bitrat | 3cc446d6a658ce7bdf67387d6df73888b2f5ea0a3955f2c11ebdeaec4d589517

General

Target

7a0723aff075673ef855b4e615207dfd.exe
Size

3.6MB
MD5

7a0723aff075673ef855b4e615207dfd
SHA1

aa3c1654b4abefe9831f6b60866253b4b8436fe0
SHA256

3cc446d6a658ce7bdf67387d6df73888b2f5ea0a3955f2c11ebdeaec4d589517
SHA512

344444ca7d681f86f0707e5e788c7d20dadbcf8c69cc5afd8a5136e78848737003e5f8320356bd25d0773fb90e3ec0fe2c55d32e6923e43640b6ce204c4ade7c
SSDEEP

98304:XTjwlh++gsHbQN/muXMxx2FKPv2QXMojZ5nYu3zSXYwREF0aQ:XTjKz7gF42kWQXMIjnYu+ow7J

Score

10^/10

bitrat blister loader trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

139.28.219.45:443

Attributes

communication_password
a76d949640a165da25ccfe9a8fd82c8a
tor_process
tor

Signatures

BLISTER
BLISTER is a downloader used to deliver other malware families.
loader blister
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detect Blister loader x32 2 IoCs

loader

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\bibs_work\WMVCORE.DLL	family_blister_x32
behavioral1/memory/2484-3-0x000000002BD90000-0x000000002C26E000-memory.dmp	family_blister_x32

Loads dropped DLL 1 IoCs

Processes:

7a0723aff075673ef855b4e615207dfd.exe

pid process

2484 7a0723aff075673ef855b4e615207dfd.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

WerFault.exe

pid process

2772 WerFault.exe

pid	process
2484	7a0723aff075673ef855b4e615207dfd.exe

pid	process
2772	WerFault.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

7a0723aff075673ef855b4e615207dfd.exe

description	pid	process	target process
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 set thread context of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\ProgramData\Helps_Config\Helps_Config.exe	nsis_installer_1
C:\ProgramData\Helps_Config\Helps_Config.exe	nsis_installer_2

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 2772 WerFault.exe
Token: SeShutdownPrivilege 2772 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	2772	WerFault.exe
Token: SeShutdownPrivilege	2772	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7a0723aff075673ef855b4e615207dfd.exe

description	pid	process	target process
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe
PID 2484 wrote to memory of 2772	2484	7a0723aff075673ef855b4e615207dfd.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\7a0723aff075673ef855b4e615207dfd.exe
"C:\Users\Admin\AppData\Local\Temp\7a0723aff075673ef855b4e615207dfd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\SysWOW64\WerFault.exe
"C:\Windows\System32\WerFault.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:2392

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Helps_Config\Helps_Config.exe
Filesize
98KB

MD5
20276b114ccaa585d544e73ad5589d32

SHA1
1fade936ac52a5d41135926c572cbb19583e6233

SHA256
d3bd6d21538fc29c87bddddd5964a47eaab0d4792d8d7dc45391ce4c51ccc090

SHA512
24c51f3794ff1d0b76dae5495a3c45f875d490708bb6be098e1333076cebd3431e5ead867c2ebd054ae4e438c81b55b31ce35bcd21f95102d66d8442dad13972

Download Submit
\Users\Admin\AppData\Local\Temp\bibs_work\WMVCORE.DLL
Filesize
4.9MB

MD5
88fba76c3a7eb0f785903de05fb0bd06

SHA1
35f452a43a838cbad695d596b2cad144cc115074

SHA256
8c981acb2673fa80fa39aa2ba9b1916cb9866b5e8f9ec1cc98bc7fed36b49c61

SHA512
f0bfb7e85de0834c3a3a8448ba4d218d28608b3634bed24590a30e91acb51632b01b09f3734547bca383c8d69a8e4c754337fa7d44a274c458fca04d21c29876

Download Submit
memory/2484-3-0x000000002BD90000-0x000000002C26E000-memory.dmp

Filesize
4.9MB

Download
memory/2772-8-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2772-16-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads