bitrat | 08ef1a2643f2d97ea39aa628a6a56a1109db245ae5c795278b4529d9e2f4a4c7

General

Target

49b2e2c622aed1aaccb8f17d500b7321.exe
Size

2.6MB
MD5

49b2e2c622aed1aaccb8f17d500b7321
SHA1

a73b715a6ce39a6983c29765de0eef9156899ed3
SHA256

08ef1a2643f2d97ea39aa628a6a56a1109db245ae5c795278b4529d9e2f4a4c7
SHA512

0da166b392bcfe55c700a123414b03d706f5eb3c585e905f7db32b0db004f189c517f11ed343428ac92a9559538f05a2fb802fe5c0e210a8d233719c154c0328
SSDEEP

49152:9cUUQTLnKiVql9Bs8dKj+LFh2Hs7VcsxL2QlAQjLGi/9JNIzg6:mwHs9s8lLFxfCQ2QjLH9uJ

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

jocker02.linkpc.net:1337

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

49b2e2c622aed1aaccb8f17d500b7321.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\xKsLHgjFBHJwJAJa\\zfwkp3Bxen1q.exe\",explorer.exe"	49b2e2c622aed1aaccb8f17d500b7321.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

49b2e2c622aed1aaccb8f17d500b7321.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	49b2e2c622aed1aaccb8f17d500b7321.exe

Executes dropped EXE 1 IoCs

Processes:

LjxfafwG2u3lPRqn.exe

pid process

1728 LjxfafwG2u3lPRqn.exe

pid	process
1728	LjxfafwG2u3lPRqn.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

49b2e2c622aed1aaccb8f17d500b7321.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	49b2e2c622aed1aaccb8f17d500b7321.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	49b2e2c622aed1aaccb8f17d500b7321.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

49b2e2c622aed1aaccb8f17d500b7321.exe

pid	process
2108	49b2e2c622aed1aaccb8f17d500b7321.exe
2108	49b2e2c622aed1aaccb8f17d500b7321.exe
2108	49b2e2c622aed1aaccb8f17d500b7321.exe
2108	49b2e2c622aed1aaccb8f17d500b7321.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

49b2e2c622aed1aaccb8f17d500b7321.exe

description pid process target process

PID 1152 set thread context of 2108 1152 49b2e2c622aed1aaccb8f17d500b7321.exe 49b2e2c622aed1aaccb8f17d500b7321.exe

description	pid	process	target process
PID 1152 set thread context of 2108	1152	49b2e2c622aed1aaccb8f17d500b7321.exe	49b2e2c622aed1aaccb8f17d500b7321.exe

Drops file in Windows directory 3 IoCs

Processes:

49b2e2c622aed1aaccb8f17d500b7321.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	49b2e2c622aed1aaccb8f17d500b7321.exe
File created	C:\Windows\assembly\Desktop.ini	49b2e2c622aed1aaccb8f17d500b7321.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	49b2e2c622aed1aaccb8f17d500b7321.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3916 1152 WerFault.exe 49b2e2c622aed1aaccb8f17d500b7321.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

49b2e2c622aed1aaccb8f17d500b7321.exe

pid process

1152 49b2e2c622aed1aaccb8f17d500b7321.exe
1152 49b2e2c622aed1aaccb8f17d500b7321.exe
1152 49b2e2c622aed1aaccb8f17d500b7321.exe

pid	pid_target	process	target process
3916	1152	WerFault.exe	49b2e2c622aed1aaccb8f17d500b7321.exe

pid	process
1152	49b2e2c622aed1aaccb8f17d500b7321.exe
1152	49b2e2c622aed1aaccb8f17d500b7321.exe
1152	49b2e2c622aed1aaccb8f17d500b7321.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

49b2e2c622aed1aaccb8f17d500b7321.exe49b2e2c622aed1aaccb8f17d500b7321.exe

description	pid	process
Token: SeDebugPrivilege	1152	49b2e2c622aed1aaccb8f17d500b7321.exe
Token: 33	1152	49b2e2c622aed1aaccb8f17d500b7321.exe
Token: SeIncBasePriorityPrivilege	1152	49b2e2c622aed1aaccb8f17d500b7321.exe
Token: SeShutdownPrivilege	2108	49b2e2c622aed1aaccb8f17d500b7321.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

49b2e2c622aed1aaccb8f17d500b7321.exe

pid process

2108 49b2e2c622aed1aaccb8f17d500b7321.exe
2108 49b2e2c622aed1aaccb8f17d500b7321.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

49b2e2c622aed1aaccb8f17d500b7321.exe

description	pid	process	target process
PID 1152 wrote to memory of 1728	1152	49b2e2c622aed1aaccb8f17d500b7321.exe	LjxfafwG2u3lPRqn.exe
PID 1152 wrote to memory of 1728	1152	49b2e2c622aed1aaccb8f17d500b7321.exe	LjxfafwG2u3lPRqn.exe
PID 1152 wrote to memory of 2108	1152	49b2e2c622aed1aaccb8f17d500b7321.exe	49b2e2c622aed1aaccb8f17d500b7321.exe
PID 1152 wrote to memory of 2108	1152	49b2e2c622aed1aaccb8f17d500b7321.exe	49b2e2c622aed1aaccb8f17d500b7321.exe
PID 1152 wrote to memory of 2108	1152	49b2e2c622aed1aaccb8f17d500b7321.exe	49b2e2c622aed1aaccb8f17d500b7321.exe
PID 1152 wrote to memory of 2108	1152	49b2e2c622aed1aaccb8f17d500b7321.exe	49b2e2c622aed1aaccb8f17d500b7321.exe
PID 1152 wrote to memory of 2108	1152	49b2e2c622aed1aaccb8f17d500b7321.exe	49b2e2c622aed1aaccb8f17d500b7321.exe
PID 1152 wrote to memory of 2108	1152	49b2e2c622aed1aaccb8f17d500b7321.exe	49b2e2c622aed1aaccb8f17d500b7321.exe
PID 1152 wrote to memory of 2108	1152	49b2e2c622aed1aaccb8f17d500b7321.exe	49b2e2c622aed1aaccb8f17d500b7321.exe
PID 1152 wrote to memory of 2108	1152	49b2e2c622aed1aaccb8f17d500b7321.exe	49b2e2c622aed1aaccb8f17d500b7321.exe
PID 1152 wrote to memory of 2108	1152	49b2e2c622aed1aaccb8f17d500b7321.exe	49b2e2c622aed1aaccb8f17d500b7321.exe
PID 1152 wrote to memory of 2108	1152	49b2e2c622aed1aaccb8f17d500b7321.exe	49b2e2c622aed1aaccb8f17d500b7321.exe
PID 1152 wrote to memory of 2108	1152	49b2e2c622aed1aaccb8f17d500b7321.exe	49b2e2c622aed1aaccb8f17d500b7321.exe

C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe
"C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\LjxfafwG2u3lPRqn.exe
"C:\Users\Admin\AppData\Local\Temp\LjxfafwG2u3lPRqn.exe"
2⤵
- Executes dropped EXE
PID:1728

C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe
"C:\Users\Admin\AppData\Local\Temp\49b2e2c622aed1aaccb8f17d500b7321.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 1728
2⤵
- Program crash
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1152 -ip 1152
1⤵
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LjxfafwG2u3lPRqn.exe
Filesize
300KB

MD5
95440e86695cfc0ba9a15d1563759839

SHA1
9e1148f6b5ccd08941a9a6cd9587b6f563f26262

SHA256
77b45ebb6a0fadbe2deaf8785cb0c354f801d5244e3d0fd12647f467b7cfbdeb

SHA512
2db531f0949f5e570cc5adfdb2fff3598995b03070471919c2bab998c9d6098d1177011f66969a235a995aaec2a6f267100f69b0d7883aa109f9c2859e8285a1

Download Submit
memory/1152-0-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/1152-1-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/1152-2-0x00000000015A0000-0x00000000015B0000-memory.dmp

Filesize
64KB

Download
memory/1152-5-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/1152-6-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/1152-39-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/2108-26-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2108-30-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2108-23-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2108-24-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2108-25-0x0000000071370000-0x00000000713A9000-memory.dmp

Filesize
228KB

Download
memory/2108-22-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2108-27-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2108-29-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2108-28-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2108-21-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2108-31-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2108-32-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2108-33-0x00000000710C0000-0x00000000710F9000-memory.dmp

Filesize
228KB

Download
memory/2108-34-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2108-35-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2108-36-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2108-37-0x0000000070F10000-0x0000000070F49000-memory.dmp

Filesize
228KB

Download
memory/2108-20-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads