bitrat | ca05d3ab36565eac8ea1e51defde0ed20d7dfed046e00de4808d0dc71bf51973

Analysis

max time kernel
148s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-01-2024 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59ae4f79e3ae6f4035777fbfa5e15688.exe
Size

2.2MB
MD5

59ae4f79e3ae6f4035777fbfa5e15688
SHA1

91314991baa2d97f9e4e22f3370f29cbde65733f
SHA256

ca05d3ab36565eac8ea1e51defde0ed20d7dfed046e00de4808d0dc71bf51973
SHA512

d05b8f69c89dbc5b92173c6a32dda989d9bd404b6562f0d92789ae7d854b44118c18b6172fc5482dd98a8e6678def8c053cb83452e1ded77f2cda026d2c263bb
SSDEEP

49152:haPNbH/WLJpZ6xCNg1TdY4zEJ0yCHAC4fHu2+ADK/k6P1y:s48CNE2wli5DQd

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.35

storage.nsupdate.info:8973

Attributes

communication_password
bf771c9d082071fe80b18bb678220682
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1688-28-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-31-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-39-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-42-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-44-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-37-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-51-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-35-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-56-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-57-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-60-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-58-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-64-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-65-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-67-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-68-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-69-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-71-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-72-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-73-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-74-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1688-75-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1688	MSBuild.exe
1688	MSBuild.exe
1688	MSBuild.exe
1688	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2920 set thread context of 1688	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2920	59ae4f79e3ae6f4035777fbfa5e15688.exe
2920	59ae4f79e3ae6f4035777fbfa5e15688.exe
2920	59ae4f79e3ae6f4035777fbfa5e15688.exe
2920	59ae4f79e3ae6f4035777fbfa5e15688.exe
848	powershell.exe
2832	powershell.exe
2572	powershell.exe
2920	59ae4f79e3ae6f4035777fbfa5e15688.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	1688	MSBuild.exe
Token: SeShutdownPrivilege	1688	MSBuild.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1688	MSBuild.exe
1688	MSBuild.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 2572	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	30
PID 2920 wrote to memory of 2572	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	30
PID 2920 wrote to memory of 2572	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	30
PID 2920 wrote to memory of 2572	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	30
PID 2920 wrote to memory of 2832	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	32
PID 2920 wrote to memory of 2832	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	32
PID 2920 wrote to memory of 2832	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	32
PID 2920 wrote to memory of 2832	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	32
PID 2920 wrote to memory of 2820	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	33
PID 2920 wrote to memory of 2820	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	33
PID 2920 wrote to memory of 2820	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	33
PID 2920 wrote to memory of 2820	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	33
PID 2920 wrote to memory of 848	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	36
PID 2920 wrote to memory of 848	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	36
PID 2920 wrote to memory of 848	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	36
PID 2920 wrote to memory of 848	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	36
PID 2920 wrote to memory of 1992	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	38
PID 2920 wrote to memory of 1992	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	38
PID 2920 wrote to memory of 1992	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	38
PID 2920 wrote to memory of 1992	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	38
PID 2920 wrote to memory of 2504	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	39
PID 2920 wrote to memory of 2504	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	39
PID 2920 wrote to memory of 2504	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	39
PID 2920 wrote to memory of 2504	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	39
PID 2920 wrote to memory of 1688	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	40
PID 2920 wrote to memory of 1688	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	40
PID 2920 wrote to memory of 1688	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	40
PID 2920 wrote to memory of 1688	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	40
PID 2920 wrote to memory of 1688	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	40
PID 2920 wrote to memory of 1688	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	40
PID 2920 wrote to memory of 1688	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	40
PID 2920 wrote to memory of 1688	2920	59ae4f79e3ae6f4035777fbfa5e15688.exe	40

C:\Users\Admin\AppData\Local\Temp\59ae4f79e3ae6f4035777fbfa5e15688.exe
"C:\Users\Admin\AppData\Local\Temp\59ae4f79e3ae6f4035777fbfa5e15688.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\59ae4f79e3ae6f4035777fbfa5e15688.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EqgDXdibLF.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EqgDXdibLF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4605.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2820
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EqgDXdibLF.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4605.tmp

Filesize
1KB

MD5
68c7c12acd320031640ac0bf86787695

SHA1
e455537d9638bd4360cfe44b79cfab9bb8a67672

SHA256
4c40290d21a45dd221abb9b480c021d47b91822096bad32444578afed72edae1

SHA512
2f22ef3f0c432b0f21eb9ddaa52c4148114fcfbd815b1143f01e540ec3a0bcf6291412a4e5d62c0c4eabcb0bbc47202333a5c2149b6f1422b4ffdf79e46cb5d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S69H0AAXQ61IESR50O59.temp

Filesize
7KB

MD5
1bccb058858af793b8a80dc65176e35d

SHA1
f95b3aea33e0f5f7dd0bbd66ce659a4e0f073246

SHA256
178d193469a618000f7bb405aca0fa8f094dc57a1ac8d7661eb9a94cb818328b

SHA512
701d02c4d997606bc21bc793b31961bc58281e6c2c2ee37c25d4e56e41b5893cdd04e8e9e1412c4166199831ba26271ddca888f4d633b4c4119d29b4c5a11741

Download Submit
memory/848-53-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/848-47-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/848-43-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/848-40-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/848-38-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/1688-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-37-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-75-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-25-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-74-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-28-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-73-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-72-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-34-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1688-31-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-71-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-39-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-42-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-69-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-68-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-44-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-67-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-65-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-64-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-58-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-57-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-51-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-35-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1688-56-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2572-46-0x0000000001DF0000-0x0000000001E30000-memory.dmp

Filesize
256KB

Download
memory/2572-30-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2572-50-0x0000000001DF0000-0x0000000001E30000-memory.dmp

Filesize
256KB

Download
memory/2572-49-0x0000000001DF0000-0x0000000001E30000-memory.dmp

Filesize
256KB

Download
memory/2572-54-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-52-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-27-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-36-0x000000006F4A0000-0x000000006FA4B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-33-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/2832-48-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/2832-45-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/2920-3-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/2920-2-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/2920-41-0x00000000746C0000-0x0000000074DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2920-4-0x00000000746C0000-0x0000000074DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2920-5-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/2920-7-0x000000000B430000-0x000000000B5AA000-memory.dmp

Filesize
1.5MB

Download
memory/2920-1-0x0000000000FF0000-0x000000000122A000-memory.dmp

Filesize
2.2MB

Download
memory/2920-0-0x00000000746C0000-0x0000000074DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2920-6-0x0000000005E60000-0x0000000006050000-memory.dmp

Filesize
1.9MB

Download