bitrat | 954eeaefa91f80e80df9cc550c0cc16f52ad063f8ca3494c40ebc5c51ebc635b

General

Target

b087a691094f9fdd25b7b1828ff7d9fb.exe
Size

4.6MB
MD5

b087a691094f9fdd25b7b1828ff7d9fb
SHA1

78882a7d0aef6b8b1a190fa50ea82373bf4d3b88
SHA256

954eeaefa91f80e80df9cc550c0cc16f52ad063f8ca3494c40ebc5c51ebc635b
SHA512

4f4e1e6da8b96b1984ba4f5a378b442c5671940af3c0fbd2102b6ba4ef15259d88f23e2df38770e91f2389dd439c507561dec820ad471b14148a28fc747b3a83
SSDEEP

98304:RM3sD4Wo+QeyE5fjBdsc+zm4o6kz5KRVBQAWBxfGU:RM3sD4WSDe8rPkz5KFRu

Score

10^/10

bitrat evasion trojan

Malware Config

Extracted

Family

bitrat

Version

1.33

C2

serviceop091.ddns.net:8000

Attributes

communication_password
c4ca4238a0b923820dcc509a6f75849b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

b087a691094f9fdd25b7b1828ff7d9fb.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions b087a691094f9fdd25b7b1828ff7d9fb.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

b087a691094f9fdd25b7b1828ff7d9fb.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools b087a691094f9fdd25b7b1828ff7d9fb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	b087a691094f9fdd25b7b1828ff7d9fb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	b087a691094f9fdd25b7b1828ff7d9fb.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/2076-3-0x00000000004E0000-0x00000000004F8000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b087a691094f9fdd25b7b1828ff7d9fb.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b087a691094f9fdd25b7b1828ff7d9fb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b087a691094f9fdd25b7b1828ff7d9fb.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b087a691094f9fdd25b7b1828ff7d9fb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	b087a691094f9fdd25b7b1828ff7d9fb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	b087a691094f9fdd25b7b1828ff7d9fb.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1232 schtasks.exe

pid	process
1232	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b087a691094f9fdd25b7b1828ff7d9fb.exe
"C:\Users\Admin\AppData\Local\Temp\b087a691094f9fdd25b7b1828ff7d9fb.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2628

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tBJkUjvPFcL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF299.tmp"
2⤵
- Creates scheduled task(s)
PID:1232

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF299.tmp
Filesize
1KB

MD5
2d55d31fe80ec5f6deb0dd099da59b13

SHA1
745254e20c35a9cbc5dc16af42788797ce7b29d9

SHA256
83247db20fe6a3700ddd31fc182f3426bd53718e51dd7f6ea2d890965e50a246

SHA512
745a7322ad19cb65fcec35d7e5e3ecd18d3657b2557be48a2810be46e56ffb5d7487160fd729587250570400595cc319e2d2f223b5cc9bb7df37c607147f60c3

Download Submit
memory/2076-31-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2076-0-0x0000000000E50000-0x00000000012F6000-memory.dmp

Filesize
4.6MB

Download
memory/2076-2-0x00000000051D0000-0x0000000005210000-memory.dmp

Filesize
256KB

Download
memory/2076-3-0x00000000004E0000-0x00000000004F8000-memory.dmp

Filesize
96KB

Download
memory/2076-4-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2076-5-0x00000000051D0000-0x0000000005210000-memory.dmp

Filesize
256KB

Download
memory/2076-6-0x0000000008800000-0x0000000008C54000-memory.dmp

Filesize
4.3MB

Download
memory/2076-1-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2628-35-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-37-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-19-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-30-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-29-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2628-23-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-21-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-16-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-14-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-17-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-12-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-39-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-38-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-36-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-27-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-34-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-33-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-41-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-40-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-43-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-42-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-44-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-45-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-46-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-47-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-48-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-49-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-50-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-52-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-51-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads