bitrat | 03957e1a76e380308206465031a99a1db9e7afce4b82e021f0f8f94888b791b2

Analysis

max time kernel
128s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f33bacbd78bf143a1f8a52b1f8b4cde.exe
Size

3.2MB
MD5

7f33bacbd78bf143a1f8a52b1f8b4cde
SHA1

97ce3f3084b8db04be526422bf9a1feb0d476e25
SHA256

03957e1a76e380308206465031a99a1db9e7afce4b82e021f0f8f94888b791b2
SHA512

c4dd06b99cbe62a1eb3119bdbfac096f9e54328873d8b26b7139ecd89b9ad51c83d97afed519fb81ff9b94fe2df3cbb3c746cec8ed2722af797c4a03d8e5ea08
SSDEEP

98304:TKC6+yhQD2OYZGQRticLcM1cVr9D0mDpg84G:+CpYQClrRIcLcMir9DrDp

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

snkno.duckdns.org:43413

Attributes

communication_password
827ccb0eea8a706c4c34a16891f84e7b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral2/memory/1880-7-0x0000000004F00000-0x0000000004F12000-memory.dmp	CustAttr

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	7f33bacbd78bf143a1f8a52b1f8b4cde.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2400	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
2400	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
2400	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
2400	7f33bacbd78bf143a1f8a52b1f8b4cde.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1880 set thread context of 2400	1880	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3608	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2400	7f33bacbd78bf143a1f8a52b1f8b4cde.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2400	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
2400	7f33bacbd78bf143a1f8a52b1f8b4cde.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 3608	1880	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	107
PID 1880 wrote to memory of 3608	1880	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	107
PID 1880 wrote to memory of 3608	1880	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	107
PID 1880 wrote to memory of 2400	1880	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	106
PID 1880 wrote to memory of 2400	1880	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	106
PID 1880 wrote to memory of 2400	1880	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	106
PID 1880 wrote to memory of 2400	1880	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	106
PID 1880 wrote to memory of 2400	1880	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	106
PID 1880 wrote to memory of 2400	1880	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	106
PID 1880 wrote to memory of 2400	1880	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	106
PID 1880 wrote to memory of 2400	1880	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	106
PID 1880 wrote to memory of 2400	1880	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	106
PID 1880 wrote to memory of 2400	1880	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	106
PID 1880 wrote to memory of 2400	1880	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	106

C:\Users\Admin\AppData\Local\Temp\7f33bacbd78bf143a1f8a52b1f8b4cde.exe
"C:\Users\Admin\AppData\Local\Temp\7f33bacbd78bf143a1f8a52b1f8b4cde.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Local\Temp\7f33bacbd78bf143a1f8a52b1f8b4cde.exe
  "C:\Users\Admin\AppData\Local\Temp\7f33bacbd78bf143a1f8a52b1f8b4cde.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2400
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WZTuVE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp12B8.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp12B8.tmp

Filesize
1KB

MD5
604c9c669ee48d9f355ad700e119f969

SHA1
219094b9cbc3843485e664537e928c209f23f15c

SHA256
407e546b7434ad9c81c3b8cbed54083852f4ba5332a65db6b854e9bef3f00602

SHA512
ebaf356784aa70b48f4026b3813b26c6f5dd7cd57ca51d82e87571446070826ec602cb267e6cba79617a200b7ee192d23f706da91757b0a4e81fb423eb3d83fc

Download Submit
memory/1880-1-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/1880-0-0x0000000000200000-0x0000000000534000-memory.dmp

Filesize
3.2MB

Download
memory/1880-3-0x0000000004DE0000-0x0000000004E72000-memory.dmp

Filesize
584KB

Download
memory/1880-4-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/1880-2-0x00000000052D0000-0x0000000005874000-memory.dmp

Filesize
5.6MB

Download
memory/1880-5-0x0000000004EA0000-0x0000000004EAA000-memory.dmp

Filesize
40KB

Download
memory/1880-6-0x0000000005110000-0x00000000051AC000-memory.dmp

Filesize
624KB

Download
memory/1880-7-0x0000000004F00000-0x0000000004F12000-memory.dmp

Filesize
72KB

Download
memory/1880-8-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/1880-9-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/1880-10-0x0000000007570000-0x00000000077F2000-memory.dmp

Filesize
2.5MB

Download
memory/1880-11-0x0000000009AA0000-0x0000000009E68000-memory.dmp

Filesize
3.8MB

Download
memory/1880-21-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/2400-17-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-18-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-22-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-20-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-23-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-24-0x00000000745E0000-0x0000000074619000-memory.dmp

Filesize
228KB

Download
memory/2400-26-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-29-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-30-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-32-0x00000000749C0000-0x00000000749F9000-memory.dmp

Filesize
228KB

Download
memory/2400-31-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-28-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-27-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-25-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-34-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-33-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-35-0x00000000749C0000-0x00000000749F9000-memory.dmp

Filesize
228KB

Download
memory/2400-36-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-39-0x00000000749C0000-0x00000000749F9000-memory.dmp

Filesize
228KB

Download
memory/2400-38-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-37-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-41-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-42-0x00000000749C0000-0x00000000749F9000-memory.dmp

Filesize
228KB

Download
memory/2400-40-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-43-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-45-0x00000000749C0000-0x00000000749F9000-memory.dmp

Filesize
228KB

Download
memory/2400-44-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-47-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-46-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-48-0x00000000749C0000-0x00000000749F9000-memory.dmp

Filesize
228KB

Download
memory/2400-51-0x00000000749C0000-0x00000000749F9000-memory.dmp

Filesize
228KB

Download
memory/2400-50-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-49-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-52-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2400-54-0x00000000749C0000-0x00000000749F9000-memory.dmp

Filesize
228KB

Download
memory/2400-53-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads