bitrat | f0c2e55ec391d428f5f79b270bc770f5c684414becd8d2c7f0c8fb78462b47bb

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/02/2024, 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

STUB.exe
Size

3.8MB
MD5

08b8d6d55fa0ab4034e2080270e83fdb
SHA1

4fba6fa6251f41e381588335e7b73c77765149f9
SHA256

f0c2e55ec391d428f5f79b270bc770f5c684414becd8d2c7f0c8fb78462b47bb
SHA512

83ff113311596c16c8f6192ce7b1e03125327f225d9734074508ea9a4925e897ea6b5afbb648434082bf5d058ed442bb5993f057be407282ec20e5e6613a2beb
SSDEEP

98304:d77Pmq33rE/JDLPWZADUGer7B6iY74M/DmlwXVZ4FB:5+R/eZADUXR

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

Cluluvsu-34807.portmap.host:34807

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
install_dir
sdudir
install_file
sudir
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sudir = "C:\\Users\\Admin\\AppData\\Local\\sdudir\\sudirԀ"	STUB.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sudir = "C:\\Users\\Admin\\AppData\\Local\\sdudir\\sudirЀ"	STUB.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sudir = "C:\\Users\\Admin\\AppData\\Local\\sdudir\\sudir\ue000"	STUB.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sudir = "C:\\Users\\Admin\\AppData\\Local\\sdudir\\sudir똀"	STUB.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sudir = "C:\\Users\\Admin\\AppData\\Local\\sdudir\\sudir倀"	STUB.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sudir = "C:\\Users\\Admin\\AppData\\Local\\sdudir\\sudir"	STUB.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sudir = "C:\\Users\\Admin\\AppData\\Local\\sdudir\\sudir舀"	STUB.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe

Suspicious behavior: RenamesItself 30 IoCs

pid	Process
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe
3916	STUB.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3916	STUB.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3916	STUB.exe
3916	STUB.exe

C:\Users\Admin\AppData\Local\Temp\STUB.exe
"C:\Users\Admin\AppData\Local\Temp\STUB.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3916-0-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3916-1-0x0000000074A90000-0x0000000074AC9000-memory.dmp

Filesize
228KB

Download
memory/3916-2-0x0000000074A20000-0x0000000074A59000-memory.dmp

Filesize
228KB

Download
memory/3916-3-0x0000000074A20000-0x0000000074A59000-memory.dmp

Filesize
228KB

Download
memory/3916-4-0x0000000074A20000-0x0000000074A59000-memory.dmp

Filesize
228KB

Download
memory/3916-5-0x0000000074A20000-0x0000000074A59000-memory.dmp

Filesize
228KB

Download
memory/3916-6-0x0000000074A20000-0x0000000074A59000-memory.dmp

Filesize
228KB

Download
memory/3916-7-0x0000000074A20000-0x0000000074A59000-memory.dmp

Filesize
228KB

Download
memory/3916-8-0x0000000074A20000-0x0000000074A59000-memory.dmp

Filesize
228KB

Download
memory/3916-9-0x0000000074A20000-0x0000000074A59000-memory.dmp

Filesize
228KB

Download
memory/3916-10-0x0000000074A20000-0x0000000074A59000-memory.dmp

Filesize
228KB

Download
memory/3916-11-0x0000000074A20000-0x0000000074A59000-memory.dmp

Filesize
228KB

Download
memory/3916-12-0x0000000074A20000-0x0000000074A59000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads