bitrat | 4714811e90e7eb3fa08b27a95639c3bd8a836669749b28f9c0f24361e7ebe6ee

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
21-03-2024 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dad4c7318b46644d7aa14a336281b2c5.exe
Size

3.4MB
MD5

dad4c7318b46644d7aa14a336281b2c5
SHA1

c0d76328d93a27eeb8b6b321703a889a095f8e18
SHA256

4714811e90e7eb3fa08b27a95639c3bd8a836669749b28f9c0f24361e7ebe6ee
SHA512

f178c5726b45220d8f5cc4ba324dba34733595e849061a3301eaa997acea6e179c4dee77ebb548e9ebae6c366aec09ecdf144729172c8b557a7ef3932fced833
SSDEEP

49152:G8HIQk6JZi5RQxF+XWIzXy8H+OUrm9JQHSPopLWPcZgtI1WARZNaDRlGovw8:GfQDURkIzdZJQ+oRWEZwEWARYGf

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

snkno.duckdns.org:43413

Attributes

communication_password
827ccb0eea8a706c4c34a16891f84e7b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral1/memory/2188-3-0x0000000000440000-0x0000000000452000-memory.dmp	CustAttr

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2788	dad4c7318b46644d7aa14a336281b2c5.exe
2788	dad4c7318b46644d7aa14a336281b2c5.exe
2788	dad4c7318b46644d7aa14a336281b2c5.exe
2788	dad4c7318b46644d7aa14a336281b2c5.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2188 set thread context of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2812	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	dad4c7318b46644d7aa14a336281b2c5.exe
Token: SeShutdownPrivilege	2788	dad4c7318b46644d7aa14a336281b2c5.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2788	dad4c7318b46644d7aa14a336281b2c5.exe
2788	dad4c7318b46644d7aa14a336281b2c5.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2812	2188	dad4c7318b46644d7aa14a336281b2c5.exe	28
PID 2188 wrote to memory of 2812	2188	dad4c7318b46644d7aa14a336281b2c5.exe	28
PID 2188 wrote to memory of 2812	2188	dad4c7318b46644d7aa14a336281b2c5.exe	28
PID 2188 wrote to memory of 2812	2188	dad4c7318b46644d7aa14a336281b2c5.exe	28
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	30
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	30
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	30
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	30
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	30
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	30
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	30
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	30
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	30
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	30
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	30
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	30

C:\Users\Admin\AppData\Local\Temp\dad4c7318b46644d7aa14a336281b2c5.exe
"C:\Users\Admin\AppData\Local\Temp\dad4c7318b46644d7aa14a336281b2c5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WnlKRotuGIbp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB04C.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\dad4c7318b46644d7aa14a336281b2c5.exe
  "C:\Users\Admin\AppData\Local\Temp\dad4c7318b46644d7aa14a336281b2c5.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB04C.tmp

Filesize
1KB

MD5
36d182fc174b83d136f25fcb747a47e6

SHA1
081e544f2d8a7ece1caeb8194cad626a7fae15ed

SHA256
3702e320d701ac330f688b5b70331485c0104127492cee50ee1d659175ff02b8

SHA512
42f26fc4206c6d7e633a51f8cfbe2739203586a6ee6578d10c0b21e016eb21f8fc648695eee7b2412d71151fa767a216eb56d14836c4abafa03e4fae234f8c19

Download Submit
memory/2188-26-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-0-0x0000000000990000-0x0000000000CFE000-memory.dmp

Filesize
3.4MB

Download
memory/2188-2-0x0000000004E60000-0x0000000004EA0000-memory.dmp

Filesize
256KB

Download
memory/2188-3-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2188-4-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-5-0x0000000004E60000-0x0000000004EA0000-memory.dmp

Filesize
256KB

Download
memory/2188-6-0x0000000009770000-0x0000000009A86000-memory.dmp

Filesize
3.1MB

Download
memory/2188-7-0x000000000BA90000-0x000000000BE58000-memory.dmp

Filesize
3.8MB

Download
memory/2188-1-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2788-27-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-33-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-17-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-18-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-19-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-20-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2788-23-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-25-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-15-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-13-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-28-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-30-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-31-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-32-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-16-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-34-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-35-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-36-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-37-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-38-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-39-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-40-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-41-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-42-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-43-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-44-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-45-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-46-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-47-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-48-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads