bitrat | 03957e1a76e380308206465031a99a1db9e7afce4b82e021f0f8f94888b791b2

Analysis

max time kernel
148s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f33bacbd78bf143a1f8a52b1f8b4cde.exe
Size

3.2MB
MD5

7f33bacbd78bf143a1f8a52b1f8b4cde
SHA1

97ce3f3084b8db04be526422bf9a1feb0d476e25
SHA256

03957e1a76e380308206465031a99a1db9e7afce4b82e021f0f8f94888b791b2
SHA512

c4dd06b99cbe62a1eb3119bdbfac096f9e54328873d8b26b7139ecd89b9ad51c83d97afed519fb81ff9b94fe2df3cbb3c746cec8ed2722af797c4a03d8e5ea08
SSDEEP

98304:TKC6+yhQD2OYZGQRticLcM1cVr9D0mDpg84G:+CpYQClrRIcLcMir9DrDp

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

snkno.duckdns.org:43413

Attributes

communication_password
827ccb0eea8a706c4c34a16891f84e7b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral1/memory/2908-3-0x00000000002D0000-0x00000000002E2000-memory.dmp	CustAttr

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2164	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
2164	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
2164	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
2164	7f33bacbd78bf143a1f8a52b1f8b4cde.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2908 set thread context of 2164	2908	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
520	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2164	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
Token: SeShutdownPrivilege	2164	7f33bacbd78bf143a1f8a52b1f8b4cde.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2164	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
2164	7f33bacbd78bf143a1f8a52b1f8b4cde.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 520	2908	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	30
PID 2908 wrote to memory of 520	2908	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	30
PID 2908 wrote to memory of 520	2908	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	30
PID 2908 wrote to memory of 520	2908	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	30
PID 2908 wrote to memory of 2164	2908	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	32
PID 2908 wrote to memory of 2164	2908	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	32
PID 2908 wrote to memory of 2164	2908	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	32
PID 2908 wrote to memory of 2164	2908	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	32
PID 2908 wrote to memory of 2164	2908	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	32
PID 2908 wrote to memory of 2164	2908	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	32
PID 2908 wrote to memory of 2164	2908	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	32
PID 2908 wrote to memory of 2164	2908	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	32
PID 2908 wrote to memory of 2164	2908	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	32
PID 2908 wrote to memory of 2164	2908	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	32
PID 2908 wrote to memory of 2164	2908	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	32
PID 2908 wrote to memory of 2164	2908	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	32

C:\Users\Admin\AppData\Local\Temp\7f33bacbd78bf143a1f8a52b1f8b4cde.exe
"C:\Users\Admin\AppData\Local\Temp\7f33bacbd78bf143a1f8a52b1f8b4cde.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WZTuVE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2D38.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:520
- C:\Users\Admin\AppData\Local\Temp\7f33bacbd78bf143a1f8a52b1f8b4cde.exe
  "C:\Users\Admin\AppData\Local\Temp\7f33bacbd78bf143a1f8a52b1f8b4cde.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2D38.tmp

Filesize
1KB

MD5
fe54d2b55c7e2cd0a3bbc663097fdbd6

SHA1
ce300409bd60e6192d637812fa028ae2a3b157a7

SHA256
cae3dcd4f38536a5ea8e3ba004162f9f309b8e434af48e08f865c93bedd7bbfd

SHA512
3f08887cd73c3a3c3844e54549a7382ee9777870e2051311e1a1ae44dfccd3b2696794ac04f1a3f9bef68a85765b9b2fb32ca9960277454acfebc7d4a380f5fc

Download Submit
memory/2164-28-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-44-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-49-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-48-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-47-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-46-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-27-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-45-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-13-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-15-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-17-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-18-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-19-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-20-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-21-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2164-24-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-29-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-43-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-42-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-41-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-31-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-30-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-32-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-34-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-35-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-36-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-37-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-38-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-39-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2164-40-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2908-25-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/2908-2-0x00000000050E0000-0x0000000005120000-memory.dmp

Filesize
256KB

Download
memory/2908-7-0x00000000093A0000-0x0000000009768000-memory.dmp

Filesize
3.8MB

Download
memory/2908-0-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/2908-1-0x0000000000DD0000-0x0000000001104000-memory.dmp

Filesize
3.2MB

Download
memory/2908-6-0x0000000007120000-0x00000000073A2000-memory.dmp

Filesize
2.5MB

Download
memory/2908-5-0x00000000050E0000-0x0000000005120000-memory.dmp

Filesize
256KB

Download
memory/2908-4-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/2908-3-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads