bitrat | 954eeaefa91f80e80df9cc550c0cc16f52ad063f8ca3494c40ebc5c51ebc635b | Triage

Analysis

max time kernel
57s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27-12-2023 12:20

Sharing

Report Analysis Logs

General

Target

b087a691094f9fdd25b7b1828ff7d9fb.exe
Size

4.6MB
MD5

b087a691094f9fdd25b7b1828ff7d9fb
SHA1

78882a7d0aef6b8b1a190fa50ea82373bf4d3b88
SHA256

954eeaefa91f80e80df9cc550c0cc16f52ad063f8ca3494c40ebc5c51ebc635b
SHA512

4f4e1e6da8b96b1984ba4f5a378b442c5671940af3c0fbd2102b6ba4ef15259d88f23e2df38770e91f2389dd439c507561dec820ad471b14148a28fc747b3a83
SSDEEP

98304:RM3sD4Wo+QeyE5fjBdsc+zm4o6kz5KRVBQAWBxfGU:RM3sD4WSDe8rPkz5KFRu

Score

10^/10

bitrat evasion trojan

Malware Config

Extracted

Family

bitrat

Version

1.33

C2

serviceop091.ddns.net:8000

Attributes

communication_password
c4ca4238a0b923820dcc509a6f75849b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	b087a691094f9fdd25b7b1828ff7d9fb.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	b087a691094f9fdd25b7b1828ff7d9fb.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/2076-3-0x00000000004E0000-0x00000000004F8000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b087a691094f9fdd25b7b1828ff7d9fb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b087a691094f9fdd25b7b1828ff7d9fb.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	b087a691094f9fdd25b7b1828ff7d9fb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	b087a691094f9fdd25b7b1828ff7d9fb.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
1232	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b087a691094f9fdd25b7b1828ff7d9fb.exe
"C:\Users\Admin\AppData\Local\Temp\b087a691094f9fdd25b7b1828ff7d9fb.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
PID:2076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:2628
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tBJkUjvPFcL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF299.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF299.tmp

Filesize
1KB

MD5
2d55d31fe80ec5f6deb0dd099da59b13

SHA1
745254e20c35a9cbc5dc16af42788797ce7b29d9

SHA256
83247db20fe6a3700ddd31fc182f3426bd53718e51dd7f6ea2d890965e50a246

SHA512
745a7322ad19cb65fcec35d7e5e3ecd18d3657b2557be48a2810be46e56ffb5d7487160fd729587250570400595cc319e2d2f223b5cc9bb7df37c607147f60c3

Download Submit
memory/2076-31-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2076-0-0x0000000000E50000-0x00000000012F6000-memory.dmp

Filesize
4.6MB

Download
memory/2076-2-0x00000000051D0000-0x0000000005210000-memory.dmp

Filesize
256KB

Download
memory/2076-3-0x00000000004E0000-0x00000000004F8000-memory.dmp

Filesize
96KB

Download
memory/2076-4-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2076-5-0x00000000051D0000-0x0000000005210000-memory.dmp

Filesize
256KB

Download
memory/2076-6-0x0000000008800000-0x0000000008C54000-memory.dmp

Filesize
4.3MB

Download
memory/2076-1-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2628-35-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-37-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-19-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-30-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-29-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2628-23-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-21-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-16-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-14-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-17-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-12-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-39-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-38-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-36-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-27-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-34-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-33-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-41-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-40-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-43-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-42-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-44-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-45-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-46-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-47-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-48-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-49-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-50-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-52-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download
memory/2628-51-0x0000000000400000-0x00000000007C8000-memory.dmp

Filesize
3.8MB

Download