bitrat | 2a0152a3160b530e6fb4b5427b10e610bb2d3b375b38d9a1437d3ead6ff4b92d

General

Target

07756f43e7e8a0f53e79c210ddb2a0f6.exe
Size

3.7MB
MD5

07756f43e7e8a0f53e79c210ddb2a0f6
SHA1

c38c5d947fd9ecc9a326756307b3c1449dff00b7
SHA256

2a0152a3160b530e6fb4b5427b10e610bb2d3b375b38d9a1437d3ead6ff4b92d
SHA512

e37089aa356af57c698ae86a7d1aaf1417ebc6d055cc448ccde1148d4f01361c529559595080d9e207b29b9f4b503b4359981da34ec0d1ecded0c916c16170d6
SSDEEP

98304:n372j4yiDFuXOvWn5ZTda/lt0Jj0pyC2sGiupo7Jusew:niKHvWn5JdYT090svzo7Jug

Score

10^/10

bitrat blister loader trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

139.28.219.45:443

Attributes

communication_password
a76d949640a165da25ccfe9a8fd82c8a
tor_process
tor

Signatures

BLISTER
BLISTER is a downloader used to deliver other malware families.
loader blister
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detect Blister loader x32 2 IoCs

loader

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\bibs_work\WMVCORE.DLL	family_blister_x32
behavioral1/memory/1752-3-0x000000002BD90000-0x000000002C277000-memory.dmp	family_blister_x32

Loads dropped DLL 1 IoCs

Processes:

07756f43e7e8a0f53e79c210ddb2a0f6.exe

pid process

1752 07756f43e7e8a0f53e79c210ddb2a0f6.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

07756f43e7e8a0f53e79c210ddb2a0f6.exe

pid	process
1752	07756f43e7e8a0f53e79c210ddb2a0f6.exe
1752	07756f43e7e8a0f53e79c210ddb2a0f6.exe
1752	07756f43e7e8a0f53e79c210ddb2a0f6.exe
1752	07756f43e7e8a0f53e79c210ddb2a0f6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\ProgramData\Helps_Config\Helps_Config.exe	nsis_installer_1
C:\ProgramData\Helps_Config\Helps_Config.exe	nsis_installer_2

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

07756f43e7e8a0f53e79c210ddb2a0f6.exe

description	pid	process
Token: SeDebugPrivilege	1752	07756f43e7e8a0f53e79c210ddb2a0f6.exe
Token: SeShutdownPrivilege	1752	07756f43e7e8a0f53e79c210ddb2a0f6.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

07756f43e7e8a0f53e79c210ddb2a0f6.exe

pid process

1752 07756f43e7e8a0f53e79c210ddb2a0f6.exe
1752 07756f43e7e8a0f53e79c210ddb2a0f6.exe

C:\Users\Admin\AppData\Local\Temp\07756f43e7e8a0f53e79c210ddb2a0f6.exe
"C:\Users\Admin\AppData\Local\Temp\07756f43e7e8a0f53e79c210ddb2a0f6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1752

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Helps_Config\Helps_Config.exe

Filesize
109KB

MD5
aa6850712e9f32426d27a9d6a57d2f9d

SHA1
97218ea3d0ed5d0e66bc807b4a636e3d741852d0

SHA256
107cf9f75765b0866ee3417eb169006aabd5bc20c38aa9786a17f234740c76fa

SHA512
0be6bb118c248fca06869686580f77918bf78ec157a764b88851fcce45b007ffe4767ac60868540d92ac98f075750c9a437870ce058a5e4d06a63e2c58429109

Download Submit
\Users\Admin\AppData\Local\Temp\bibs_work\WMVCORE.DLL

Filesize
280KB

MD5
ff49304f8d64bfde7d41354c68ae756a

SHA1
332bbc9dc9c07acb942c12da37df58173515234b

SHA256
0097d7e92ca814025d74edde9ff9ce00dda57bff09d79a43ac8fee0fac4fd27c

SHA512
d7b132cf82414340f5d841f061e8ea971c39ff62598db638d10f554979cc280d54753155aa523332056d279e12b57a2557674f1f82aa5a8325fb6551396cfee9

Download Submit
memory/1752-19-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/1752-20-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/1752-13-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/1752-14-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/1752-16-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/1752-17-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/1752-15-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/1752-18-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/1752-3-0x000000002BD90000-0x000000002C277000-memory.dmp

Filesize
4.9MB

Download
memory/1752-8-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/1752-21-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/1752-22-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/1752-25-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/1752-26-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/1752-27-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/1752-28-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/1752-29-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/1752-30-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads