bitrat | e48521f8257aa45c2572c48fd198a1dea0aaaa940a9fa32c0191a6c791096805

Analysis

max time kernel
45s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8833a73cf9b3284a719dff6a8f59f734.exe
Size

6.5MB
MD5

8833a73cf9b3284a719dff6a8f59f734
SHA1

d795f9c44357a4c04b684fe0033c120158d648df
SHA256

e48521f8257aa45c2572c48fd198a1dea0aaaa940a9fa32c0191a6c791096805
SHA512

60b23fe7e3a493149f505241bb32f0d752d3bc7b04bf6ea6c43dda1964ba7d6f25db8e3e44f727e8d83ce8dbc12ed1999037436f8e2163c478f314bbc8b9ce2e
SSDEEP

98304:emnH7AFiyyu8M44tJKcSG0gEsSbunm62/uGNeLL:DEoDu8M4WJKM9gBNi

Score

10^/10

bitrat agilenet persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

snkno.duckdns.org:43413

Attributes

communication_password
827ccb0eea8a706c4c34a16891f84e7b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jgffghjhgffghjgfd.exe	8833a73cf9b3284a719dff6a8f59f734.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jgffghjhgffghjgfd.exe	8833a73cf9b3284a719dff6a8f59f734.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/4584-7-0x0000000007620000-0x0000000007648000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ggfjgfguytdffdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jgffghjhgffghjgfd.exe"	reg.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe
4584	8833a73cf9b3284a719dff6a8f59f734.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4584	8833a73cf9b3284a719dff6a8f59f734.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 628	4584	8833a73cf9b3284a719dff6a8f59f734.exe	98
PID 4584 wrote to memory of 628	4584	8833a73cf9b3284a719dff6a8f59f734.exe	98
PID 4584 wrote to memory of 628	4584	8833a73cf9b3284a719dff6a8f59f734.exe	98
PID 628 wrote to memory of 4884	628	cmd.exe	96
PID 628 wrote to memory of 4884	628	cmd.exe	96
PID 628 wrote to memory of 4884	628	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\8833a73cf9b3284a719dff6a8f59f734.exe
"C:\Users\Admin\AppData\Local\Temp\8833a73cf9b3284a719dff6a8f59f734.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ggfjgfguytdffdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jgffghjhgffghjgfd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:628
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jgffghjhgffghjgfd.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jgffghjhgffghjgfd.exe"
  2⤵
  PID:4024
- - C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
    3⤵
    PID:3712

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ggfjgfguytdffdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jgffghjhgffghjgfd.exe"
1⤵
- Adds Run key to start application
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Filesize
42KB

MD5
9827ff3cdf4b83f9c86354606736ca9c

SHA1
e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

SHA256
c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

SHA512
8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jgffghjhgffghjgfd.exe

Filesize
1.1MB

MD5
7553a6fc35539a2dd1ce0e1baec5b1c9

SHA1
ae3ffcbf5eec57b33b28fe4d778626deebc8f2e2

SHA256
1093c4318dbd26a67567a54a2a7447f64750a4911b35de80df6f6ffa14f01482

SHA512
a7e9a04f615e6c61d8675de45f650d564eda5a79aecbe227d2bc8bf2a5a2a5b1f6800fb6779f0dba1bc5bbe3711d8999d4fbd98e05c337eebdb6c7ba2de6e96b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jgffghjhgffghjgfd.exe

Filesize
1.4MB

MD5
47107f9c8c9cba3b6fae857e9a063e27

SHA1
6f2460a2feef09c19441f789b9970a30653772fa

SHA256
4b2c2035d9cbfe00e1ce109bb93ab8b280d4ad87f40c308b31399a8b66cd143f

SHA512
6bf83d68bc8634290fc06809827267a4b183dd439f5641cf00f635979670aa1c78b50f8a303ce3173b9f54c737264d27b567c5eeb1cdbd9433b082d37c8e9f0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jgffghjhgffghjgfd.exe

Filesize
893KB

MD5
4082db30008af14669372285b353b42e

SHA1
c4f2ff679aaf58fed0225720a74fb81a0ff4e04e

SHA256
b8f4d8a2c50a06b4af7b8d608d7de68b04ccd8a58c8c13960a393913ff1fd8ec

SHA512
e5e068089fafde14ef794623cc5e691c8ce935af86ba9018347a9f08616e6296665cac40c5a5ea0cf735278f451f0eecfec4285c96c9e574b79099c0e0a564c7

Download Submit
memory/3712-46-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3712-55-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3712-41-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3712-62-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3712-39-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3712-63-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3712-64-0x0000000070240000-0x0000000070279000-memory.dmp

Filesize
228KB

Download
memory/3712-59-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3712-61-0x0000000070240000-0x0000000070279000-memory.dmp

Filesize
228KB

Download
memory/3712-60-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3712-56-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3712-58-0x0000000070240000-0x0000000070279000-memory.dmp

Filesize
228KB

Download
memory/3712-57-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3712-42-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3712-53-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3712-54-0x0000000070240000-0x0000000070279000-memory.dmp

Filesize
228KB

Download
memory/3712-52-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3712-45-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3712-48-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3712-49-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3712-51-0x0000000070240000-0x0000000070279000-memory.dmp

Filesize
228KB

Download
memory/3712-50-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3712-37-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3712-40-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3712-47-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3712-44-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3712-43-0x0000000070320000-0x0000000070359000-memory.dmp

Filesize
228KB

Download
memory/4024-28-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/4024-31-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/4024-29-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/4024-30-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/4024-35-0x0000000004F20000-0x0000000004F26000-memory.dmp

Filesize
24KB

Download
memory/4024-34-0x0000000004F10000-0x0000000004F24000-memory.dmp

Filesize
80KB

Download
memory/4024-33-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/4024-32-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/4584-0-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/4584-3-0x0000000006300000-0x00000000068A4000-memory.dmp

Filesize
5.6MB

Download
memory/4584-6-0x00000000062D0000-0x00000000062E0000-memory.dmp

Filesize
64KB

Download
memory/4584-9-0x00000000076A0000-0x00000000076C2000-memory.dmp

Filesize
136KB

Download
memory/4584-27-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/4584-4-0x0000000005D50000-0x0000000005DE2000-memory.dmp

Filesize
584KB

Download
memory/4584-2-0x0000000005B70000-0x0000000005C0C000-memory.dmp

Filesize
624KB

Download
memory/4584-1-0x0000000000B60000-0x00000000011DC000-memory.dmp

Filesize
6.5MB

Download
memory/4584-5-0x0000000005DF0000-0x0000000006144000-memory.dmp

Filesize
3.3MB

Download
memory/4584-13-0x00000000062D0000-0x00000000062E0000-memory.dmp

Filesize
64KB

Download
memory/4584-12-0x00000000062D0000-0x00000000062E0000-memory.dmp

Filesize
64KB

Download
memory/4584-11-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/4584-10-0x00000000062D0000-0x00000000062E0000-memory.dmp

Filesize
64KB

Download
memory/4584-8-0x00000000076E0000-0x0000000007746000-memory.dmp

Filesize
408KB

Download
memory/4584-7-0x0000000007620000-0x0000000007648000-memory.dmp

Filesize
160KB

Download