bitrat | 9f853c69ec51eef3b38c508c2cdfaad6230c9cac218b6c1e2c1aade3e2aaa684

Analysis

max time kernel
157s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2024, 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68222440e7fab33d7b5ec1b6e2672962.exe
Size

2.6MB
MD5

68222440e7fab33d7b5ec1b6e2672962
SHA1

9e756880fc27ce0e0aa9f746039ec5fc0ca60294
SHA256

9f853c69ec51eef3b38c508c2cdfaad6230c9cac218b6c1e2c1aade3e2aaa684
SHA512

8fc00dc22e870a8e2150bd57b3e26d173a425ab1ab665b16548285489622f2a52db7487ce1a9811fc4c0328f673454be0f8a38d72a30e65727afabef04d63388
SSDEEP

49152:wvibll7s0eIB4GzdH21N9vGHE5S9H5EsHBTzPfEAuj0/XN+fX+4T38mc:wS00SGzdHAuPmKJzXEAfXcuwU

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

dns16-microsoft-health.com:80

Attributes

communication_password
1fb84c2caca11d084aafca61f7284a70
install_dir
Intel
install_file
idrvr32.exe
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3004	68222440e7fab33d7b5ec1b6e2672962.exe
3004	68222440e7fab33d7b5ec1b6e2672962.exe
3004	68222440e7fab33d7b5ec1b6e2672962.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4864 set thread context of 3004	4864	68222440e7fab33d7b5ec1b6e2672962.exe	97

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4864	68222440e7fab33d7b5ec1b6e2672962.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3004	68222440e7fab33d7b5ec1b6e2672962.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4864	68222440e7fab33d7b5ec1b6e2672962.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 3004	4864	68222440e7fab33d7b5ec1b6e2672962.exe	97
PID 4864 wrote to memory of 3004	4864	68222440e7fab33d7b5ec1b6e2672962.exe	97
PID 4864 wrote to memory of 3004	4864	68222440e7fab33d7b5ec1b6e2672962.exe	97
PID 4864 wrote to memory of 3004	4864	68222440e7fab33d7b5ec1b6e2672962.exe	97

C:\Users\Admin\AppData\Local\Temp\68222440e7fab33d7b5ec1b6e2672962.exe
"C:\Users\Admin\AppData\Local\Temp\68222440e7fab33d7b5ec1b6e2672962.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Users\Admin\AppData\Local\Temp\68222440e7fab33d7b5ec1b6e2672962.exe
  "C:\Users\Admin\AppData\Local\Temp\68222440e7fab33d7b5ec1b6e2672962.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:3004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3004-36-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/3004-48-0x0000000074650000-0x0000000074689000-memory.dmp

Filesize
228KB

Download
memory/3004-47-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/3004-46-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/3004-39-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/3004-45-0x0000000077252000-0x0000000077253000-memory.dmp

Filesize
4KB

Download
memory/3004-37-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/4864-14-0x0000000000970000-0x0000000000A70000-memory.dmp

Filesize
1024KB

Download
memory/4864-12-0x0000000000970000-0x0000000000A70000-memory.dmp

Filesize
1024KB

Download
memory/4864-15-0x0000000000970000-0x0000000000A70000-memory.dmp

Filesize
1024KB

Download
memory/4864-16-0x0000000000970000-0x0000000000A70000-memory.dmp

Filesize
1024KB

Download
memory/4864-17-0x0000000000970000-0x0000000000A70000-memory.dmp

Filesize
1024KB

Download
memory/4864-21-0x0000000000970000-0x0000000000A70000-memory.dmp

Filesize
1024KB

Download
memory/4864-24-0x0000000000970000-0x0000000000A70000-memory.dmp

Filesize
1024KB

Download
memory/4864-25-0x0000000000970000-0x0000000000A70000-memory.dmp

Filesize
1024KB

Download
memory/4864-28-0x0000000000400000-0x000000000069F000-memory.dmp

Filesize
2.6MB

Download
memory/4864-30-0x0000000000970000-0x0000000000A70000-memory.dmp

Filesize
1024KB

Download
memory/4864-32-0x0000000000400000-0x000000000069F000-memory.dmp

Filesize
2.6MB

Download
memory/4864-33-0x0000000000970000-0x0000000000A70000-memory.dmp

Filesize
1024KB

Download
memory/4864-34-0x0000000000970000-0x0000000000A70000-memory.dmp

Filesize
1024KB

Download
memory/4864-2-0x0000000077252000-0x0000000077253000-memory.dmp

Filesize
4KB

Download
memory/4864-13-0x0000000000400000-0x000000000069F000-memory.dmp

Filesize
2.6MB

Download
memory/4864-41-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/4864-44-0x0000000000970000-0x0000000000A70000-memory.dmp

Filesize
1024KB

Download
memory/4864-11-0x0000000000970000-0x0000000000A70000-memory.dmp

Filesize
1024KB

Download
memory/4864-42-0x0000000000400000-0x000000000069F000-memory.dmp

Filesize
2.6MB

Download
memory/4864-40-0x0000000074EA0000-0x0000000074FFD000-memory.dmp

Filesize
1.4MB

Download
memory/4864-10-0x0000000000970000-0x0000000000A70000-memory.dmp

Filesize
1024KB

Download
memory/4864-38-0x0000000000970000-0x0000000000A70000-memory.dmp

Filesize
1024KB

Download
memory/4864-35-0x0000000000970000-0x0000000000A70000-memory.dmp

Filesize
1024KB

Download
memory/4864-9-0x0000000074EA0000-0x0000000074FFD000-memory.dmp

Filesize
1.4MB

Download
memory/4864-8-0x0000000000970000-0x0000000000A70000-memory.dmp

Filesize
1024KB

Download
memory/4864-3-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download