bitrat | 437ad80eaa637caba6237c5ecb0b4d328bb8131a45905088b2441bdfa021b598

Analysis

max time kernel
54s
max time network
76s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69211520423fa18fde09eee360343412.exe
Size

6.5MB
MD5

69211520423fa18fde09eee360343412
SHA1

dba822c016a18500e40723c7e96fa0894f025d06
SHA256

437ad80eaa637caba6237c5ecb0b4d328bb8131a45905088b2441bdfa021b598
SHA512

3378bc9725b187e9ed5be3f775c88153cfe49f053a1b1d5d0cee3d056289a4afd7ee1bbef86d8be8b7e497a244f143a29a983f8cf701f8e46338b9f23569ba97
SSDEEP

98304:Ld5VJppwXSyo8skn3moI25UzSOVRBKrCqflZ+VJscvKgFl8jD:LBpOwu2t26uqRsnf2VXvD6j

Score

10^/10

bitrat trojan upx

Malware Config

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

ACProtect 1.3x - 1.4x DLL software 6 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libgcc_s_sjlj-1.dll	acprotect
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libwinpthread-1.dll	acprotect
C:\Users\Admin\AppData\Local\c3b89bbf\tor\zlib1.dll	acprotect
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssp-0.dll	acprotect
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssl-1_1.dll	acprotect
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libevent-2-1-6.dll	acprotect

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5104-102-0x0000000073F80000-0x0000000074048000-memory.dmp	upx
behavioral2/memory/5104-104-0x0000000073F00000-0x0000000073F24000-memory.dmp	upx
behavioral2/memory/5104-107-0x0000000073A90000-0x0000000073D5F000-memory.dmp	upx
behavioral2/memory/5104-113-0x0000000073D60000-0x0000000073DE8000-memory.dmp	upx
behavioral2/memory/5104-112-0x0000000074050000-0x000000007411E000-memory.dmp	upx
behavioral2/memory/5104-105-0x0000000073DF0000-0x0000000073EFA000-memory.dmp	upx
behavioral2/memory/5104-103-0x0000000073F30000-0x0000000073F79000-memory.dmp	upx
behavioral2/memory/5104-94-0x0000000000310000-0x0000000000714000-memory.dmp	upx
behavioral2/memory/5104-128-0x0000000073A90000-0x0000000073D5F000-memory.dmp	upx
behavioral2/memory/5104-123-0x0000000073F80000-0x0000000074048000-memory.dmp	upx
behavioral2/memory/5104-121-0x0000000000310000-0x0000000000714000-memory.dmp	upx
behavioral2/memory/5104-132-0x0000000000310000-0x0000000000714000-memory.dmp	upx
behavioral2/memory/5104-133-0x0000000000310000-0x0000000000714000-memory.dmp	upx
behavioral2/memory/5104-147-0x0000000000310000-0x0000000000714000-memory.dmp	upx
behavioral2/memory/5104-181-0x0000000000310000-0x0000000000714000-memory.dmp	upx
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libgcc_s_sjlj-1.dll	upx
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libwinpthread-1.dll	upx
C:\Users\Admin\AppData\Local\c3b89bbf\tor\zlib1.dll	upx
behavioral2/memory/2208-200-0x0000000073F80000-0x0000000074048000-memory.dmp	upx
behavioral2/memory/2208-205-0x0000000073DF0000-0x0000000073EFA000-memory.dmp	upx
behavioral2/memory/2208-207-0x0000000073D60000-0x0000000073DE8000-memory.dmp	upx
behavioral2/memory/2208-203-0x0000000073F00000-0x0000000073F24000-memory.dmp	upx
behavioral2/memory/2208-202-0x0000000073F30000-0x0000000073F79000-memory.dmp	upx
behavioral2/memory/2208-201-0x0000000074050000-0x000000007411E000-memory.dmp	upx
behavioral2/memory/2208-199-0x0000000073A90000-0x0000000073D5F000-memory.dmp	upx
behavioral2/memory/2208-198-0x0000000000310000-0x0000000000714000-memory.dmp	upx
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssp-0.dll	upx
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libevent-2-1-6.dll	upx
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

69211520423fa18fde09eee360343412.exe

description pid process

Token: SeDebugPrivilege 3356 69211520423fa18fde09eee360343412.exe

description	pid	process
Token: SeDebugPrivilege	3356	69211520423fa18fde09eee360343412.exe

C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe
"C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ukvcpgfl.vbs"
2⤵
PID:4212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrome\google\chrome.exe'
3⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe
C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe
2⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe
C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe
2⤵
PID:3256

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
3⤵
PID:5104

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc
3⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe
C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe
2⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe
C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe
2⤵
PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_Ukvcpgfl.vbs
Filesize
188B

MD5
92ed2795e0152284c6cc6486516b9cf6

SHA1
d1e81202222be31f6c3197259b8ad83107598743

SHA256
65167ec718a46e872471bac93f57104853afe7de650d8c0286750c140995c673

SHA512
43e537d0d69912ffb7a48abb3b60513db7b8a29279111660a09150aeac1237e8895c2362fbabdec4abccef74391e197bb29e303c7d23b13235f85acd38f92a67

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdesc-consensus.tmp
Filesize
17KB

MD5
b0eb45bcc1d4cc07a0e85d800632027d

SHA1
d074c572b684db4b41aef583a315d11ebd2ea17f

SHA256
c846036167d97912826a83a0976fd66ca4b034eb70316f77f30b4682295eaf1f

SHA512
01e75f00b205a06ee9cd817da0d9732e1b1045e7a6319f7976ad5a4accef09afe04d1094fcfa992103374fbf2400abda7ad7f103090f77907fd18c1252cfd550

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll
Filesize
92KB

MD5
0e959da0ee1d91809cff6a912bea97c0

SHA1
d055e9390d1dfcda415b3dee872d2e9e24728e48

SHA256
d355fdfd092ce8cf54554630c912564f2116db71a44bc3c7533dc112bea75f38

SHA512
e4ce340c1a5fb24396b0d761b6adfc31dbd0d3b6eb62cf3060ed2a327a57ae15bf0de7761a4a7b62c4b699468c8fba1041f06775412afe0a0dec67da27ecd016

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libevent-2-1-6.dll
Filesize
112KB

MD5
2b4a7a063c3298d996a8f16a95e79df7

SHA1
ac9a90076d4d6efc74d5e31ffc795f5561bc3fb8

SHA256
d6338b98149d2608f5dba45dcc5d234a747a7d9d215b8adf7fc41dc01bc5bc96

SHA512
777da2f95ff42fd6a37528e181a0c9e9ebad0476fd27f91e88438b1021aaff71c844a358d3438af4f5af1b52f44f37786385aff0d84d9560ef22ea73ef030802

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libgcc_s_sjlj-1.dll
Filesize
38KB

MD5
28d6e1d45404868e7c2ae8d821da1b32

SHA1
a14ce100692d469eca261c37e30999a64cb29a0f

SHA256
fad9491c560f70b324f3af59dc6b4c643d925fe921498ec24be17781e451ba61

SHA512
b19288484bdbacd09d4e274992538d6f93f1aad4241611db75c4f3bf0ff27d39b1c1cdd758d8a83cefb809d3f1da21db407f4b28ffd715e306943bc04d7b2143

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssl-1_1.dll
Filesize
91KB

MD5
ef5b7b6232ee4df2682cd09774d493fc

SHA1
5631b124ab37c36e88825daa95ab500b2011693f

SHA256
90fc022cdcb27b981ab7a226cc23e951ca5a0cf35c643b03b0edddb2b9d2f69a

SHA512
5fb8854a0d3b0758b844d8a3f340cb5c4f51bd03b236d06dce30cdb0b2248eb0629f8bb021f9f57b0e9e1c708411adf2b6f56cfc2daf8d8fcb2e89e57ec35210

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssp-0.dll
Filesize
44KB

MD5
376450eaef23cfea317aab29b82d7b64

SHA1
c18141dcd4c235920f35df0caf7bd34a45d197e6

SHA256
5c5df77f6b7b025050407155dda6fe4cfc0ff738b16816092e79be67b5f8074f

SHA512
53aa80de0d369b60df65ce729a70fc3d2d5446cfbdf4aaeefd1b1b9a5d06ce2cdb876bf5c9a95687d5376787889e29f61fd4d28f11e59a27596e9e30a53f659b

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\libwinpthread-1.dll
Filesize
92KB

MD5
48253da36ff619aa79072cc6188082df

SHA1
66d85b35fe301b4b688f35bc5808f54a40f653c2

SHA256
24d9b0dcf7daca724da11ab16db6be2131deff78b3e536c5078ce80c73acfe5b

SHA512
50af9724de9abc5d8ba14fc8afe9ada804e05acbbff3575b83071ae93396dcededd99b295376b482b841bc236ce6caa2ec22680d9ef0e8a5eada6ed3ec56d7d0

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\torrc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\c3b89bbf\tor\zlib1.dll
Filesize
52KB

MD5
add33041af894b67fe34e1dc819b7eb6

SHA1
6db46eb021855a587c95479422adcc774a272eeb

SHA256
8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183

SHA512
bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa

Download Submit
memory/1072-62-0x00000000079A0000-0x00000000079BA000-memory.dmp

Filesize
104KB

Download
memory/1072-16-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/1072-20-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/1072-31-0x0000000005E70000-0x00000000061C4000-memory.dmp

Filesize
3.3MB

Download
memory/1072-15-0x0000000002A10000-0x0000000002A46000-memory.dmp

Filesize
216KB

Download
memory/1072-13-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/1072-66-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/1072-60-0x0000000007880000-0x000000000788E000-memory.dmp

Filesize
56KB

Download
memory/1072-63-0x00000000078D0000-0x00000000078D8000-memory.dmp

Filesize
32KB

Download
memory/1072-19-0x00000000053F0000-0x0000000005456000-memory.dmp

Filesize
408KB

Download
memory/1072-38-0x0000000006350000-0x000000000639C000-memory.dmp

Filesize
304KB

Download
memory/1072-37-0x0000000006320000-0x000000000633E000-memory.dmp

Filesize
120KB

Download
memory/1072-17-0x0000000005460000-0x0000000005A88000-memory.dmp

Filesize
6.2MB

Download
memory/1072-18-0x00000000052D0000-0x00000000052F2000-memory.dmp

Filesize
136KB

Download
memory/1072-14-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/1072-53-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/1072-54-0x0000000007510000-0x00000000075B3000-memory.dmp

Filesize
652KB

Download
memory/1072-52-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/1072-51-0x00000000074F0000-0x000000000750E000-memory.dmp

Filesize
120KB

Download
memory/1072-41-0x00000000755F0000-0x000000007563C000-memory.dmp

Filesize
304KB

Download
memory/1072-56-0x0000000007650000-0x000000000766A000-memory.dmp

Filesize
104KB

Download
memory/1072-55-0x0000000007C90000-0x000000000830A000-memory.dmp

Filesize
6.5MB

Download
memory/1072-57-0x00000000076B0000-0x00000000076BA000-memory.dmp

Filesize
40KB

Download
memory/1072-40-0x00000000068F0000-0x0000000006922000-memory.dmp

Filesize
200KB

Download
memory/1072-39-0x000000007FDB0000-0x000000007FDC0000-memory.dmp

Filesize
64KB

Download
memory/1072-58-0x00000000078E0000-0x0000000007976000-memory.dmp

Filesize
600KB

Download
memory/1072-59-0x0000000007850000-0x0000000007861000-memory.dmp

Filesize
68KB

Download
memory/1072-61-0x0000000007890000-0x00000000078A4000-memory.dmp

Filesize
80KB

Download
memory/2208-199-0x0000000073A90000-0x0000000073D5F000-memory.dmp

Filesize
2.8MB

Download
memory/2208-198-0x0000000000310000-0x0000000000714000-memory.dmp

Filesize
4.0MB

Download
memory/2208-200-0x0000000073F80000-0x0000000074048000-memory.dmp

Filesize
800KB

Download
memory/2208-205-0x0000000073DF0000-0x0000000073EFA000-memory.dmp

Filesize
1.0MB

Download
memory/2208-207-0x0000000073D60000-0x0000000073DE8000-memory.dmp

Filesize
544KB

Download
memory/2208-203-0x0000000073F00000-0x0000000073F24000-memory.dmp

Filesize
144KB

Download
memory/2208-202-0x0000000073F30000-0x0000000073F79000-memory.dmp

Filesize
292KB

Download
memory/2208-201-0x0000000074050000-0x000000007411E000-memory.dmp

Filesize
824KB

Download
memory/3256-32-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3256-118-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3256-34-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3256-67-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3256-36-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3256-129-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3256-233-0x00000000738F0000-0x0000000073929000-memory.dmp

Filesize
228KB

Download
memory/3256-68-0x0000000074C70000-0x0000000074CA9000-memory.dmp

Filesize
228KB

Download
memory/3256-114-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3256-116-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3256-117-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3256-30-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3256-119-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3256-120-0x0000000073680000-0x00000000736B9000-memory.dmp

Filesize
228KB

Download
memory/3256-115-0x0000000000400000-0x0000000000BD8000-memory.dmp

Filesize
7.8MB

Download
memory/3356-1-0x0000000000320000-0x00000000009AA000-memory.dmp

Filesize
6.5MB

Download
memory/3356-5-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/3356-4-0x00000000055D0000-0x0000000005624000-memory.dmp

Filesize
336KB

Download
memory/3356-6-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/3356-35-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/3356-10-0x0000000005530000-0x00000000055C2000-memory.dmp

Filesize
584KB

Download
memory/3356-2-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/3356-3-0x0000000005310000-0x000000000533E000-memory.dmp

Filesize
184KB

Download
memory/3356-0-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/5104-102-0x0000000073F80000-0x0000000074048000-memory.dmp

Filesize
800KB

Download
memory/5104-171-0x0000000000310000-0x0000000000714000-memory.dmp

Filesize
4.0MB

Download
memory/5104-181-0x0000000000310000-0x0000000000714000-memory.dmp

Filesize
4.0MB

Download
memory/5104-163-0x0000000000310000-0x0000000000714000-memory.dmp

Filesize
4.0MB

Download
memory/5104-155-0x0000000000310000-0x0000000000714000-memory.dmp

Filesize
4.0MB

Download
memory/5104-147-0x0000000000310000-0x0000000000714000-memory.dmp

Filesize
4.0MB

Download
memory/5104-133-0x0000000000310000-0x0000000000714000-memory.dmp

Filesize
4.0MB

Download
memory/5104-132-0x0000000000310000-0x0000000000714000-memory.dmp

Filesize
4.0MB

Download
memory/5104-121-0x0000000000310000-0x0000000000714000-memory.dmp

Filesize
4.0MB

Download
memory/5104-123-0x0000000073F80000-0x0000000074048000-memory.dmp

Filesize
800KB

Download
memory/5104-128-0x0000000073A90000-0x0000000073D5F000-memory.dmp

Filesize
2.8MB

Download
memory/5104-94-0x0000000000310000-0x0000000000714000-memory.dmp

Filesize
4.0MB

Download
memory/5104-103-0x0000000073F30000-0x0000000073F79000-memory.dmp

Filesize
292KB

Download
memory/5104-105-0x0000000073DF0000-0x0000000073EFA000-memory.dmp

Filesize
1.0MB

Download
memory/5104-106-0x0000000001CC0000-0x0000000001D48000-memory.dmp

Filesize
544KB

Download
memory/5104-112-0x0000000074050000-0x000000007411E000-memory.dmp

Filesize
824KB

Download
memory/5104-113-0x0000000073D60000-0x0000000073DE8000-memory.dmp

Filesize
544KB

Download
memory/5104-111-0x0000000001CC0000-0x0000000001F8F000-memory.dmp

Filesize
2.8MB

Download
memory/5104-107-0x0000000073A90000-0x0000000073D5F000-memory.dmp

Filesize
2.8MB

Download
memory/5104-104-0x0000000073F00000-0x0000000073F24000-memory.dmp

Filesize
144KB

Download