bitrat | 03957e1a76e380308206465031a99a1db9e7afce4b82e021f0f8f94888b791b2

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2024 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f33bacbd78bf143a1f8a52b1f8b4cde.exe
Size

3.2MB
MD5

7f33bacbd78bf143a1f8a52b1f8b4cde
SHA1

97ce3f3084b8db04be526422bf9a1feb0d476e25
SHA256

03957e1a76e380308206465031a99a1db9e7afce4b82e021f0f8f94888b791b2
SHA512

c4dd06b99cbe62a1eb3119bdbfac096f9e54328873d8b26b7139ecd89b9ad51c83d97afed519fb81ff9b94fe2df3cbb3c746cec8ed2722af797c4a03d8e5ea08
SSDEEP

98304:TKC6+yhQD2OYZGQRticLcM1cVr9D0mDpg84G:+CpYQClrRIcLcMir9DrDp

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

snkno.duckdns.org:43413

Attributes

communication_password
827ccb0eea8a706c4c34a16891f84e7b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/3784-7-0x00000000050E0000-0x00000000050F2000-memory.dmp	CustAttr

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7f33bacbd78bf143a1f8a52b1f8b4cde.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	7f33bacbd78bf143a1f8a52b1f8b4cde.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

7f33bacbd78bf143a1f8a52b1f8b4cde.exe

pid	process
4044	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
4044	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
4044	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
4044	7f33bacbd78bf143a1f8a52b1f8b4cde.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

7f33bacbd78bf143a1f8a52b1f8b4cde.exe

description pid process target process

PID 3784 set thread context of 4044 3784 7f33bacbd78bf143a1f8a52b1f8b4cde.exe 7f33bacbd78bf143a1f8a52b1f8b4cde.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4468 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7f33bacbd78bf143a1f8a52b1f8b4cde.exe

pid process

3784 7f33bacbd78bf143a1f8a52b1f8b4cde.exe
3784 7f33bacbd78bf143a1f8a52b1f8b4cde.exe

description	pid	process	target process
PID 3784 set thread context of 4044	3784	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	7f33bacbd78bf143a1f8a52b1f8b4cde.exe

pid	process
4468	schtasks.exe

pid	process
3784	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
3784	7f33bacbd78bf143a1f8a52b1f8b4cde.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7f33bacbd78bf143a1f8a52b1f8b4cde.exe7f33bacbd78bf143a1f8a52b1f8b4cde.exe

description	pid	process
Token: SeDebugPrivilege	3784	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
Token: SeShutdownPrivilege	4044	7f33bacbd78bf143a1f8a52b1f8b4cde.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

7f33bacbd78bf143a1f8a52b1f8b4cde.exe

pid process

4044 7f33bacbd78bf143a1f8a52b1f8b4cde.exe
4044 7f33bacbd78bf143a1f8a52b1f8b4cde.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

7f33bacbd78bf143a1f8a52b1f8b4cde.exe

C:\Users\Admin\AppData\Local\Temp\7f33bacbd78bf143a1f8a52b1f8b4cde.exe
"C:\Users\Admin\AppData\Local\Temp\7f33bacbd78bf143a1f8a52b1f8b4cde.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WZTuVE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp27B7.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4468
- C:\Users\Admin\AppData\Local\Temp\7f33bacbd78bf143a1f8a52b1f8b4cde.exe
  "C:\Users\Admin\AppData\Local\Temp\7f33bacbd78bf143a1f8a52b1f8b4cde.exe"
  2⤵
  PID:516
- C:\Users\Admin\AppData\Local\Temp\7f33bacbd78bf143a1f8a52b1f8b4cde.exe
  "C:\Users\Admin\AppData\Local\Temp\7f33bacbd78bf143a1f8a52b1f8b4cde.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp27B7.tmp

Filesize
1KB

MD5
4715ac65091f9898ce0c2c384e22ad20

SHA1
6ee367bdbdcfe62e7118b9ed731cd069fd452587

SHA256
7ee0e52f1755df99b30f7936bcacaa25088ef11e28d540dc35852fc4c13e0304

SHA512
329be46743ddb066b6200089b7ad4570a7d317f7b79b1191443203464493fc80c732e9914ed7e8d0b1973da85a94b66e4bd8092155b07135dc0ca67e54dc751d

Download Submit
memory/3784-6-0x0000000005380000-0x000000000541C000-memory.dmp

Filesize
624KB

Download
memory/3784-2-0x00000000056B0000-0x0000000005C54000-memory.dmp

Filesize
5.6MB

Download
memory/3784-3-0x0000000005100000-0x0000000005192000-memory.dmp

Filesize
584KB

Download
memory/3784-4-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/3784-5-0x00000000050C0000-0x00000000050CA000-memory.dmp

Filesize
40KB

Download
memory/3784-22-0x0000000075130000-0x00000000758E0000-memory.dmp

Filesize
7.7MB

Download
memory/3784-7-0x00000000050E0000-0x00000000050F2000-memory.dmp

Filesize
72KB

Download
memory/3784-8-0x0000000075130000-0x00000000758E0000-memory.dmp

Filesize
7.7MB

Download
memory/3784-9-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/3784-10-0x0000000007810000-0x0000000007A92000-memory.dmp

Filesize
2.5MB

Download
memory/3784-11-0x0000000009D40000-0x000000000A108000-memory.dmp

Filesize
3.8MB

Download
memory/3784-1-0x0000000000380000-0x00000000006B4000-memory.dmp

Filesize
3.2MB

Download
memory/3784-0-0x0000000075130000-0x00000000758E0000-memory.dmp

Filesize
7.7MB

Download
memory/4044-29-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-36-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-19-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-21-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-23-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-24-0x0000000075040000-0x0000000075079000-memory.dmp

Filesize
228KB

Download
memory/4044-25-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-26-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-27-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-28-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-17-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-30-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-31-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-32-0x0000000075420000-0x0000000075459000-memory.dmp

Filesize
228KB

Download
memory/4044-33-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-34-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-35-0x0000000075420000-0x0000000075459000-memory.dmp

Filesize
228KB

Download
memory/4044-20-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-37-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-38-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-39-0x0000000075420000-0x0000000075459000-memory.dmp

Filesize
228KB

Download
memory/4044-40-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-41-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-42-0x0000000075420000-0x0000000075459000-memory.dmp

Filesize
228KB

Download
memory/4044-43-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-44-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-45-0x0000000075420000-0x0000000075459000-memory.dmp

Filesize
228KB

Download
memory/4044-46-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-47-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-48-0x0000000075420000-0x0000000075459000-memory.dmp

Filesize
228KB

Download
memory/4044-49-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-50-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-51-0x0000000075420000-0x0000000075459000-memory.dmp

Filesize
228KB

Download
memory/4044-52-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-53-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4044-54-0x0000000075420000-0x0000000075459000-memory.dmp

Filesize
228KB

Download

description	pid	process	target process
PID 3784 wrote to memory of 4468	3784	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	schtasks.exe
PID 3784 wrote to memory of 4468	3784	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	schtasks.exe
PID 3784 wrote to memory of 4468	3784	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	schtasks.exe
PID 3784 wrote to memory of 516	3784	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
PID 3784 wrote to memory of 516	3784	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
PID 3784 wrote to memory of 516	3784	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
PID 3784 wrote to memory of 4044	3784	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
PID 3784 wrote to memory of 4044	3784	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
PID 3784 wrote to memory of 4044	3784	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
PID 3784 wrote to memory of 4044	3784	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
PID 3784 wrote to memory of 4044	3784	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
PID 3784 wrote to memory of 4044	3784	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
PID 3784 wrote to memory of 4044	3784	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
PID 3784 wrote to memory of 4044	3784	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
PID 3784 wrote to memory of 4044	3784	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
PID 3784 wrote to memory of 4044	3784	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	7f33bacbd78bf143a1f8a52b1f8b4cde.exe
PID 3784 wrote to memory of 4044	3784	7f33bacbd78bf143a1f8a52b1f8b4cde.exe	7f33bacbd78bf143a1f8a52b1f8b4cde.exe