bitrat | 1972ef1673d32236f0c87e52ddab2d5472af789e6de1d70ccd22c4cdf4839e54

Analysis

max time kernel
150s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1986c381aa62399f7e9d0b78e220d251.exe
Size

2.0MB
MD5

1986c381aa62399f7e9d0b78e220d251
SHA1

619700a00961904426b5ecae5b344f753315738d
SHA256

1972ef1673d32236f0c87e52ddab2d5472af789e6de1d70ccd22c4cdf4839e54
SHA512

f1b7baf0576aa873c59bd0dc2eac11d297b6c1d8b6080ca99dcff694338049f09ddb66970a55a327800cbb7855b25d5548d4669426732761bd81991d478d1f15
SSDEEP

49152:AYvMRWsoJqFYqKRd5AyM3xSa3jBSWC7NjPi9F+w:A9RYJqFYFxAbBSa3jAXj9w

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

89.248.173.187:5506

Attributes

communication_password
fcea920f7412b5da7be0cf42b8c93759
install_dir
sazpclv
install_file
wmzr.exe
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmzr = "C:\\Users\\Admin\\AppData\\Local\\sazpclv\\wmzr.exe"	1986c381aa62399f7e9d0b78e220d251.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmzr = "C:\\Users\\Admin\\AppData\\Local\\sazpclv\\wmzr.exeԀ"	1986c381aa62399f7e9d0b78e220d251.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmzr = "C:\\Users\\Admin\\AppData\\Local\\sazpclv\\wmzr.exe瘀"	1986c381aa62399f7e9d0b78e220d251.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3584 set thread context of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	90

Suspicious behavior: RenamesItself 29 IoCs

pid	Process
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4988	1986c381aa62399f7e9d0b78e220d251.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4988	1986c381aa62399f7e9d0b78e220d251.exe
4988	1986c381aa62399f7e9d0b78e220d251.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	90
PID 3584 wrote to memory of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	90
PID 3584 wrote to memory of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	90
PID 3584 wrote to memory of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	90
PID 3584 wrote to memory of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	90
PID 3584 wrote to memory of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	90
PID 3584 wrote to memory of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	90
PID 3584 wrote to memory of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	90
PID 3584 wrote to memory of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	90
PID 3584 wrote to memory of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	90
PID 3584 wrote to memory of 4988	3584	1986c381aa62399f7e9d0b78e220d251.exe	90

C:\Users\Admin\AppData\Local\Temp\1986c381aa62399f7e9d0b78e220d251.exe
"C:\Users\Admin\AppData\Local\Temp\1986c381aa62399f7e9d0b78e220d251.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Users\Admin\AppData\Local\Temp\1986c381aa62399f7e9d0b78e220d251.exe
  "C:\Users\Admin\AppData\Local\Temp\1986c381aa62399f7e9d0b78e220d251.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3584-2-0x0000000004F00000-0x00000000052C5000-memory.dmp

Filesize
3.8MB

Download
memory/3584-1-0x0000000004D10000-0x0000000004EFE000-memory.dmp

Filesize
1.9MB

Download
memory/4988-23-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-12-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-6-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-25-0x0000000074940000-0x0000000074979000-memory.dmp

Filesize
228KB

Download
memory/4988-7-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-27-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-9-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-26-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-14-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-15-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-16-0x0000000074940000-0x0000000074979000-memory.dmp

Filesize
228KB

Download
memory/4988-13-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-11-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-10-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-18-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-19-0x0000000074940000-0x0000000074979000-memory.dmp

Filesize
228KB

Download
memory/4988-17-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-20-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-5-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-24-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-3-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-4-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-8-0x0000000074C80000-0x0000000074CB9000-memory.dmp

Filesize
228KB

Download
memory/4988-28-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-29-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-36-0x0000000074940000-0x0000000074979000-memory.dmp

Filesize
228KB

Download
memory/4988-39-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-40-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-41-0x0000000074940000-0x0000000074979000-memory.dmp

Filesize
228KB

Download
memory/4988-42-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-44-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-45-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-46-0x0000000074940000-0x0000000074979000-memory.dmp

Filesize
228KB

Download
memory/4988-47-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-50-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-51-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-52-0x0000000074940000-0x0000000074979000-memory.dmp

Filesize
228KB

Download
memory/4988-53-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-55-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-56-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4988-57-0x0000000074940000-0x0000000074979000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads