bitrat | 8bbcb07f1b37283bcc961d9712cf7ed5254356e7312b3dd6043149ccea3ecacd

General

Target

4c9ceae3c89cb93757c9114167f3b49b.exe
Size

3.7MB
MD5

4c9ceae3c89cb93757c9114167f3b49b
SHA1

5540096d48d2e8472b9cfcc6939d99f6a5951c3a
SHA256

8bbcb07f1b37283bcc961d9712cf7ed5254356e7312b3dd6043149ccea3ecacd
SHA512

3488be3e6b0e7c905ce47182f7077a11fef44bdb4f8cb543bb53e07f7c064c97abdd30ba5af0f08d4f814fd33e6f9c26c90b6a3cf5c912cab202921589b3d586
SSDEEP

49152:zHq/YPMv4pEJ3vDCLa+GP84xoTSuuTZT5zLQ3q0:zK/E44pG7CLa+GPXxoTfSnz

Score

10^/10

bitrat agilenet persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrtdollars.itsaol.com:1780

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4c9ceae3c89cb93757c9114167f3b49b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	4c9ceae3c89cb93757c9114167f3b49b.exe

Executes dropped EXE 2 IoCs

Processes:

Foxmark.exemscorsvw.exe

pid process

3472 Foxmark.exe
1720 mscorsvw.exe

pid	process
3472	Foxmark.exe
1720	mscorsvw.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/1304-6-0x00000000070A0000-0x00000000070C8000-memory.dmp	agile_net

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1720-40-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1720-43-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1720-42-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1720-39-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1720-35-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1720-44-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1720-46-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1720-50-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1720-52-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1720-51-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1720-49-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1720-48-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1720-47-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1720-54-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1720-56-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1720-55-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Foxmark = "C:\\Users\\Admin\\AppData\\Roaming\\Foxmark.exe"	reg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

mscorsvw.exe

pid process

1720 mscorsvw.exe
1720 mscorsvw.exe
1720 mscorsvw.exe
1720 mscorsvw.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Foxmark.exe

description pid process target process

PID 3472 set thread context of 1720 3472 Foxmark.exe mscorsvw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1720	mscorsvw.exe
1720	mscorsvw.exe
1720	mscorsvw.exe
1720	mscorsvw.exe

description	pid	process	target process
PID 3472 set thread context of 1720	3472	Foxmark.exe	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

4c9ceae3c89cb93757c9114167f3b49b.exeFoxmark.exe

pid	process
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
1304	4c9ceae3c89cb93757c9114167f3b49b.exe
3472	Foxmark.exe
3472	Foxmark.exe
3472	Foxmark.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

4c9ceae3c89cb93757c9114167f3b49b.exeFoxmark.exemscorsvw.exe

description	pid	process
Token: SeDebugPrivilege	1304	4c9ceae3c89cb93757c9114167f3b49b.exe
Token: SeDebugPrivilege	3472	Foxmark.exe
Token: SeShutdownPrivilege	1720	mscorsvw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

mscorsvw.exe

pid process

1720 mscorsvw.exe
1720 mscorsvw.exe

pid	process
1720	mscorsvw.exe
1720	mscorsvw.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

4c9ceae3c89cb93757c9114167f3b49b.execmd.exeFoxmark.exe

description	pid	process	target process
PID 1304 wrote to memory of 3664	1304	4c9ceae3c89cb93757c9114167f3b49b.exe	cmd.exe
PID 1304 wrote to memory of 3664	1304	4c9ceae3c89cb93757c9114167f3b49b.exe	cmd.exe
PID 1304 wrote to memory of 3664	1304	4c9ceae3c89cb93757c9114167f3b49b.exe	cmd.exe
PID 3664 wrote to memory of 4736	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 4736	3664	cmd.exe	reg.exe
PID 3664 wrote to memory of 4736	3664	cmd.exe	reg.exe
PID 1304 wrote to memory of 3472	1304	4c9ceae3c89cb93757c9114167f3b49b.exe	Foxmark.exe
PID 1304 wrote to memory of 3472	1304	4c9ceae3c89cb93757c9114167f3b49b.exe	Foxmark.exe
PID 1304 wrote to memory of 3472	1304	4c9ceae3c89cb93757c9114167f3b49b.exe	Foxmark.exe
PID 3472 wrote to memory of 1720	3472	Foxmark.exe	mscorsvw.exe
PID 3472 wrote to memory of 1720	3472	Foxmark.exe	mscorsvw.exe
PID 3472 wrote to memory of 1720	3472	Foxmark.exe	mscorsvw.exe
PID 3472 wrote to memory of 1720	3472	Foxmark.exe	mscorsvw.exe
PID 3472 wrote to memory of 1720	3472	Foxmark.exe	mscorsvw.exe
PID 3472 wrote to memory of 1720	3472	Foxmark.exe	mscorsvw.exe
PID 3472 wrote to memory of 1720	3472	Foxmark.exe	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\4c9ceae3c89cb93757c9114167f3b49b.exe
"C:\Users\Admin\AppData\Local\Temp\4c9ceae3c89cb93757c9114167f3b49b.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Foxmark" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Foxmark.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Foxmark" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Foxmark.exe"
3⤵
- Adds Run key to start application
PID:4736

C:\Users\Admin\AppData\Roaming\Foxmark.exe
"C:\Users\Admin\AppData\Roaming\Foxmark.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3472

C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe
"C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe
Filesize
131KB

MD5
8ea79e659da869468746abe850d67996

SHA1
c4d483ac89670539592d1b73733c25fb4fe3f574

SHA256
7d8d8696acd1815316174fba563f2e2ad0be3b5e9c6a28e237f9131a41067169

SHA512
f7d62ffa3f0cd1e3e8a163ee2d724854f749ece3169180f573ca683f2641519e8c7fc4308e0e4cc362a78f40640649d2f251ff0e35cd1e1710f810d79b7512b5

Download Submit
C:\Users\Admin\AppData\Roaming\Foxmark.exe
Filesize
361KB

MD5
ba896ced9cb2df2857ddd6267afb134e

SHA1
b4dd3f75386ead83ab8582db0b08305342236358

SHA256
ae02e8fd1b7450be811e2b4eb174350945269bafcbf213528bef6851b590856d

SHA512
7ea2fe24f93ff830d717a8aba3c24deab92be0a711a00867759bcc3d2836b62ff2e9e7b2d822fd51d15eb96ee0bcf8cc40b7a5a02f8fa071caabf60ad511a029

Download Submit
C:\Users\Admin\AppData\Roaming\Foxmark.exe
Filesize
632KB

MD5
a86bb8cf61901b41411a0a1627388695

SHA1
f51d535cf72b12b20c5c11d7f940da4a8ddc99d1

SHA256
3d53c6708beed0729517220d66802d31b9610a2ec62be1d677c090b464fcefb4

SHA512
d771ec654967a0dc9fcfb7985111d8da88db9d5c3afaf13a4113b0ca6e52e6bb55f6959a73e7435c78193c46ccb43f7990ce3320b3e31ce48289c4644eb10275

Download Submit
memory/1304-3-0x00000000059A0000-0x0000000005A32000-memory.dmp

Filesize
584KB

Download
memory/1304-4-0x0000000005A40000-0x0000000005ADC000-memory.dmp

Filesize
624KB

Download
memory/1304-5-0x0000000005BC0000-0x0000000005BD0000-memory.dmp

Filesize
64KB

Download
memory/1304-6-0x00000000070A0000-0x00000000070C8000-memory.dmp

Filesize
160KB

Download
memory/1304-7-0x00000000071B0000-0x0000000007216000-memory.dmp

Filesize
408KB

Download
memory/1304-8-0x0000000007140000-0x0000000007162000-memory.dmp

Filesize
136KB

Download
memory/1304-9-0x0000000005BC0000-0x0000000005BD0000-memory.dmp

Filesize
64KB

Download
memory/1304-10-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/1304-11-0x0000000005BC0000-0x0000000005BD0000-memory.dmp

Filesize
64KB

Download
memory/1304-2-0x0000000005F50000-0x00000000064F4000-memory.dmp

Filesize
5.6MB

Download
memory/1304-0-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/1304-25-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/1304-1-0x0000000000CC0000-0x000000000106E000-memory.dmp

Filesize
3.7MB

Download
memory/1720-50-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1720-35-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1720-55-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1720-57-0x0000000074C40000-0x0000000074C79000-memory.dmp

Filesize
228KB

Download
memory/1720-56-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1720-54-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1720-47-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1720-40-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1720-43-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1720-42-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1720-48-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1720-39-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1720-49-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1720-51-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1720-44-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1720-45-0x00000000748A0000-0x00000000748D9000-memory.dmp

Filesize
228KB

Download
memory/1720-46-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1720-52-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1720-53-0x0000000074C40000-0x0000000074C79000-memory.dmp

Filesize
228KB

Download
memory/3472-26-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/3472-28-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/3472-27-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/3472-41-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/3472-33-0x0000000004A80000-0x0000000004A86000-memory.dmp

Filesize
24KB

Download
memory/3472-32-0x0000000006A60000-0x0000000006A74000-memory.dmp

Filesize
80KB

Download
memory/3472-31-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/3472-30-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/3472-29-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads