bitrat | 42c77364cebcb01102a85a8bb9a053a0e01d633c2e9710256e9d174a9f67effd

General

Target

cb1210c9515e3e6bf5716048cb7ba3cf.exe
Size

2.1MB
MD5

cb1210c9515e3e6bf5716048cb7ba3cf
SHA1

9a57f751a71a63ac9b998a6a19b7a38b96349e53
SHA256

42c77364cebcb01102a85a8bb9a053a0e01d633c2e9710256e9d174a9f67effd
SHA512

ee6ca757e4dec2230255c26f66dfb20e225e22581e3c90359f168e976a5e12250ed24dd5305b6c59a673036841cedce682601fef5f4c9304843571c941c96990
SSDEEP

49152:1kIxSRHorTDMyDmFscevbcd/Fkl1DI8wGLSK4Erm8jJE3hGJGYRV6O37PckR1h:1k8SeDMbFs3Ad/FUIyHpcMhn1370kR1

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

gotti.ddnsgeek.com:8088

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

cb1210c9515e3e6bf5716048cb7ba3cf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\oiqjWh2890agfhgW\\Ux3JQeGsFGk2.exe\",explorer.exe"	cb1210c9515e3e6bf5716048cb7ba3cf.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

vbc.exe

pid process

4508 vbc.exe
4508 vbc.exe
4508 vbc.exe
4508 vbc.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

cb1210c9515e3e6bf5716048cb7ba3cf.exe

description pid process target process

PID 932 set thread context of 4508 932 cb1210c9515e3e6bf5716048cb7ba3cf.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cb1210c9515e3e6bf5716048cb7ba3cf.exe

pid process

932 cb1210c9515e3e6bf5716048cb7ba3cf.exe
932 cb1210c9515e3e6bf5716048cb7ba3cf.exe

pid	process
4508	vbc.exe
4508	vbc.exe
4508	vbc.exe
4508	vbc.exe

description	pid	process	target process
PID 932 set thread context of 4508	932	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe

pid	process
932	cb1210c9515e3e6bf5716048cb7ba3cf.exe
932	cb1210c9515e3e6bf5716048cb7ba3cf.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

cb1210c9515e3e6bf5716048cb7ba3cf.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	932	cb1210c9515e3e6bf5716048cb7ba3cf.exe
Token: SeDebugPrivilege	932	cb1210c9515e3e6bf5716048cb7ba3cf.exe
Token: SeShutdownPrivilege	4508	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vbc.exe

pid process

4508 vbc.exe
4508 vbc.exe

pid	process
4508	vbc.exe
4508	vbc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

cb1210c9515e3e6bf5716048cb7ba3cf.exe

description	pid	process	target process
PID 932 wrote to memory of 4508	932	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe
PID 932 wrote to memory of 4508	932	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe
PID 932 wrote to memory of 4508	932	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe
PID 932 wrote to memory of 4508	932	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe
PID 932 wrote to memory of 4508	932	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe
PID 932 wrote to memory of 4508	932	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe
PID 932 wrote to memory of 4508	932	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe
PID 932 wrote to memory of 4508	932	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe
PID 932 wrote to memory of 4508	932	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe
PID 932 wrote to memory of 4508	932	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe
PID 932 wrote to memory of 4508	932	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\cb1210c9515e3e6bf5716048cb7ba3cf.exe
"C:\Users\Admin\AppData\Local\Temp\cb1210c9515e3e6bf5716048cb7ba3cf.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/932-0-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/932-1-0x00000000011C0000-0x00000000011D0000-memory.dmp

Filesize
64KB

Download
memory/932-2-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/932-3-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/932-4-0x00000000011C0000-0x00000000011D0000-memory.dmp

Filesize
64KB

Download
memory/932-5-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/4508-8-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4508-9-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4508-10-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4508-12-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4508-13-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4508-15-0x0000000072DC0000-0x0000000072DF9000-memory.dmp

Filesize
228KB

Download
memory/4508-16-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4508-17-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4508-20-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4508-21-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4508-22-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4508-23-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4508-24-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4508-25-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4508-26-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4508-27-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4508-28-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4508-29-0x0000000072AB0000-0x0000000072AE9000-memory.dmp

Filesize
228KB

Download
memory/4508-30-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads