bitrat | a33ef1aeacaaab00c46cccf65a06b84f4d89399e53ee8aae9d0e6515a298f678

General

Target

COPY0001.exe
Size

300.0MB
MD5

ef077d3465b442673296cee268e2973a
SHA1

438ec36e4cc7cad870740c5e926753f04baa1958
SHA256

f68ccb24ae1039fdfe224fd82d46e2a30e2b082d923c92510162218d453e2cfe
SHA512

e53eaa044e8da60afc25f785953b4272eb684391fee5ee32c8c35946c7324ef5dfd4d4cdd9a6ad71eb7c7717fa2d1f40cead8ae5c7c5273ef3a030fdd60091ed
SSDEEP

49152:YwTaSh6OnQVq2ky+jEnogf1L79QxEGIvbDmCwM4BIdN90L:fTaOsqdy1nzdLOfIvm7

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

dorimebit.duckdns.org:2030

Attributes

communication_password
827ccb0eea8a706c4c34a16891f84e7b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detects executables packed with Babel 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2504-1-0x0000000000F40000-0x0000000001154000-memory.dmp	INDICATOR_EXE_Packed_Babel
C:\Users\Admin\AppData\Roaming\HOST\HOST.exe	INDICATOR_EXE_Packed_Babel
C:\Users\Admin\AppData\Roaming\HOST\HOST.exe	INDICATOR_EXE_Packed_Babel
behavioral1/memory/2116-35-0x0000000000060000-0x0000000000274000-memory.dmp	INDICATOR_EXE_Packed_Babel

Detects executables packed with Dotfuscator 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2504-1-0x0000000000F40000-0x0000000001154000-memory.dmp	INDICATOR_EXE_Packed_Dotfuscator
C:\Users\Admin\AppData\Roaming\HOST\HOST.exe	INDICATOR_EXE_Packed_Dotfuscator
C:\Users\Admin\AppData\Roaming\HOST\HOST.exe	INDICATOR_EXE_Packed_Dotfuscator
behavioral1/memory/2116-35-0x0000000000060000-0x0000000000274000-memory.dmp	INDICATOR_EXE_Packed_Dotfuscator

Detects executables packed with Goliath 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2504-1-0x0000000000F40000-0x0000000001154000-memory.dmp	INDICATOR_EXE_Packed_Goliath
C:\Users\Admin\AppData\Roaming\HOST\HOST.exe	INDICATOR_EXE_Packed_Goliath
C:\Users\Admin\AppData\Roaming\HOST\HOST.exe	INDICATOR_EXE_Packed_Goliath
behavioral1/memory/2116-35-0x0000000000060000-0x0000000000274000-memory.dmp	INDICATOR_EXE_Packed_Goliath

Detects executables packed with SmartAssembly 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2504-1-0x0000000000F40000-0x0000000001154000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
C:\Users\Admin\AppData\Roaming\HOST\HOST.exe	INDICATOR_EXE_Packed_SmartAssembly
C:\Users\Admin\AppData\Roaming\HOST\HOST.exe	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2116-35-0x0000000000060000-0x0000000000274000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Detects executables packed with dotNetProtector 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2504-1-0x0000000000F40000-0x0000000001154000-memory.dmp	INDICATOR_EXE_Packed_dotNetProtector
C:\Users\Admin\AppData\Roaming\HOST\HOST.exe	INDICATOR_EXE_Packed_dotNetProtector
C:\Users\Admin\AppData\Roaming\HOST\HOST.exe	INDICATOR_EXE_Packed_dotNetProtector
behavioral1/memory/2116-35-0x0000000000060000-0x0000000000274000-memory.dmp	INDICATOR_EXE_Packed_dotNetProtector

UPX dump on OEP (original entry point) 21 IoCs

Processes:

resource	yara_rule
behavioral1/memory/776-8-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-11-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-12-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-13-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-15-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-16-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-17-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-20-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-21-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-23-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-22-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-25-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-24-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-26-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-27-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-28-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-29-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-30-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-31-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-37-0x0000000000420000-0x0000000000804000-memory.dmp	UPX
behavioral1/memory/776-38-0x0000000000420000-0x0000000000804000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

Processes:

HOST.exe

pid process

2116 HOST.exe

pid	process
2116	HOST.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/776-7-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-8-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-11-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-12-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-13-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-15-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-16-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-17-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-20-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-21-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-23-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-22-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-25-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-24-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-26-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-27-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-28-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-29-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-30-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-31-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-37-0x0000000000420000-0x0000000000804000-memory.dmp	upx
behavioral1/memory/776-38-0x0000000000420000-0x0000000000804000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

RegAsm.exe

pid process

776 RegAsm.exe
776 RegAsm.exe
776 RegAsm.exe
776 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

COPY0001.exe

description pid process target process

PID 2504 set thread context of 776 2504 COPY0001.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1500 schtasks.exe

pid	process
776	RegAsm.exe
776	RegAsm.exe
776	RegAsm.exe
776	RegAsm.exe

description	pid	process	target process
PID 2504 set thread context of 776	2504	COPY0001.exe	RegAsm.exe

pid	process
1500	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

COPY0001.exeRegAsm.exeHOST.exe

description	pid	process
Token: SeDebugPrivilege	2504	COPY0001.exe
Token: SeDebugPrivilege	776	RegAsm.exe
Token: SeShutdownPrivilege	776	RegAsm.exe
Token: SeDebugPrivilege	2116	HOST.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

776 RegAsm.exe
776 RegAsm.exe

pid	process
776	RegAsm.exe
776	RegAsm.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

COPY0001.execmd.exetaskeng.exe

description	pid	process	target process
PID 2504 wrote to memory of 776	2504	COPY0001.exe	RegAsm.exe
PID 2504 wrote to memory of 776	2504	COPY0001.exe	RegAsm.exe
PID 2504 wrote to memory of 776	2504	COPY0001.exe	RegAsm.exe
PID 2504 wrote to memory of 776	2504	COPY0001.exe	RegAsm.exe
PID 2504 wrote to memory of 776	2504	COPY0001.exe	RegAsm.exe
PID 2504 wrote to memory of 776	2504	COPY0001.exe	RegAsm.exe
PID 2504 wrote to memory of 776	2504	COPY0001.exe	RegAsm.exe
PID 2504 wrote to memory of 776	2504	COPY0001.exe	RegAsm.exe
PID 2504 wrote to memory of 776	2504	COPY0001.exe	RegAsm.exe
PID 2504 wrote to memory of 776	2504	COPY0001.exe	RegAsm.exe
PID 2504 wrote to memory of 776	2504	COPY0001.exe	RegAsm.exe
PID 2504 wrote to memory of 1512	2504	COPY0001.exe	cmd.exe
PID 2504 wrote to memory of 1512	2504	COPY0001.exe	cmd.exe
PID 2504 wrote to memory of 1512	2504	COPY0001.exe	cmd.exe
PID 2504 wrote to memory of 1512	2504	COPY0001.exe	cmd.exe
PID 2504 wrote to memory of 2736	2504	COPY0001.exe	cmd.exe
PID 2504 wrote to memory of 2736	2504	COPY0001.exe	cmd.exe
PID 2504 wrote to memory of 2736	2504	COPY0001.exe	cmd.exe
PID 2504 wrote to memory of 2736	2504	COPY0001.exe	cmd.exe
PID 2504 wrote to memory of 812	2504	COPY0001.exe	cmd.exe
PID 2504 wrote to memory of 812	2504	COPY0001.exe	cmd.exe
PID 2504 wrote to memory of 812	2504	COPY0001.exe	cmd.exe
PID 2504 wrote to memory of 812	2504	COPY0001.exe	cmd.exe
PID 2736 wrote to memory of 1500	2736	cmd.exe	schtasks.exe
PID 2736 wrote to memory of 1500	2736	cmd.exe	schtasks.exe
PID 2736 wrote to memory of 1500	2736	cmd.exe	schtasks.exe
PID 2736 wrote to memory of 1500	2736	cmd.exe	schtasks.exe
PID 2304 wrote to memory of 2116	2304	taskeng.exe	HOST.exe
PID 2304 wrote to memory of 2116	2304	taskeng.exe	HOST.exe
PID 2304 wrote to memory of 2116	2304	taskeng.exe	HOST.exe
PID 2304 wrote to memory of 2116	2304	taskeng.exe	HOST.exe

C:\Users\Admin\AppData\Local\Temp\COPY0001.exe
"C:\Users\Admin\AppData\Local\Temp\COPY0001.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:776

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\HOST"
2⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\Admin\AppData\Roaming\HOST\HOST.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\Admin\AppData\Roaming\HOST\HOST.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1500

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\COPY0001.exe" "C:\Users\Admin\AppData\Roaming\HOST\HOST.exe"
2⤵
PID:812

C:\Windows\system32\taskeng.exe
taskeng.exe {BF278D05-6D80-48A5-9ACB-3C63F4BDAE5B} S-1-5-21-1650401615-1019878084-3673944445-1000:UADPPTXT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2304

C:\Users\Admin\AppData\Roaming\HOST\HOST.exe
C:\Users\Admin\AppData\Roaming\HOST\HOST.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2116

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\HOST\HOST.exe
Filesize
10.6MB

MD5
5820181da4825e39dfd494b80ff51442

SHA1
56f5409bb3f204538314ab55c428868838ae3dd6

SHA256
c5295e7bb94a04752695440c82ac910a9d7d636cd071d6983551eda3e6257218

SHA512
d2fc81c7416d885b5ea60020ffcc0fde94bc1606fca93e2e9adb75a8ea97f4f8fec935884c2e67f718fb97077e486b682373898fb037af8b4d637e835952c319

Download Submit
C:\Users\Admin\AppData\Roaming\HOST\HOST.exe
Filesize
11.5MB

MD5
aa91d9b04fc7e197fb88c75ffab8349c

SHA1
8dd6f7ae702f25e2e04f396402b3cc4279e7f7df

SHA256
8f14e3a2f199ff5d3888f31ba5eaffbdf878e7338b05843a1da0d5d63f5b8168

SHA512
584d647230cf9417ace73b43e1bec2f4b91b7c634a2a28b2f750ea21e043bcf059262e5558f454f94d8e1c2fa9f5f6f4d1da99bd3dbfc0446d53ad92f8812f59

Download Submit
memory/776-21-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-29-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-37-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-5-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-7-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-8-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-22-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-11-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-12-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-13-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-15-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-16-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-17-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-20-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-38-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-23-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/776-25-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-24-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-26-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-27-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-28-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-31-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/776-30-0x0000000000420000-0x0000000000804000-memory.dmp

Filesize
3.9MB

Download
memory/2116-34-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2116-35-0x0000000000060000-0x0000000000274000-memory.dmp

Filesize
2.1MB

Download
memory/2116-36-0x0000000004F50000-0x0000000004F90000-memory.dmp

Filesize
256KB

Download
memory/2504-3-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-2-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/2504-0-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-4-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/2504-1-0x0000000000F40000-0x0000000001154000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads