bitrat | f5fbd66fa754b518289e512f61ed872924ff06f80ec48dc08bd270b179d783cd

General

Target

d345138f48b7d610e4f7d280504a5a36.exe
Size

2.7MB
MD5

d345138f48b7d610e4f7d280504a5a36
SHA1

f4f24851b4249d37bcddebbe3a6084266f7dcf2a
SHA256

f5fbd66fa754b518289e512f61ed872924ff06f80ec48dc08bd270b179d783cd
SHA512

3e4fe2ad60059e1bfc696dfaeb1399c3a9c01ff44a6728fe6244dc7ebf27d18429c9e0e9b72a05727911ed6337eece15a242b8d5ce0d723350ad459772069c69
SSDEEP

49152:6PbUDBy6zxsQZr5nGoL6DGrfTt5L5S2+F96XDumJBAwI8KSWBDfUHM6M6a/9K9zE:68r19k6SGeeKD9fUs6Fa/Y9zztzzK

Score

10^/10

bitrat evasion trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

dopeonlineforwarding.xyz:6620

Attributes

communication_password
d74a214501c1c40b2c77e995082f3587
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/2220-3-0x00000000003E0000-0x00000000003F2000-memory.dmp	CustAttr

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

d345138f48b7d610e4f7d280504a5a36.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions d345138f48b7d610e4f7d280504a5a36.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

d345138f48b7d610e4f7d280504a5a36.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools d345138f48b7d610e4f7d280504a5a36.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	d345138f48b7d610e4f7d280504a5a36.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	d345138f48b7d610e4f7d280504a5a36.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d345138f48b7d610e4f7d280504a5a36.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d345138f48b7d610e4f7d280504a5a36.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d345138f48b7d610e4f7d280504a5a36.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2772-15-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-20-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-23-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-25-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-22-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-21-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-16-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-31-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-33-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-30-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-35-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-34-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-37-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-36-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-39-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-38-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-40-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-41-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-45-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-46-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2772-47-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d345138f48b7d610e4f7d280504a5a36.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	d345138f48b7d610e4f7d280504a5a36.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	d345138f48b7d610e4f7d280504a5a36.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2528 schtasks.exe

pid	process
2528	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\d345138f48b7d610e4f7d280504a5a36.exe
"C:\Users\Admin\AppData\Local\Temp\d345138f48b7d610e4f7d280504a5a36.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
PID:2220

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NWKQwZWIgp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD7D8.tmp"
2⤵
- Creates scheduled task(s)
PID:2528

C:\Users\Admin\AppData\Local\Temp\d345138f48b7d610e4f7d280504a5a36.exe
"C:\Users\Admin\AppData\Local\Temp\d345138f48b7d610e4f7d280504a5a36.exe"
2⤵
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD7D8.tmp
Filesize
1KB

MD5
2e0e3b05e541417aa99ca664b2a4d67d

SHA1
60bfa0db944790c6a110355dac11dbaa988998c5

SHA256
43c11c427da5b704811e817305546064907be3ac61d8c8934aa297e48b6311b7

SHA512
efde8c5f2bd35445d79f77911b4c34d17b853ef1ee24d95ca9c8cf120f7644bd3e06559c6a1ef126143670db4a8a220a56b1414c8a255742593c326f4037b5b3

Download Submit
memory/2220-24-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/2220-0-0x0000000000F40000-0x0000000001206000-memory.dmp

Filesize
2.8MB

Download
memory/2220-2-0x00000000073E0000-0x0000000007420000-memory.dmp

Filesize
256KB

Download
memory/2220-3-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2220-4-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/2220-5-0x00000000073E0000-0x0000000007420000-memory.dmp

Filesize
256KB

Download
memory/2220-6-0x0000000005700000-0x00000000058C0000-memory.dmp

Filesize
1.8MB

Download
memory/2220-7-0x00000000069C0000-0x0000000006B38000-memory.dmp

Filesize
1.5MB

Download
memory/2220-1-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/2772-16-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-35-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-23-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-25-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-15-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-22-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-21-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2772-13-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-26-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-27-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-31-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-33-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-30-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-29-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-20-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-34-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-37-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-36-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-39-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-38-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-40-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-41-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-43-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-42-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-44-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-45-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-46-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2772-47-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads