bitrat | 42c77364cebcb01102a85a8bb9a053a0e01d633c2e9710256e9d174a9f67effd

General

Target

cb1210c9515e3e6bf5716048cb7ba3cf.exe
Size

2.1MB
MD5

cb1210c9515e3e6bf5716048cb7ba3cf
SHA1

9a57f751a71a63ac9b998a6a19b7a38b96349e53
SHA256

42c77364cebcb01102a85a8bb9a053a0e01d633c2e9710256e9d174a9f67effd
SHA512

ee6ca757e4dec2230255c26f66dfb20e225e22581e3c90359f168e976a5e12250ed24dd5305b6c59a673036841cedce682601fef5f4c9304843571c941c96990
SSDEEP

49152:1kIxSRHorTDMyDmFscevbcd/Fkl1DI8wGLSK4Erm8jJE3hGJGYRV6O37PckR1h:1k8SeDMbFs3Ad/FUIyHpcMhn1370kR1

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

gotti.ddnsgeek.com:8088

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

cb1210c9515e3e6bf5716048cb7ba3cf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\oiqjWh2890agfhgW\\badmOsjhHZCI.exe\",explorer.exe"	cb1210c9515e3e6bf5716048cb7ba3cf.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

vbc.exe

pid process

2900 vbc.exe
2900 vbc.exe
2900 vbc.exe
2900 vbc.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

cb1210c9515e3e6bf5716048cb7ba3cf.exe

description pid process target process

PID 2204 set thread context of 2900 2204 cb1210c9515e3e6bf5716048cb7ba3cf.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

cb1210c9515e3e6bf5716048cb7ba3cf.exe

pid process

2204 cb1210c9515e3e6bf5716048cb7ba3cf.exe

pid	process
2900	vbc.exe
2900	vbc.exe
2900	vbc.exe
2900	vbc.exe

description	pid	process	target process
PID 2204 set thread context of 2900	2204	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe

pid	process
2204	cb1210c9515e3e6bf5716048cb7ba3cf.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

cb1210c9515e3e6bf5716048cb7ba3cf.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	2204	cb1210c9515e3e6bf5716048cb7ba3cf.exe
Token: SeDebugPrivilege	2204	cb1210c9515e3e6bf5716048cb7ba3cf.exe
Token: SeDebugPrivilege	2900	vbc.exe
Token: SeShutdownPrivilege	2900	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vbc.exe

pid process

2900 vbc.exe
2900 vbc.exe

pid	process
2900	vbc.exe
2900	vbc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cb1210c9515e3e6bf5716048cb7ba3cf.exe

description	pid	process	target process
PID 2204 wrote to memory of 2900	2204	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe
PID 2204 wrote to memory of 2900	2204	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe
PID 2204 wrote to memory of 2900	2204	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe
PID 2204 wrote to memory of 2900	2204	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe
PID 2204 wrote to memory of 2900	2204	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe
PID 2204 wrote to memory of 2900	2204	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe
PID 2204 wrote to memory of 2900	2204	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe
PID 2204 wrote to memory of 2900	2204	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe
PID 2204 wrote to memory of 2900	2204	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe
PID 2204 wrote to memory of 2900	2204	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe
PID 2204 wrote to memory of 2900	2204	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe
PID 2204 wrote to memory of 2900	2204	cb1210c9515e3e6bf5716048cb7ba3cf.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\cb1210c9515e3e6bf5716048cb7ba3cf.exe
"C:\Users\Admin\AppData\Local\Temp\cb1210c9515e3e6bf5716048cb7ba3cf.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2900

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2204-0-0x0000000074150000-0x00000000746FB000-memory.dmp

Filesize
5.7MB

Download
memory/2204-2-0x00000000004C0000-0x0000000000500000-memory.dmp

Filesize
256KB

Download
memory/2204-1-0x0000000074150000-0x00000000746FB000-memory.dmp

Filesize
5.7MB

Download
memory/2204-29-0x00000000004C0000-0x0000000000500000-memory.dmp

Filesize
256KB

Download
memory/2204-28-0x0000000074150000-0x00000000746FB000-memory.dmp

Filesize
5.7MB

Download
memory/2900-24-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-26-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-9-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-10-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-11-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2900-14-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-17-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-18-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-19-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-20-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-22-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-23-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-7-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-25-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-8-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-27-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-6-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-5-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-31-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-32-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-33-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-37-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-38-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-39-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-42-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-43-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-44-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-48-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-49-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2900-50-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads