bitrat | 2b590ae0dbb1cfe013c780beaad0401d7fc483c9d5f453cf23b79faa7adfd67f

General

Target

d825fa02ed9b209b329dfd2eb8bfc29a.exe
Size

3.5MB
MD5

d825fa02ed9b209b329dfd2eb8bfc29a
SHA1

a504da00ac20b1b5c7e8a375e18ebd210fb3d3f5
SHA256

2b590ae0dbb1cfe013c780beaad0401d7fc483c9d5f453cf23b79faa7adfd67f
SHA512

9008ee92c62d2c81efc89bfca9c606083dd39aedc9057062c194d9a5f0aa566010f5fa8c369fb4e4f69275466acbc571159933efd45f89d52bc58182ece94fbc
SSDEEP

49152:vLVwb6UKSZrEW33E+pNfwJEqNsAjYQcXaD+2GVxo85odrpxeyprdY8Q1ZLKx:vLxQF6TjhGVaTBmh

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.30

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

BitRAT payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2908-19-0x0000000000400000-0x000000000079E000-memory.dmp	family_bitrat
behavioral1/memory/2908-20-0x0000000000400000-0x000000000079E000-memory.dmp	family_bitrat
behavioral1/memory/2908-21-0x0000000000400000-0x000000000079E000-memory.dmp	family_bitrat
behavioral1/memory/2908-24-0x0000000000400000-0x000000000079E000-memory.dmp	family_bitrat
behavioral1/memory/2908-26-0x0000000000400000-0x000000000079E000-memory.dmp	family_bitrat
behavioral1/memory/2908-28-0x0000000000400000-0x000000000079E000-memory.dmp	family_bitrat
behavioral1/memory/2908-29-0x0000000000400000-0x000000000079E000-memory.dmp	family_bitrat
behavioral1/memory/2908-32-0x0000000000400000-0x000000000079E000-memory.dmp	family_bitrat
behavioral1/memory/2908-31-0x0000000000400000-0x000000000079E000-memory.dmp	family_bitrat
behavioral1/memory/2908-30-0x0000000000400000-0x000000000079E000-memory.dmp	family_bitrat
behavioral1/memory/2908-33-0x0000000000400000-0x000000000079E000-memory.dmp	family_bitrat
behavioral1/memory/2908-35-0x0000000000400000-0x000000000079E000-memory.dmp	family_bitrat
behavioral1/memory/2908-34-0x0000000000400000-0x000000000079E000-memory.dmp	family_bitrat
behavioral1/memory/2908-36-0x0000000000400000-0x000000000079E000-memory.dmp	family_bitrat
behavioral1/memory/2908-37-0x0000000000400000-0x000000000079E000-memory.dmp	family_bitrat
behavioral1/memory/2908-38-0x0000000000400000-0x000000000079E000-memory.dmp	family_bitrat
behavioral1/memory/2908-39-0x0000000000400000-0x000000000079E000-memory.dmp	family_bitrat
behavioral1/memory/2908-40-0x0000000000400000-0x000000000079E000-memory.dmp	family_bitrat
behavioral1/memory/2908-41-0x0000000000400000-0x000000000079E000-memory.dmp	family_bitrat

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

d825fa02ed9b209b329dfd2eb8bfc29a.exe

pid	process
2908	d825fa02ed9b209b329dfd2eb8bfc29a.exe
2908	d825fa02ed9b209b329dfd2eb8bfc29a.exe
2908	d825fa02ed9b209b329dfd2eb8bfc29a.exe
2908	d825fa02ed9b209b329dfd2eb8bfc29a.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d825fa02ed9b209b329dfd2eb8bfc29a.exe

description pid process target process

PID 2112 set thread context of 2908 2112 d825fa02ed9b209b329dfd2eb8bfc29a.exe d825fa02ed9b209b329dfd2eb8bfc29a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2524 schtasks.exe

description	pid	process	target process
PID 2112 set thread context of 2908	2112	d825fa02ed9b209b329dfd2eb8bfc29a.exe	d825fa02ed9b209b329dfd2eb8bfc29a.exe

pid	process
2524	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d825fa02ed9b209b329dfd2eb8bfc29a.exe

description	pid	process
Token: SeDebugPrivilege	2908	d825fa02ed9b209b329dfd2eb8bfc29a.exe
Token: SeShutdownPrivilege	2908	d825fa02ed9b209b329dfd2eb8bfc29a.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

d825fa02ed9b209b329dfd2eb8bfc29a.exe

pid process

2908 d825fa02ed9b209b329dfd2eb8bfc29a.exe
2908 d825fa02ed9b209b329dfd2eb8bfc29a.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

d825fa02ed9b209b329dfd2eb8bfc29a.exe

C:\Users\Admin\AppData\Local\Temp\d825fa02ed9b209b329dfd2eb8bfc29a.exe
"C:\Users\Admin\AppData\Local\Temp\d825fa02ed9b209b329dfd2eb8bfc29a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNmCBdixl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDDB2.tmp"
2⤵
- Creates scheduled task(s)
PID:2524

C:\Users\Admin\AppData\Local\Temp\d825fa02ed9b209b329dfd2eb8bfc29a.exe
"C:\Users\Admin\AppData\Local\Temp\d825fa02ed9b209b329dfd2eb8bfc29a.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2908

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDDB2.tmp
Filesize
1KB

MD5
4b1edae2f1c1025c946b0fd3962534d1

SHA1
89599f02aa840edb1a54a233722e343286d2d9c4

SHA256
3992daca03cfda12317bd97a6fe33c6b0a668fe94a2d08747352a02c054fd712

SHA512
b1f85be895ef6ebae9929700d795a2fd8eaa9752082e2687c1d056b70af470b7b07fff0d03f30c95331c1e0bfe986c1cc377da0e98b1d3b5bf7e599d522b166e

Download Submit
memory/2112-0-0x0000000000F10000-0x0000000001292000-memory.dmp

Filesize
3.5MB

Download
memory/2112-1-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/2112-2-0x00000000071C0000-0x0000000007514000-memory.dmp

Filesize
3.3MB

Download
memory/2112-3-0x0000000004700000-0x0000000004740000-memory.dmp

Filesize
256KB

Download
memory/2112-4-0x000000000CC80000-0x000000000CC88000-memory.dmp

Filesize
32KB

Download
memory/2112-5-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/2112-6-0x0000000004700000-0x0000000004740000-memory.dmp

Filesize
256KB

Download
memory/2112-7-0x000000000F7D0000-0x000000000FB22000-memory.dmp

Filesize
3.3MB

Download
memory/2112-8-0x000000000FB20000-0x000000000FEE6000-memory.dmp

Filesize
3.8MB

Download
memory/2112-27-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/2908-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2908-32-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/2908-19-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/2908-20-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/2908-21-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/2908-16-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/2908-24-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/2908-26-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/2908-14-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/2908-28-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/2908-29-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/2908-18-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/2908-31-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/2908-30-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/2908-33-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/2908-35-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/2908-34-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/2908-36-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/2908-37-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/2908-38-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/2908-39-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/2908-40-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/2908-41-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download

description	pid	process	target process
PID 2112 wrote to memory of 2524	2112	d825fa02ed9b209b329dfd2eb8bfc29a.exe	schtasks.exe
PID 2112 wrote to memory of 2524	2112	d825fa02ed9b209b329dfd2eb8bfc29a.exe	schtasks.exe
PID 2112 wrote to memory of 2524	2112	d825fa02ed9b209b329dfd2eb8bfc29a.exe	schtasks.exe
PID 2112 wrote to memory of 2524	2112	d825fa02ed9b209b329dfd2eb8bfc29a.exe	schtasks.exe
PID 2112 wrote to memory of 2908	2112	d825fa02ed9b209b329dfd2eb8bfc29a.exe	d825fa02ed9b209b329dfd2eb8bfc29a.exe
PID 2112 wrote to memory of 2908	2112	d825fa02ed9b209b329dfd2eb8bfc29a.exe	d825fa02ed9b209b329dfd2eb8bfc29a.exe
PID 2112 wrote to memory of 2908	2112	d825fa02ed9b209b329dfd2eb8bfc29a.exe	d825fa02ed9b209b329dfd2eb8bfc29a.exe
PID 2112 wrote to memory of 2908	2112	d825fa02ed9b209b329dfd2eb8bfc29a.exe	d825fa02ed9b209b329dfd2eb8bfc29a.exe
PID 2112 wrote to memory of 2908	2112	d825fa02ed9b209b329dfd2eb8bfc29a.exe	d825fa02ed9b209b329dfd2eb8bfc29a.exe
PID 2112 wrote to memory of 2908	2112	d825fa02ed9b209b329dfd2eb8bfc29a.exe	d825fa02ed9b209b329dfd2eb8bfc29a.exe
PID 2112 wrote to memory of 2908	2112	d825fa02ed9b209b329dfd2eb8bfc29a.exe	d825fa02ed9b209b329dfd2eb8bfc29a.exe
PID 2112 wrote to memory of 2908	2112	d825fa02ed9b209b329dfd2eb8bfc29a.exe	d825fa02ed9b209b329dfd2eb8bfc29a.exe
PID 2112 wrote to memory of 2908	2112	d825fa02ed9b209b329dfd2eb8bfc29a.exe	d825fa02ed9b209b329dfd2eb8bfc29a.exe
PID 2112 wrote to memory of 2908	2112	d825fa02ed9b209b329dfd2eb8bfc29a.exe	d825fa02ed9b209b329dfd2eb8bfc29a.exe
PID 2112 wrote to memory of 2908	2112	d825fa02ed9b209b329dfd2eb8bfc29a.exe	d825fa02ed9b209b329dfd2eb8bfc29a.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads