bitrat | e10c59a299c2ac508cc2184b7a51429af0d2a08ee402be587feb96afc21a8200

Analysis

max time kernel
20s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fc5241baee22db7f0d86911824fec1d.exe
Size

1.8MB
MD5

1fc5241baee22db7f0d86911824fec1d
SHA1

e296a5096a939ce0d6f0505b73d6c23ca1345b85
SHA256

e10c59a299c2ac508cc2184b7a51429af0d2a08ee402be587feb96afc21a8200
SHA512

95e5251a5bb3719009ca043ad89d552cc6dab79648698bb4e23c8e4ba211307a1b0a72decd86dc10440912e701bc1e1551d1a423de4db98b47cee314e9a3b309
SSDEEP

49152:uKrA7xvTHIKkeLkilPcFxRxuH3MabTyikw:7EFvTHIKkeLkWUBsH3nbTyij

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

hopyboss.com:32180

Attributes

communication_password
018a9567ea15470312c40d3e5d6bbcd4
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1396	1fc5241baee22db7f0d86911824fec1d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2484 set thread context of 1396	2484	1fc5241baee22db7f0d86911824fec1d.exe	96

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	1fc5241baee22db7f0d86911824fec1d.exe
Token: SeShutdownPrivilege	1396	1fc5241baee22db7f0d86911824fec1d.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 1396	2484	1fc5241baee22db7f0d86911824fec1d.exe	96
PID 2484 wrote to memory of 1396	2484	1fc5241baee22db7f0d86911824fec1d.exe	96
PID 2484 wrote to memory of 1396	2484	1fc5241baee22db7f0d86911824fec1d.exe	96
PID 2484 wrote to memory of 1396	2484	1fc5241baee22db7f0d86911824fec1d.exe	96
PID 2484 wrote to memory of 1396	2484	1fc5241baee22db7f0d86911824fec1d.exe	96
PID 2484 wrote to memory of 1396	2484	1fc5241baee22db7f0d86911824fec1d.exe	96
PID 2484 wrote to memory of 1396	2484	1fc5241baee22db7f0d86911824fec1d.exe	96
PID 2484 wrote to memory of 1396	2484	1fc5241baee22db7f0d86911824fec1d.exe	96
PID 2484 wrote to memory of 1396	2484	1fc5241baee22db7f0d86911824fec1d.exe	96
PID 2484 wrote to memory of 1396	2484	1fc5241baee22db7f0d86911824fec1d.exe	96
PID 2484 wrote to memory of 1396	2484	1fc5241baee22db7f0d86911824fec1d.exe	96

C:\Users\Admin\AppData\Local\Temp\1fc5241baee22db7f0d86911824fec1d.exe
"C:\Users\Admin\AppData\Local\Temp\1fc5241baee22db7f0d86911824fec1d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\1fc5241baee22db7f0d86911824fec1d.exe
  "C:\Users\Admin\AppData\Local\Temp\1fc5241baee22db7f0d86911824fec1d.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:1396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1396-27-0x0000000074F10000-0x0000000074F49000-memory.dmp

Filesize
228KB

Download
memory/1396-52-0x0000000074F10000-0x0000000074F49000-memory.dmp

Filesize
228KB

Download
memory/1396-51-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-28-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-50-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-48-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-26-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-49-0x0000000074F10000-0x0000000074F49000-memory.dmp

Filesize
228KB

Download
memory/1396-47-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-9-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-10-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-45-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-13-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-12-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-16-0x0000000074B30000-0x0000000074B69000-memory.dmp

Filesize
228KB

Download
memory/1396-17-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-20-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-19-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-46-0x0000000074F10000-0x0000000074F49000-memory.dmp

Filesize
228KB

Download
memory/1396-23-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-24-0x0000000074F10000-0x0000000074F49000-memory.dmp

Filesize
228KB

Download
memory/1396-22-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-18-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-25-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-21-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-44-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-42-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-29-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-31-0x0000000074F10000-0x0000000074F49000-memory.dmp

Filesize
228KB

Download
memory/1396-30-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-33-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-34-0x0000000074F10000-0x0000000074F49000-memory.dmp

Filesize
228KB

Download
memory/1396-32-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-35-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-37-0x0000000074F10000-0x0000000074F49000-memory.dmp

Filesize
228KB

Download
memory/1396-36-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-40-0x0000000074F10000-0x0000000074F49000-memory.dmp

Filesize
228KB

Download
memory/1396-39-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-38-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-41-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1396-43-0x0000000074F10000-0x0000000074F49000-memory.dmp

Filesize
228KB

Download
memory/2484-3-0x0000000005390000-0x0000000005934000-memory.dmp

Filesize
5.6MB

Download
memory/2484-6-0x0000000004D00000-0x0000000004D0A000-memory.dmp

Filesize
40KB

Download
memory/2484-2-0x0000000004D40000-0x0000000004DDC000-memory.dmp

Filesize
624KB

Download
memory/2484-14-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/2484-8-0x000000000B8F0000-0x000000000BCB8000-memory.dmp

Filesize
3.8MB

Download
memory/2484-7-0x00000000081B0000-0x000000000832E000-memory.dmp

Filesize
1.5MB

Download
memory/2484-5-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/2484-0-0x0000000000120000-0x00000000002EA000-memory.dmp

Filesize
1.8MB

Download
memory/2484-1-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/2484-4-0x0000000004DE0000-0x0000000004E72000-memory.dmp

Filesize
584KB

Download