bitrat | 49568dbced141895672057dc8244ce926ba027f7d04915a3a8504584f56b2c87

Analysis

max time kernel
42s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2023 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4a26290880d3fb80df39f433ebb0490.exe
Size

2.6MB
MD5

b4a26290880d3fb80df39f433ebb0490
SHA1

68e61782384bac82a8b2fbbac8958a1a5dd3fe5d
SHA256

49568dbced141895672057dc8244ce926ba027f7d04915a3a8504584f56b2c87
SHA512

96438799bcf1a79f992ddd11ecedb7101a0c816b1eff1db78f2c1b48239a110a08860a1ff0f36aad883332cbb3ff690a842478dd4dffb5a94f35082404ba2182
SSDEEP

49152:YCqoHMDzSvPB+6y3im0rc56ErvHHxjLH1yzJo9pPHq8jhWEgTi:YLosavPB9Frc56EjHxjLH1GipPN8Er

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.35

storage.nsupdate.info:8973

Attributes

communication_password
bf771c9d082071fe80b18bb678220682
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3848-115-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3848-121-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3848-122-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3848-124-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3848-126-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3848-127-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3848-125-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3848-128-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3848-123-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3848-142-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3848-145-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3848-144-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4020	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b4a26290880d3fb80df39f433ebb0490.exe
"C:\Users\Admin\AppData\Local\Temp\b4a26290880d3fb80df39f433ebb0490.exe"
1⤵
PID:4988
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\b4a26290880d3fb80df39f433ebb0490.exe"
  2⤵
  PID:4520
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QhNsxxGtGmp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF906.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4020
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QhNsxxGtGmp.exe"
  2⤵
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:3848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:3128
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QhNsxxGtGmp.exe"
  2⤵
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0821c1e02c0b9bb8ff86e48f8c9d2e28

SHA1
b5815a251f37deeb4b8ced52f3a59937e525f33e

SHA256
8704d51103dcc17f13e5a5e258bd22f0e5f238dd691d55c6624583bb3d84da44

SHA512
7336a2d6e20be79b9b3dd0a0ebc20c31fda94c0d9fbd499b5f2f2d067530da89e1ccc3848e7ac02d82ce051d2840fac108b763a3cf06dd86401588f0aad07e32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
27bc229296b203be28ce24c95980e4f2

SHA1
164c55177a1b3a9d64fcf20120f2eb4a30e26cec

SHA256
66c94f867b49d0b3d389883e56e3c07cb95a28bb3f48c72897c5b453d4484082

SHA512
ce7b98f1180f1485aa247096a0081eae5110ef6c26f9f6a6235693c7dadeba018419e5e0f9bb68b3f7d2053cda941bdf053d723eacfc87c4f1c00aa935f5752b

Download Submit
memory/1484-140-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/1484-129-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1484-58-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1484-56-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/1484-99-0x000000006F8F0000-0x000000006F93C000-memory.dmp

Filesize
304KB

Download
memory/1484-111-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1484-57-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/2640-87-0x000000006F8F0000-0x000000006F93C000-memory.dmp

Filesize
304KB

Download
memory/2640-137-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/2640-110-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/2640-118-0x00000000048E0000-0x00000000048F0000-memory.dmp

Filesize
64KB

Download
memory/2640-119-0x00000000048E0000-0x00000000048F0000-memory.dmp

Filesize
64KB

Download
memory/2640-37-0x00000000048E0000-0x00000000048F0000-memory.dmp

Filesize
64KB

Download
memory/2640-38-0x00000000048E0000-0x00000000048F0000-memory.dmp

Filesize
64KB

Download
memory/2640-113-0x00000000072D0000-0x00000000072DE000-memory.dmp

Filesize
56KB

Download
memory/2640-36-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/2640-117-0x00000000073C0000-0x00000000073C8000-memory.dmp

Filesize
32KB

Download
memory/2640-85-0x000000007F000000-0x000000007F010000-memory.dmp

Filesize
64KB

Download
memory/3848-142-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-128-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-145-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-47-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-46-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-141-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-143-0x0000000075380000-0x00000000753B9000-memory.dmp

Filesize
228KB

Download
memory/3848-146-0x0000000075380000-0x00000000753B9000-memory.dmp

Filesize
228KB

Download
memory/3848-144-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-148-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-147-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-123-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-151-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-150-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-130-0x0000000070CF0000-0x0000000070D29000-memory.dmp

Filesize
228KB

Download
memory/3848-54-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-125-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-127-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-126-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-124-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-154-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-122-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-121-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-120-0x0000000070FA0000-0x0000000070FD9000-memory.dmp

Filesize
228KB

Download
memory/3848-153-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-156-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-157-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-52-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-159-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-160-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3848-115-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4520-14-0x0000000002400000-0x0000000002436000-memory.dmp

Filesize
216KB

Download
memory/4520-18-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/4520-114-0x0000000007290000-0x00000000072A4000-memory.dmp

Filesize
80KB

Download
memory/4520-15-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/4520-116-0x0000000007390000-0x00000000073AA000-memory.dmp

Filesize
104KB

Download
memory/4520-109-0x00000000072D0000-0x0000000007366000-memory.dmp

Filesize
600KB

Download
memory/4520-16-0x0000000004F40000-0x0000000005568000-memory.dmp

Filesize
6.2MB

Download
memory/4520-98-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/4520-86-0x00000000070C0000-0x00000000070CA000-memory.dmp

Filesize
40KB

Download
memory/4520-97-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/4520-17-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/4520-23-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/4520-84-0x0000000007050000-0x000000000706A000-memory.dmp

Filesize
104KB

Download
memory/4520-83-0x0000000007690000-0x0000000007D0A000-memory.dmp

Filesize
6.5MB

Download
memory/4520-69-0x0000000006F00000-0x0000000006F32000-memory.dmp

Filesize
200KB

Download
memory/4520-81-0x0000000006F40000-0x0000000006FE3000-memory.dmp

Filesize
652KB

Download
memory/4520-19-0x0000000004E60000-0x0000000004E82000-memory.dmp

Filesize
136KB

Download
memory/4520-34-0x0000000005840000-0x0000000005B94000-memory.dmp

Filesize
3.3MB

Download
memory/4520-82-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/4520-139-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/4520-112-0x0000000007250000-0x0000000007261000-memory.dmp

Filesize
68KB

Download
memory/4520-40-0x0000000005D70000-0x0000000005DBC000-memory.dmp

Filesize
304KB

Download
memory/4520-80-0x0000000006EC0000-0x0000000006EDE000-memory.dmp

Filesize
120KB

Download
memory/4520-70-0x000000006F8F0000-0x000000006F93C000-memory.dmp

Filesize
304KB

Download
memory/4520-68-0x000000007FA20000-0x000000007FA30000-memory.dmp

Filesize
64KB

Download
memory/4520-39-0x0000000005D20000-0x0000000005D3E000-memory.dmp

Filesize
120KB

Download
memory/4988-1-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/4988-3-0x0000000005B70000-0x0000000006114000-memory.dmp

Filesize
5.6MB

Download
memory/4988-55-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/4988-2-0x00000000054A0000-0x000000000553C000-memory.dmp

Filesize
624KB

Download
memory/4988-4-0x0000000005660000-0x00000000056F2000-memory.dmp

Filesize
584KB

Download
memory/4988-7-0x0000000005700000-0x0000000005756000-memory.dmp

Filesize
344KB

Download
memory/4988-13-0x0000000008C70000-0x0000000008CD6000-memory.dmp

Filesize
408KB

Download
memory/4988-12-0x00000000077C0000-0x0000000007938000-memory.dmp

Filesize
1.5MB

Download
memory/4988-11-0x00000000075D0000-0x0000000007790000-memory.dmp

Filesize
1.8MB

Download
memory/4988-10-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/4988-9-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/4988-8-0x00000000015E0000-0x00000000015F2000-memory.dmp

Filesize
72KB

Download
memory/4988-0-0x0000000000860000-0x0000000000AFA000-memory.dmp

Filesize
2.6MB

Download
memory/4988-6-0x0000000005590000-0x000000000559A000-memory.dmp

Filesize
40KB

Download
memory/4988-5-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads