bitrat | ca05d3ab36565eac8ea1e51defde0ed20d7dfed046e00de4808d0dc71bf51973

General

Target

59ae4f79e3ae6f4035777fbfa5e15688.exe
Size

2.2MB
MD5

59ae4f79e3ae6f4035777fbfa5e15688
SHA1

91314991baa2d97f9e4e22f3370f29cbde65733f
SHA256

ca05d3ab36565eac8ea1e51defde0ed20d7dfed046e00de4808d0dc71bf51973
SHA512

d05b8f69c89dbc5b92173c6a32dda989d9bd404b6562f0d92789ae7d854b44118c18b6172fc5482dd98a8e6678def8c053cb83452e1ded77f2cda026d2c263bb
SSDEEP

49152:haPNbH/WLJpZ6xCNg1TdY4zEJ0yCHAC4fHu2+ADK/k6P1y:s48CNE2wli5DQd

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.35

C2

storage.nsupdate.info:8973

Attributes

communication_password
bf771c9d082071fe80b18bb678220682
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1688-28-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-31-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-39-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-42-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-44-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-37-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-51-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-35-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-56-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-57-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-60-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-58-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-64-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-65-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-67-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-68-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-69-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-71-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-72-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-73-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-74-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-75-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

MSBuild.exe

pid process

1688 MSBuild.exe
1688 MSBuild.exe
1688 MSBuild.exe
1688 MSBuild.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

59ae4f79e3ae6f4035777fbfa5e15688.exe

description pid process target process

PID 2920 set thread context of 1688 2920 59ae4f79e3ae6f4035777fbfa5e15688.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2820 schtasks.exe

pid	process
1688	MSBuild.exe
1688	MSBuild.exe
1688	MSBuild.exe
1688	MSBuild.exe

description	pid	process	target process
PID 2920 set thread context of 1688	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	MSBuild.exe

pid	process
2820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

59ae4f79e3ae6f4035777fbfa5e15688.exepowershell.exepowershell.exepowershell.exe

pid	process
2920	59ae4f79e3ae6f4035777fbfa5e15688.exe
2920	59ae4f79e3ae6f4035777fbfa5e15688.exe
2920	59ae4f79e3ae6f4035777fbfa5e15688.exe
2920	59ae4f79e3ae6f4035777fbfa5e15688.exe
848	powershell.exe
2832	powershell.exe
2572	powershell.exe
2920	59ae4f79e3ae6f4035777fbfa5e15688.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

59ae4f79e3ae6f4035777fbfa5e15688.exepowershell.exepowershell.exepowershell.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	1688	MSBuild.exe
Token: SeShutdownPrivilege	1688	MSBuild.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

MSBuild.exe

pid process

1688 MSBuild.exe
1688 MSBuild.exe

pid	process
1688	MSBuild.exe
1688	MSBuild.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

59ae4f79e3ae6f4035777fbfa5e15688.exe

description	pid	process	target process
PID 2920 wrote to memory of 2572	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	powershell.exe
PID 2920 wrote to memory of 2572	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	powershell.exe
PID 2920 wrote to memory of 2572	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	powershell.exe
PID 2920 wrote to memory of 2572	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	powershell.exe
PID 2920 wrote to memory of 2832	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	powershell.exe
PID 2920 wrote to memory of 2832	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	powershell.exe
PID 2920 wrote to memory of 2832	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	powershell.exe
PID 2920 wrote to memory of 2832	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	powershell.exe
PID 2920 wrote to memory of 2820	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	schtasks.exe
PID 2920 wrote to memory of 2820	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	schtasks.exe
PID 2920 wrote to memory of 2820	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	schtasks.exe
PID 2920 wrote to memory of 2820	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	schtasks.exe
PID 2920 wrote to memory of 848	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	powershell.exe
PID 2920 wrote to memory of 848	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	powershell.exe
PID 2920 wrote to memory of 848	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	powershell.exe
PID 2920 wrote to memory of 848	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	powershell.exe
PID 2920 wrote to memory of 1992	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	MSBuild.exe
PID 2920 wrote to memory of 1992	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	MSBuild.exe
PID 2920 wrote to memory of 1992	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	MSBuild.exe
PID 2920 wrote to memory of 1992	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	MSBuild.exe
PID 2920 wrote to memory of 2504	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	MSBuild.exe
PID 2920 wrote to memory of 2504	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	MSBuild.exe
PID 2920 wrote to memory of 2504	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	MSBuild.exe
PID 2920 wrote to memory of 2504	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	MSBuild.exe
PID 2920 wrote to memory of 1688	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	MSBuild.exe
PID 2920 wrote to memory of 1688	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	MSBuild.exe
PID 2920 wrote to memory of 1688	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	MSBuild.exe
PID 2920 wrote to memory of 1688	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	MSBuild.exe
PID 2920 wrote to memory of 1688	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	MSBuild.exe
PID 2920 wrote to memory of 1688	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	MSBuild.exe
PID 2920 wrote to memory of 1688	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	MSBuild.exe
PID 2920 wrote to memory of 1688	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\59ae4f79e3ae6f4035777fbfa5e15688.exe
"C:\Users\Admin\AppData\Local\Temp\59ae4f79e3ae6f4035777fbfa5e15688.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\59ae4f79e3ae6f4035777fbfa5e15688.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EqgDXdibLF.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EqgDXdibLF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4605.tmp"
2⤵
- Creates scheduled task(s)
PID:2820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EqgDXdibLF.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:2504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1688

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4605.tmp
Filesize
1KB

MD5
68c7c12acd320031640ac0bf86787695

SHA1
e455537d9638bd4360cfe44b79cfab9bb8a67672

SHA256
4c40290d21a45dd221abb9b480c021d47b91822096bad32444578afed72edae1

SHA512
2f22ef3f0c432b0f21eb9ddaa52c4148114fcfbd815b1143f01e540ec3a0bcf6291412a4e5d62c0c4eabcb0bbc47202333a5c2149b6f1422b4ffdf79e46cb5d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S69H0AAXQ61IESR50O59.temp
Filesize
7KB

MD5
1bccb058858af793b8a80dc65176e35d

SHA1
f95b3aea33e0f5f7dd0bbd66ce659a4e0f073246

SHA256
178d193469a618000f7bb405aca0fa8f094dc57a1ac8d7661eb9a94cb818328b

SHA512
701d02c4d997606bc21bc793b31961bc58281e6c2c2ee37c25d4e56e41b5893cdd04e8e9e1412c4166199831ba26271ddca888f4d633b4c4119d29b4c5a11741

Download Submit
memory/848-53-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/848-47-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/848-43-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/848-40-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/848-38-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/1688-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-37-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-75-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-25-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-74-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-28-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-73-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-72-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-34-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1688-31-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-71-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-39-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-42-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-69-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-68-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-44-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-67-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-65-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-64-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-58-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-57-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-51-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-35-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-56-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2572-46-0x0000000001DF0000-0x0000000001E30000-memory.dmp

Filesize
256KB

Download
memory/2572-30-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2572-50-0x0000000001DF0000-0x0000000001E30000-memory.dmp

Filesize
256KB

Download
memory/2572-49-0x0000000001DF0000-0x0000000001E30000-memory.dmp

Filesize
256KB

Download
memory/2572-54-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-52-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-27-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-36-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-33-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/2832-48-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/2832-45-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/2920-3-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/2920-2-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/2920-41-0x00000000746C0000-0x0000000074DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2920-4-0x00000000746C0000-0x0000000074DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2920-5-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/2920-7-0x000000000B430000-0x000000000B5AA000-memory.dmp

Filesize
1.5MB

Download
memory/2920-1-0x0000000000FF0000-0x000000000122A000-memory.dmp

Filesize
2.2MB

Download
memory/2920-0-0x00000000746C0000-0x0000000074DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2920-6-0x0000000005E60000-0x0000000006050000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads