bitrat | 1972ef1673d32236f0c87e52ddab2d5472af789e6de1d70ccd22c4cdf4839e54

General

Target

1986c381aa62399f7e9d0b78e220d251.exe
Size

2.0MB
MD5

1986c381aa62399f7e9d0b78e220d251
SHA1

619700a00961904426b5ecae5b344f753315738d
SHA256

1972ef1673d32236f0c87e52ddab2d5472af789e6de1d70ccd22c4cdf4839e54
SHA512

f1b7baf0576aa873c59bd0dc2eac11d297b6c1d8b6080ca99dcff694338049f09ddb66970a55a327800cbb7855b25d5548d4669426732761bd81991d478d1f15
SSDEEP

49152:AYvMRWsoJqFYqKRd5AyM3xSa3jBSWC7NjPi9F+w:A9RYJqFYFxAbBSa3jAXj9w

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

89.248.173.187:5506

Attributes

communication_password
fcea920f7412b5da7be0cf42b8c93759
install_dir
sazpclv
install_file
wmzr.exe
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1986c381aa62399f7e9d0b78e220d251.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmzr = "C:\\Users\\Admin\\AppData\\Local\\sazpclv\\wmzr.exe"	1986c381aa62399f7e9d0b78e220d251.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmzr = "C:\\Users\\Admin\\AppData\\Local\\sazpclv\\wmzr.exeԀ"	1986c381aa62399f7e9d0b78e220d251.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmzr = "C:\\Users\\Admin\\AppData\\Local\\sazpclv\\wmzr.exe瘀"	1986c381aa62399f7e9d0b78e220d251.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

1986c381aa62399f7e9d0b78e220d251.exe

pid	process
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1986c381aa62399f7e9d0b78e220d251.exe

description pid process target process

PID 3584 set thread context of 4988 3584 1986c381aa62399f7e9d0b78e220d251.exe 1986c381aa62399f7e9d0b78e220d251.exe

description	pid	process	target process
PID 3584 set thread context of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	1986c381aa62399f7e9d0b78e220d251.exe

Suspicious behavior: RenamesItself 29 IoCs

Processes:

1986c381aa62399f7e9d0b78e220d251.exe

pid	process
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1986c381aa62399f7e9d0b78e220d251.exe

description pid process

Token: SeShutdownPrivilege 4988 1986c381aa62399f7e9d0b78e220d251.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1986c381aa62399f7e9d0b78e220d251.exe

pid process

4988 1986c381aa62399f7e9d0b78e220d251.exe
4988 1986c381aa62399f7e9d0b78e220d251.exe

description	pid	process
Token: SeShutdownPrivilege	4988	1986c381aa62399f7e9d0b78e220d251.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

1986c381aa62399f7e9d0b78e220d251.exe

description	pid	process	target process
PID 3584 wrote to memory of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	1986c381aa62399f7e9d0b78e220d251.exe
PID 3584 wrote to memory of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	1986c381aa62399f7e9d0b78e220d251.exe
PID 3584 wrote to memory of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	1986c381aa62399f7e9d0b78e220d251.exe
PID 3584 wrote to memory of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	1986c381aa62399f7e9d0b78e220d251.exe
PID 3584 wrote to memory of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	1986c381aa62399f7e9d0b78e220d251.exe
PID 3584 wrote to memory of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	1986c381aa62399f7e9d0b78e220d251.exe
PID 3584 wrote to memory of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	1986c381aa62399f7e9d0b78e220d251.exe
PID 3584 wrote to memory of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	1986c381aa62399f7e9d0b78e220d251.exe
PID 3584 wrote to memory of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	1986c381aa62399f7e9d0b78e220d251.exe
PID 3584 wrote to memory of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	1986c381aa62399f7e9d0b78e220d251.exe
PID 3584 wrote to memory of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	1986c381aa62399f7e9d0b78e220d251.exe

C:\Users\Admin\AppData\Local\Temp\1986c381aa62399f7e9d0b78e220d251.exe
"C:\Users\Admin\AppData\Local\Temp\1986c381aa62399f7e9d0b78e220d251.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3584

C:\Users\Admin\AppData\Local\Temp\1986c381aa62399f7e9d0b78e220d251.exe
"C:\Users\Admin\AppData\Local\Temp\1986c381aa62399f7e9d0b78e220d251.exe"
2⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3584-2-0x0000000004F00000-0x00000000052C5000-memory.dmp

Filesize
3.8MB

Download
memory/3584-1-0x0000000004D10000-0x0000000004EFE000-memory.dmp

Filesize
1.9MB

Download
memory/4988-23-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-12-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-6-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-25-0x0000000074940000-0x0000000074979000-memory.dmp

Filesize
228KB

Download
memory/4988-7-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-27-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-9-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-26-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-14-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-15-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-16-0x0000000074940000-0x0000000074979000-memory.dmp

Filesize
228KB

Download
memory/4988-13-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-11-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-10-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-18-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-19-0x0000000074940000-0x0000000074979000-memory.dmp

Filesize
228KB

Download
memory/4988-17-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-20-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-5-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-24-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-3-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-4-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-8-0x0000000074C80000-0x0000000074CB9000-memory.dmp

Filesize
228KB

Download
memory/4988-28-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-29-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-36-0x0000000074940000-0x0000000074979000-memory.dmp

Filesize
228KB

Download
memory/4988-39-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-40-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-41-0x0000000074940000-0x0000000074979000-memory.dmp

Filesize
228KB

Download
memory/4988-42-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-44-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-45-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-46-0x0000000074940000-0x0000000074979000-memory.dmp

Filesize
228KB

Download
memory/4988-47-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-50-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-51-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-52-0x0000000074940000-0x0000000074979000-memory.dmp

Filesize
228KB

Download
memory/4988-53-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-55-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-56-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-57-0x0000000074940000-0x0000000074979000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads