bitrat | 317b32811ef46a4dec52e650315c82b5a5f867f49e5844bb11ed4e1f5281e6d9

General

Target

37b87bb801399002ce5109fa582512de.exe
Size

2.5MB
MD5

37b87bb801399002ce5109fa582512de
SHA1

d634ba38c689efef5c72f976b88b61e5bb78989a
SHA256

317b32811ef46a4dec52e650315c82b5a5f867f49e5844bb11ed4e1f5281e6d9
SHA512

fd066e3d8dd991dd78b0efeb09ce0bd4393dc234b82038ee3a22e6b64defa75fec6d54736fb9375a7e26773eb767f90c99b70e4f9a63c379d666a72f129823fd
SSDEEP

49152:kNoHMdmCm6Ud+zPXUk7GqCefc+dA1fh85ETksqhhiKOg8efG9CDNk3:kNosdmCmN+rE/D4PdUcEgnfiKOeDNS

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.35

C2

storage.nsupdate.info:8973

Attributes

communication_password
bf771c9d082071fe80b18bb678220682
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/2612-3-0x00000000003B0000-0x00000000003C2000-memory.dmp	CustAttr

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1792-37-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1792-46-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1792-49-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1792-51-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1792-47-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1792-45-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1792-42-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1792-55-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1792-59-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1792-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1792-60-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1792-56-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1792-58-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1792-64-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1792-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1792-65-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2896 schtasks.exe

pid	process
2896	schtasks.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

37b87bb801399002ce5109fa582512de.exe

description	pid	process	target process
PID 2612 wrote to memory of 1968	2612	37b87bb801399002ce5109fa582512de.exe	powershell.exe
PID 2612 wrote to memory of 1968	2612	37b87bb801399002ce5109fa582512de.exe	powershell.exe
PID 2612 wrote to memory of 1968	2612	37b87bb801399002ce5109fa582512de.exe	powershell.exe
PID 2612 wrote to memory of 1968	2612	37b87bb801399002ce5109fa582512de.exe	powershell.exe
PID 2612 wrote to memory of 1640	2612	37b87bb801399002ce5109fa582512de.exe	powershell.exe
PID 2612 wrote to memory of 1640	2612	37b87bb801399002ce5109fa582512de.exe	powershell.exe
PID 2612 wrote to memory of 1640	2612	37b87bb801399002ce5109fa582512de.exe	powershell.exe
PID 2612 wrote to memory of 1640	2612	37b87bb801399002ce5109fa582512de.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\37b87bb801399002ce5109fa582512de.exe
"C:\Users\Admin\AppData\Local\Temp\37b87bb801399002ce5109fa582512de.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\37b87bb801399002ce5109fa582512de.exe"
2⤵
PID:1968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uSZqfqgTOxUNw.exe"
2⤵
PID:1640

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uSZqfqgTOxUNw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1564.tmp"
2⤵
- Creates scheduled task(s)
PID:2896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uSZqfqgTOxUNw.exe"
2⤵
PID:2632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1564.tmp
Filesize
1KB

MD5
6eeedb28858c603a67cda6c91c7960d4

SHA1
77232be093134f309c912bf1273e930835414188

SHA256
3c664022c55d946d58b0024e31855dcbc3504673aa09a157894cc67a6e10ec26

SHA512
ccf408e6f84c456ffc4d0440f74e7f84c66fc51df82fe77864448b961b3abe8451ed1a679153c06f245db9c969611152ba78f0d71f2b4df4f47e355d953bc8e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
d731ddadd6f6f76f612c09ff9c896789

SHA1
cc45d50bb555fe38d647962ac3a878e4d1cf6287

SHA256
d3553b2a2fc37faf3f836ac13af87916126fa62ddb65b384290b040e868eda1e

SHA512
9061d9f6e7f8b02145efba5aaecaa2aa8ac76c8ec83b1de8fc0d6f25e50191c6f01218f983529ac6b8a635e72d05363eedf5686c395285a6f5c922662fa041cb

Download Submit
memory/1640-53-0x000000006E730000-0x000000006ECDB000-memory.dmp

Filesize
5.7MB

Download
memory/1640-39-0x0000000002910000-0x0000000002950000-memory.dmp

Filesize
256KB

Download
memory/1640-38-0x000000006E730000-0x000000006ECDB000-memory.dmp

Filesize
5.7MB

Download
memory/1640-23-0x0000000002910000-0x0000000002950000-memory.dmp

Filesize
256KB

Download
memory/1640-21-0x000000006E730000-0x000000006ECDB000-memory.dmp

Filesize
5.7MB

Download
memory/1792-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-49-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-75-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-58-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-74-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-73-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-59-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-55-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-31-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-72-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-71-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-68-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-37-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-69-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-46-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-56-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-51-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-67-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-47-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-45-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-65-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-64-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-42-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1792-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1792-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1968-52-0x000000006E730000-0x000000006ECDB000-memory.dmp

Filesize
5.7MB

Download
memory/1968-30-0x0000000000540000-0x0000000000580000-memory.dmp

Filesize
256KB

Download
memory/1968-29-0x000000006E730000-0x000000006ECDB000-memory.dmp

Filesize
5.7MB

Download
memory/1968-28-0x0000000000540000-0x0000000000580000-memory.dmp

Filesize
256KB

Download
memory/1968-20-0x000000006E730000-0x000000006ECDB000-memory.dmp

Filesize
5.7MB

Download
memory/2612-3-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2612-7-0x0000000006070000-0x00000000061EC000-memory.dmp

Filesize
1.5MB

Download
memory/2612-6-0x0000000005EB0000-0x0000000006076000-memory.dmp

Filesize
1.8MB

Download
memory/2612-5-0x00000000051F0000-0x0000000005230000-memory.dmp

Filesize
256KB

Download
memory/2612-4-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2612-1-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2612-50-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2612-0-0x0000000000C20000-0x0000000000EA0000-memory.dmp

Filesize
2.5MB

Download
memory/2612-2-0x00000000051F0000-0x0000000005230000-memory.dmp

Filesize
256KB

Download
memory/2632-41-0x000000006E730000-0x000000006ECDB000-memory.dmp

Filesize
5.7MB

Download
memory/2632-34-0x000000006E730000-0x000000006ECDB000-memory.dmp

Filesize
5.7MB

Download
memory/2632-32-0x0000000002980000-0x00000000029C0000-memory.dmp

Filesize
256KB

Download
memory/2632-54-0x000000006E730000-0x000000006ECDB000-memory.dmp

Filesize
5.7MB

Download
memory/2632-36-0x0000000002980000-0x00000000029C0000-memory.dmp

Filesize
256KB

Download
memory/2632-35-0x0000000002980000-0x00000000029C0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads