bitrat | 4e1c013bf36b27f78e0fdc7ab5a67bc3f62f33c97f5848daf40df7ec7d842fa4

General

Target

15478642d48681a67374167d173d4f84.exe
Size

4.9MB
MD5

15478642d48681a67374167d173d4f84
SHA1

9790217e8b9a2134f2abf451ac68c847dc31c905
SHA256

4e1c013bf36b27f78e0fdc7ab5a67bc3f62f33c97f5848daf40df7ec7d842fa4
SHA512

4b8c58f0605c562bddddabff542b76a06a65206c90c3bf430752785287fc88afc2a38c7780e1d94650735ec9a0f45ad8d9540e10fd0300734626c867d0ee5819
SSDEEP

98304:6jT71ntlY5xzFunCcZ2iH9oFfQPjpw6D8cKuEBQ5Qbg+db778Fm/S3DdK1NPgf6K:i3fCcZZ2VQtbXQ9A5DdK1NPgCWXaYRX7

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

185.215.113.102:1234

Attributes

communication_password
5d55208d3d81a0bf50741250fe5b93d7
install_dir
GuiterX
install_file
GuiterX.exe
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

15478642d48681a67374167d173d4f84.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GuiterX = "C:\\Users\\Admin\\AppData\\Local\\GuiterX\\GuiterX.exe퀀"	15478642d48681a67374167d173d4f84.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GuiterX = "C:\\Users\\Admin\\AppData\\Local\\GuiterX\\GuiterX.exeȀ"	15478642d48681a67374167d173d4f84.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GuiterX = "C:\\Users\\Admin\\AppData\\Local\\GuiterX\\GuiterX.exe⬀"	15478642d48681a67374167d173d4f84.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GuiterX = "C:\\Users\\Admin\\AppData\\Local\\GuiterX\\GuiterX.exe팀"	15478642d48681a67374167d173d4f84.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GuiterX = "C:\\Users\\Admin\\AppData\\Local\\GuiterX\\GuiterX.exe"	15478642d48681a67374167d173d4f84.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

15478642d48681a67374167d173d4f84.exe

pid	process
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe

Suspicious behavior: RenamesItself 11 IoCs

Processes:

15478642d48681a67374167d173d4f84.exe

pid	process
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

15478642d48681a67374167d173d4f84.exe

description pid process

Token: SeShutdownPrivilege 3532 15478642d48681a67374167d173d4f84.exe

description	pid	process
Token: SeShutdownPrivilege	3532	15478642d48681a67374167d173d4f84.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

15478642d48681a67374167d173d4f84.exe

pid	process
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

15478642d48681a67374167d173d4f84.exe

pid	process
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe
3532	15478642d48681a67374167d173d4f84.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

15478642d48681a67374167d173d4f84.exe

pid process

3532 15478642d48681a67374167d173d4f84.exe
3532 15478642d48681a67374167d173d4f84.exe

C:\Users\Admin\AppData\Local\Temp\15478642d48681a67374167d173d4f84.exe
"C:\Users\Admin\AppData\Local\Temp\15478642d48681a67374167d173d4f84.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3532-0-0x0000000000400000-0x00000000008EE000-memory.dmp

Filesize
4.9MB

Download
memory/3532-1-0x0000000000400000-0x00000000008EE000-memory.dmp

Filesize
4.9MB

Download
memory/3532-2-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/3532-3-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/3532-4-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/3532-5-0x00000000740A0000-0x00000000740D9000-memory.dmp

Filesize
228KB

Download
memory/3532-6-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/3532-7-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/3532-9-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/3532-10-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/3532-11-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/3532-13-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/3532-12-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/3532-14-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/3532-15-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/3532-16-0x0000000073D70000-0x0000000073DA9000-memory.dmp

Filesize
228KB

Download
memory/3532-17-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/3532-18-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/3532-19-0x0000000073D70000-0x0000000073DA9000-memory.dmp

Filesize
228KB

Download
memory/3532-20-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/3532-21-0x0000000003010000-0x00000000033DE000-memory.dmp

Filesize
3.8MB

Download
memory/3532-22-0x0000000073D70000-0x0000000073DA9000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads