bitrat | a33ef1aeacaaab00c46cccf65a06b84f4d89399e53ee8aae9d0e6515a298f678

Analysis

max time kernel
142s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-02-2024 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

COPY0001.exe
Size

300.0MB
MD5

ef077d3465b442673296cee268e2973a
SHA1

438ec36e4cc7cad870740c5e926753f04baa1958
SHA256

f68ccb24ae1039fdfe224fd82d46e2a30e2b082d923c92510162218d453e2cfe
SHA512

e53eaa044e8da60afc25f785953b4272eb684391fee5ee32c8c35946c7324ef5dfd4d4cdd9a6ad71eb7c7717fa2d1f40cead8ae5c7c5273ef3a030fdd60091ed
SSDEEP

49152:YwTaSh6OnQVq2ky+jEnogf1L79QxEGIvbDmCwM4BIdN90L:fTaOsqdy1nzdLOfIvm7

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

dorimebit.duckdns.org:2030

Attributes

communication_password
827ccb0eea8a706c4c34a16891f84e7b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detects executables packed with Babel 4 IoCs

resource	yara_rule
behavioral1/memory/2504-1-0x0000000000F40000-0x0000000001154000-memory.dmp	INDICATOR_EXE_Packed_Babel
behavioral1/files/0x002500000000b1f4-33.dat	INDICATOR_EXE_Packed_Babel
behavioral1/files/0x002500000000b1f4-32.dat	INDICATOR_EXE_Packed_Babel
behavioral1/memory/2116-35-0x0000000000060000-0x0000000000274000-memory.dmp	INDICATOR_EXE_Packed_Babel

Detects executables packed with Dotfuscator 4 IoCs

resource	yara_rule
behavioral1/memory/2504-1-0x0000000000F40000-0x0000000001154000-memory.dmp	INDICATOR_EXE_Packed_Dotfuscator
behavioral1/files/0x002500000000b1f4-33.dat	INDICATOR_EXE_Packed_Dotfuscator
behavioral1/files/0x002500000000b1f4-32.dat	INDICATOR_EXE_Packed_Dotfuscator
behavioral1/memory/2116-35-0x0000000000060000-0x0000000000274000-memory.dmp	INDICATOR_EXE_Packed_Dotfuscator

Detects executables packed with Goliath 4 IoCs

resource	yara_rule
behavioral1/memory/2504-1-0x0000000000F40000-0x0000000001154000-memory.dmp	INDICATOR_EXE_Packed_Goliath
behavioral1/files/0x002500000000b1f4-33.dat	INDICATOR_EXE_Packed_Goliath
behavioral1/files/0x002500000000b1f4-32.dat	INDICATOR_EXE_Packed_Goliath
behavioral1/memory/2116-35-0x0000000000060000-0x0000000000274000-memory.dmp	INDICATOR_EXE_Packed_Goliath

Detects executables packed with SmartAssembly 4 IoCs

resource	yara_rule
behavioral1/memory/2504-1-0x0000000000F40000-0x0000000001154000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/files/0x002500000000b1f4-33.dat	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/files/0x002500000000b1f4-32.dat	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2116-35-0x0000000000060000-0x0000000000274000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Detects executables packed with dotNetProtector 4 IoCs

resource	yara_rule
behavioral1/memory/2504-1-0x0000000000F40000-0x0000000001154000-memory.dmp	INDICATOR_EXE_Packed_dotNetProtector
behavioral1/files/0x002500000000b1f4-33.dat	INDICATOR_EXE_Packed_dotNetProtector
behavioral1/files/0x002500000000b1f4-32.dat	INDICATOR_EXE_Packed_dotNetProtector
behavioral1/memory/2116-35-0x0000000000060000-0x0000000000274000-memory.dmp	INDICATOR_EXE_Packed_dotNetProtector

UPX dump on OEP (original entry point) 21 IoCs

resource	yara_rule
behavioral1/memory/776-8-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-11-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-12-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-13-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-15-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-16-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-17-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-20-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-21-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-23-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-22-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-25-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-24-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-26-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-27-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-28-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-29-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-30-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-31-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-37-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-38-0x0000000000420000-0x0000000000804000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
2116	HOST.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/776-7-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-8-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-11-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-12-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-13-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-15-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-16-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-17-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-20-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-21-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-23-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-22-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-25-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-24-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-26-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-27-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-28-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-29-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-30-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-31-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-37-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-38-0x0000000000420000-0x0000000000804000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
776	RegAsm.exe
776	RegAsm.exe
776	RegAsm.exe
776	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2504 set thread context of 776	2504	COPY0001.exe	30

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1500	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	COPY0001.exe
Token: SeDebugPrivilege	776	RegAsm.exe
Token: SeShutdownPrivilege	776	RegAsm.exe
Token: SeDebugPrivilege	2116	HOST.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
776	RegAsm.exe
776	RegAsm.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 776	2504	COPY0001.exe	30
PID 2504 wrote to memory of 776	2504	COPY0001.exe	30
PID 2504 wrote to memory of 776	2504	COPY0001.exe	30
PID 2504 wrote to memory of 776	2504	COPY0001.exe	30
PID 2504 wrote to memory of 776	2504	COPY0001.exe	30
PID 2504 wrote to memory of 776	2504	COPY0001.exe	30
PID 2504 wrote to memory of 776	2504	COPY0001.exe	30
PID 2504 wrote to memory of 776	2504	COPY0001.exe	30
PID 2504 wrote to memory of 776	2504	COPY0001.exe	30
PID 2504 wrote to memory of 776	2504	COPY0001.exe	30
PID 2504 wrote to memory of 776	2504	COPY0001.exe	30
PID 2504 wrote to memory of 1512	2504	COPY0001.exe	31
PID 2504 wrote to memory of 1512	2504	COPY0001.exe	31
PID 2504 wrote to memory of 1512	2504	COPY0001.exe	31
PID 2504 wrote to memory of 1512	2504	COPY0001.exe	31
PID 2504 wrote to memory of 2736	2504	COPY0001.exe	33
PID 2504 wrote to memory of 2736	2504	COPY0001.exe	33
PID 2504 wrote to memory of 2736	2504	COPY0001.exe	33
PID 2504 wrote to memory of 2736	2504	COPY0001.exe	33
PID 2504 wrote to memory of 812	2504	COPY0001.exe	37
PID 2504 wrote to memory of 812	2504	COPY0001.exe	37
PID 2504 wrote to memory of 812	2504	COPY0001.exe	37
PID 2504 wrote to memory of 812	2504	COPY0001.exe	37
PID 2736 wrote to memory of 1500	2736	cmd.exe	36
PID 2736 wrote to memory of 1500	2736	cmd.exe	36
PID 2736 wrote to memory of 1500	2736	cmd.exe	36
PID 2736 wrote to memory of 1500	2736	cmd.exe	36
PID 2304 wrote to memory of 2116	2304	taskeng.exe	39
PID 2304 wrote to memory of 2116	2304	taskeng.exe	39
PID 2304 wrote to memory of 2116	2304	taskeng.exe	39
PID 2304 wrote to memory of 2116	2304	taskeng.exe	39

C:\Users\Admin\AppData\Local\Temp\COPY0001.exe
"C:\Users\Admin\AppData\Local\Temp\COPY0001.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:776
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\HOST"
  2⤵
  PID:1512
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\Admin\AppData\Roaming\HOST\HOST.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\Admin\AppData\Roaming\HOST\HOST.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:1500
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\COPY0001.exe" "C:\Users\Admin\AppData\Roaming\HOST\HOST.exe"
  2⤵
  PID:812

C:\Windows\system32\taskeng.exe
taskeng.exe {BF278D05-6D80-48A5-9ACB-3C63F4BDAE5B} S-1-5-21-1650401615-1019878084-3673944445-1000:UADPPTXT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Roaming\HOST\HOST.exe
  C:\Users\Admin\AppData\Roaming\HOST\HOST.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\HOST\HOST.exe

Filesize
10.6MB

MD5
5820181da4825e39dfd494b80ff51442

SHA1
56f5409bb3f204538314ab55c428868838ae3dd6

SHA256
c5295e7bb94a04752695440c82ac910a9d7d636cd071d6983551eda3e6257218

SHA512
d2fc81c7416d885b5ea60020ffcc0fde94bc1606fca93e2e9adb75a8ea97f4f8fec935884c2e67f718fb97077e486b682373898fb037af8b4d637e835952c319

Download Submit
C:\Users\Admin\AppData\Roaming\HOST\HOST.exe

Filesize
11.5MB

MD5
aa91d9b04fc7e197fb88c75ffab8349c

SHA1
8dd6f7ae702f25e2e04f396402b3cc4279e7f7df

SHA256
8f14e3a2f199ff5d3888f31ba5eaffbdf878e7338b05843a1da0d5d63f5b8168

SHA512
584d647230cf9417ace73b43e1bec2f4b91b7c634a2a28b2f750ea21e043bcf059262e5558f454f94d8e1c2fa9f5f6f4d1da99bd3dbfc0446d53ad92f8812f59

Download Submit
memory/776-21-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-29-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-37-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-5-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-7-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-8-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-22-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-11-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-12-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-13-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-15-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-16-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-17-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-20-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-38-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-23-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/776-25-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-24-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-26-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-27-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-28-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-31-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-30-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/2116-34-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2116-35-0x0000000000060000-0x0000000000274000-memory.dmp

Filesize
2.1MB

Download
memory/2116-36-0x0000000004F50000-0x0000000004F90000-memory.dmp

Filesize
256KB

Download
memory/2504-3-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-2-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/2504-0-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-4-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/2504-1-0x0000000000F40000-0x0000000001154000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads