBR8uBfL

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

snkno.duckdns.org:43413

Attributes

communication_password
827ccb0eea8a706c4c34a16891f84e7b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/4024-7-0x0000000005170000-0x0000000005182000-memory.dmp	CustAttr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1872 schtasks.exe

pid	process
1872	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\2ef00e66804e808f9c5a4d6a1943cc8a.exe
"C:\Users\Admin\AppData\Local\Temp\2ef00e66804e808f9c5a4d6a1943cc8a.exe"
1⤵
PID:4024

C:\Users\Admin\AppData\Local\Temp\2ef00e66804e808f9c5a4d6a1943cc8a.exe
"C:\Users\Admin\AppData\Local\Temp\2ef00e66804e808f9c5a4d6a1943cc8a.exe"
2⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\2ef00e66804e808f9c5a4d6a1943cc8a.exe
"C:\Users\Admin\AppData\Local\Temp\2ef00e66804e808f9c5a4d6a1943cc8a.exe"
2⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\2ef00e66804e808f9c5a4d6a1943cc8a.exe
"C:\Users\Admin\AppData\Local\Temp\2ef00e66804e808f9c5a4d6a1943cc8a.exe"
2⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\2ef00e66804e808f9c5a4d6a1943cc8a.exe
"C:\Users\Admin\AppData\Local\Temp\2ef00e66804e808f9c5a4d6a1943cc8a.exe"
2⤵
PID:2864

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrjKuutveP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpECA2.tmp"
2⤵
- Creates scheduled task(s)
PID:1872

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4024-21-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4024-2-0x0000000005D20000-0x00000000062C4000-memory.dmp

Filesize
5.6MB

Download
memory/4024-4-0x00000000058B0000-0x000000000594C000-memory.dmp

Filesize
624KB

Download
memory/4024-3-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download
memory/4024-0-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4024-5-0x0000000005AD0000-0x0000000005AE0000-memory.dmp

Filesize
64KB

Download
memory/4024-6-0x0000000005810000-0x000000000581A000-memory.dmp

Filesize
40KB

Download
memory/4024-7-0x0000000005170000-0x0000000005182000-memory.dmp

Filesize
72KB

Download
memory/4024-8-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4024-9-0x0000000005AD0000-0x0000000005AE0000-memory.dmp

Filesize
64KB

Download
memory/4024-10-0x000000000A160000-0x000000000A576000-memory.dmp

Filesize
4.1MB

Download
memory/4024-11-0x000000000A570000-0x000000000A93E000-memory.dmp

Filesize
3.8MB

Download
memory/4024-1-0x0000000000940000-0x0000000000D7E000-memory.dmp

Filesize
4.2MB

Download
memory/4264-29-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-36-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-18-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-20-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-24-0x00000000745E0000-0x0000000074619000-memory.dmp

Filesize
228KB

Download
memory/4264-23-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-25-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-30-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-32-0x00000000749E0000-0x0000000074A19000-memory.dmp

Filesize
228KB

Download
memory/4264-31-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-28-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-17-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-27-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-26-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-33-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-35-0x00000000749E0000-0x0000000074A19000-memory.dmp

Filesize
228KB

Download
memory/4264-34-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-22-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-37-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-39-0x00000000749E0000-0x0000000074A19000-memory.dmp

Filesize
228KB

Download
memory/4264-38-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-40-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-42-0x00000000749E0000-0x0000000074A19000-memory.dmp

Filesize
228KB

Download
memory/4264-41-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-44-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-45-0x00000000749E0000-0x0000000074A19000-memory.dmp

Filesize
228KB

Download
memory/4264-43-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-47-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-48-0x00000000749E0000-0x0000000074A19000-memory.dmp

Filesize
228KB

Download
memory/4264-46-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-50-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-49-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-53-0x00000000749E0000-0x0000000074A19000-memory.dmp

Filesize
228KB

Download
memory/4264-52-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4264-51-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads