bitrat | 84c32cb403361a5d8d8117cf941b89c6c819ac453a0e1f411eb5c2952cc35e7c

Analysis

max time kernel
144s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a76da3ab31bd142881d3cc05b3903dba.exe
Size

1.9MB
MD5

a76da3ab31bd142881d3cc05b3903dba
SHA1

8b168865e07098254456c4bde49f0892e42ae2b1
SHA256

84c32cb403361a5d8d8117cf941b89c6c819ac453a0e1f411eb5c2952cc35e7c
SHA512

064a326303e24160ef5a27fa4843d98c1df545e5bcd077b25dfd1abd5cb7ee7a142edf4176a16ff0972ebcaada9604cd23ee14c01251c223336260669a010fff
SSDEEP

24576:CjmjQcndRKZCy2BrhCeU2i2cJijFbCBTPmiY05tJMSQp5ysA7Yg1nLkziEmTxp+x:vQmXDFBU2iIBb0xY/6sUYYRLDIP

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

79.134.225.90:4898

Attributes

communication_password
7fcc5163240be484c36ebae222f656b3
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Executes dropped EXE 2 IoCs

pid	Process
2700	NluadBjfiUwj5QXG.exe
2636	Qb2h0WPSVKYRenTO.exe

Loads dropped DLL 8 IoCs

pid	Process
2744	a76da3ab31bd142881d3cc05b3903dba.exe
2744	a76da3ab31bd142881d3cc05b3903dba.exe
2744	a76da3ab31bd142881d3cc05b3903dba.exe
2744	a76da3ab31bd142881d3cc05b3903dba.exe
2744	a76da3ab31bd142881d3cc05b3903dba.exe
2744	a76da3ab31bd142881d3cc05b3903dba.exe
2744	a76da3ab31bd142881d3cc05b3903dba.exe
2744	a76da3ab31bd142881d3cc05b3903dba.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000012247-2.dat	upx
behavioral1/files/0x0009000000012247-13.dat	upx
behavioral1/files/0x0009000000012247-15.dat	upx
behavioral1/memory/2700-33-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/files/0x0009000000012247-10.dat	upx
behavioral1/memory/2744-8-0x0000000003030000-0x0000000003414000-memory.dmp	upx
behavioral1/files/0x0009000000012247-6.dat	upx
behavioral1/files/0x0009000000012247-4.dat	upx
behavioral1/memory/2700-39-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2700-42-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2700-45-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2700-46-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2700-48-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2700-50-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2700-51-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2700-53-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2700	NluadBjfiUwj5QXG.exe
2700	NluadBjfiUwj5QXG.exe
2700	NluadBjfiUwj5QXG.exe
2700	NluadBjfiUwj5QXG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	NluadBjfiUwj5QXG.exe
Token: SeShutdownPrivilege	2700	NluadBjfiUwj5QXG.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2700	NluadBjfiUwj5QXG.exe
2700	NluadBjfiUwj5QXG.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2700	2744	a76da3ab31bd142881d3cc05b3903dba.exe	28
PID 2744 wrote to memory of 2700	2744	a76da3ab31bd142881d3cc05b3903dba.exe	28
PID 2744 wrote to memory of 2700	2744	a76da3ab31bd142881d3cc05b3903dba.exe	28
PID 2744 wrote to memory of 2700	2744	a76da3ab31bd142881d3cc05b3903dba.exe	28
PID 2744 wrote to memory of 2636	2744	a76da3ab31bd142881d3cc05b3903dba.exe	29
PID 2744 wrote to memory of 2636	2744	a76da3ab31bd142881d3cc05b3903dba.exe	29
PID 2744 wrote to memory of 2636	2744	a76da3ab31bd142881d3cc05b3903dba.exe	29
PID 2744 wrote to memory of 2636	2744	a76da3ab31bd142881d3cc05b3903dba.exe	29

C:\Users\Admin\AppData\Local\Temp\a76da3ab31bd142881d3cc05b3903dba.exe
"C:\Users\Admin\AppData\Local\Temp\a76da3ab31bd142881d3cc05b3903dba.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\NluadBjfiUwj5QXG.exe
  "C:\Users\Admin\AppData\Local\Temp\NluadBjfiUwj5QXG.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2700
- C:\Users\Admin\AppData\Local\Temp\Qb2h0WPSVKYRenTO.exe
  "C:\Users\Admin\AppData\Local\Temp\Qb2h0WPSVKYRenTO.exe"
  2⤵
  - Executes dropped EXE
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NluadBjfiUwj5QXG.exe

Filesize
76KB

MD5
d340cb21bd8b02cb4aa85ea3eac765c6

SHA1
a8b32b87f0bb5c0f5faa7b8ad164aa7b56afa9ca

SHA256
ce86c882c52dceaecd1ded1d253b76b5f55cab9563d25147086af370fd1448b6

SHA512
70f07a347eb7b6da607878e943994ad99ad0e5cb8aac8683466915c8bac700fb9a4206d1c8420f4044452ac6cec8b18202db21bc90b56cd73b0772284f1c5633

Download Submit
C:\Users\Admin\AppData\Local\Temp\NluadBjfiUwj5QXG.exe

Filesize
694KB

MD5
eefe577b8c6b060b1f46b6d21b83b62a

SHA1
04811e33219aef106359ed7510eaed6c1aa8fab8

SHA256
a382c6a7a164a3fb95058e26966240fae0add3fcc404a79a1840706365468ce8

SHA512
ab0125a526fa4374229a9df9669e984b6f66f094fd71e0589778485264cc04628efa41eab4598748a6ed33ae00e1806a6c12aa5e35fba780e733882f0a9d4939

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qb2h0WPSVKYRenTO.exe

Filesize
49KB

MD5
a1e91fc20cb1e027b47852fd3cfd3325

SHA1
76c6149905cafe202b1fa7b9fddfa2be68e84749

SHA256
a35968708fcce0070f787f7264a3a4bd3a694ee37762509d1244663bfc07716a

SHA512
b7593848459f6333b96e6de9b51ac679d459318cfb9351b6be1363741d82d35d48d7410024718a41d234b2d8675f169816253fada9c5386e8d81bc84c43e3fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qb2h0WPSVKYRenTO.exe

Filesize
33KB

MD5
69391ee1451801165512f0d405edb183

SHA1
86eb6d80373b4e46d70740c281c872ccc5003668

SHA256
750d60d0cffbd556a6c532c63ef0e0309e5bc4a7fa9709120e5d9f10b6c6396c

SHA512
f781eba779cae54f536ec5e3c28c65dda3bcfbc1289bcd621d93ccfc4c21289da2f4a5a31d86153a8762c87481046c7e65e2ee89f9603a8662c260a051f9bcef

Download Submit
\Users\Admin\AppData\Local\Temp\NluadBjfiUwj5QXG.exe

Filesize
658KB

MD5
5eb9c8266d0d2331b7047b35be78f0d1

SHA1
3bfd59f25602db83e062fe67cf5372553b2f9c5e

SHA256
b4864b341332b80c1448f04cbe76b7a14611022f70b96df5784c37eaba54101f

SHA512
091ef4a32d38a546294e9a614850f061b87be50c68b607fa6471740ccd5265a64002076d5ff3a266c7860e91b5326653817dfad94152060a80dd4139bab146d5

Download Submit
\Users\Admin\AppData\Local\Temp\NluadBjfiUwj5QXG.exe

Filesize
131KB

MD5
109d05a5a68620c28d0330a510c7d49d

SHA1
a913c3a283d6e777a76fbc20af42f73c1e496f2f

SHA256
9b55bec922662e0e664911ecf57b96673180006b69b396ab24c2bcae890542ed

SHA512
14c2eeb07b22fb5081f00a0e3bf581aa40c2d364f793958788e234410af38d47ecddc7291b7d5647a7ca45e845ed5d27531ff306c63ce68f3cd7b0609f65a52a

Download Submit
\Users\Admin\AppData\Local\Temp\NluadBjfiUwj5QXG.exe

Filesize
1.4MB

MD5
f212bad6a4db136aea325000f0e4bd18

SHA1
d9e0cf3f54a3f8743b99cea831c9466086466724

SHA256
0f48a240d802423a806fe0d0cb601340edb70f74997ba8053f6cd6b9b5e4b62f

SHA512
245770611329eb8ddbdf37b64af114594cc15141e13e0d098744cbe7c15cd8988f340042c8970254ba9da970ae31850ee8d1a0331fc4e5daa5089f663f08c6c3

Download Submit
\Users\Admin\AppData\Local\Temp\NluadBjfiUwj5QXG.exe

Filesize
1009KB

MD5
0443783c4c9cb2f993d1f21df932eb64

SHA1
3ff25e8ad3a7be110ee02cbf9c0e3775887c155b

SHA256
3121092e8974db421a53798b355c50591126c4403e285a46dbec8c337ffbd857

SHA512
0075eb190fd7d8be89d4068999b201e5c2982be07b8b8b2792058604454a62ef857516decb07d60f1c37a420e1153d8319a77cd3522a8d808adfcae92703744d

Download Submit
\Users\Admin\AppData\Local\Temp\Qb2h0WPSVKYRenTO.exe

Filesize
219KB

MD5
60ab706a84ebcef719682d1426e04474

SHA1
6911676b3324624935f5717a4243167d61c937d3

SHA256
175fdacc1bf745a3fc9274648cb152b0c15127f1a4441ca0346b9bc66d4acff5

SHA512
a09f224489543d0899561db16415474c5be1b600c7d0e4b01ca5367643559af5a80cdfa29220a091da7664da0edb747b2e6520a693637623756fe47f31936161

Download Submit
\Users\Admin\AppData\Local\Temp\Qb2h0WPSVKYRenTO.exe

Filesize
67KB

MD5
8c0cadd3497da519c51b8b8318a8abb4

SHA1
625275e72bb38f9816b8380137e7e4ba6101be18

SHA256
df3b9b3f3d4ff87e853ec39f311e97de63cf8051e09cf2a6330f19f07409772e

SHA512
25a91cd4749d28c4041a238477d560808c23493b269e3a1df18cfa73b3b001d31ee2344bf9a926c644d13a5741aa584804c6e71bf24304453f990f889e924959

Download Submit
\Users\Admin\AppData\Local\Temp\Qb2h0WPSVKYRenTO.exe

Filesize
23KB

MD5
224e4bf2d141c94b9583b3f6e063fc82

SHA1
803820899006d18a8a82dd2e1889b2fe1fc7e5ec

SHA256
9956339eb75eff292d463392747d84876073d82b96bad38b40bb4b0be1d5b63e

SHA512
4a9eaf4765569fab4981e8fb8ef00221047bc926a4613f287d1d87d7ffc557dae29ebf9a843a7ba4968c82f416a5b9cb8c35ca63ca830a258b712a6ba6efc714

Download Submit
memory/2636-40-0x0000000074860000-0x0000000074F4E000-memory.dmp

Filesize
6.9MB

Download
memory/2636-36-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/2636-38-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/2636-37-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/2636-34-0x0000000000940000-0x000000000097E000-memory.dmp

Filesize
248KB

Download
memory/2636-35-0x0000000074860000-0x0000000074F4E000-memory.dmp

Filesize
6.9MB

Download
memory/2700-39-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2700-33-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2700-42-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2700-45-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2700-46-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2700-48-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2700-50-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2700-51-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2700-53-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2744-30-0x0000000003030000-0x0000000003414000-memory.dmp

Filesize
3.9MB

Download
memory/2744-8-0x0000000003030000-0x0000000003414000-memory.dmp

Filesize
3.9MB

Download
memory/2744-17-0x0000000003030000-0x0000000003414000-memory.dmp

Filesize
3.9MB

Download