bitrat | 4714811e90e7eb3fa08b27a95639c3bd8a836669749b28f9c0f24361e7ebe6ee

General

Target

dad4c7318b46644d7aa14a336281b2c5.exe
Size

3.4MB
MD5

dad4c7318b46644d7aa14a336281b2c5
SHA1

c0d76328d93a27eeb8b6b321703a889a095f8e18
SHA256

4714811e90e7eb3fa08b27a95639c3bd8a836669749b28f9c0f24361e7ebe6ee
SHA512

f178c5726b45220d8f5cc4ba324dba34733595e849061a3301eaa997acea6e179c4dee77ebb548e9ebae6c366aec09ecdf144729172c8b557a7ef3932fced833
SSDEEP

49152:G8HIQk6JZi5RQxF+XWIzXy8H+OUrm9JQHSPopLWPcZgtI1WARZNaDRlGovw8:GfQDURkIzdZJQ+oRWEZwEWARYGf

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

snkno.duckdns.org:43413

Attributes

communication_password
827ccb0eea8a706c4c34a16891f84e7b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/2188-3-0x0000000000440000-0x0000000000452000-memory.dmp	CustAttr

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

dad4c7318b46644d7aa14a336281b2c5.exe

pid	process
2788	dad4c7318b46644d7aa14a336281b2c5.exe
2788	dad4c7318b46644d7aa14a336281b2c5.exe
2788	dad4c7318b46644d7aa14a336281b2c5.exe
2788	dad4c7318b46644d7aa14a336281b2c5.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

dad4c7318b46644d7aa14a336281b2c5.exe

description pid process target process

PID 2188 set thread context of 2788 2188 dad4c7318b46644d7aa14a336281b2c5.exe dad4c7318b46644d7aa14a336281b2c5.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2812 schtasks.exe

description	pid	process	target process
PID 2188 set thread context of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	dad4c7318b46644d7aa14a336281b2c5.exe

pid	process
2812	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dad4c7318b46644d7aa14a336281b2c5.exe

description	pid	process
Token: SeDebugPrivilege	2788	dad4c7318b46644d7aa14a336281b2c5.exe
Token: SeShutdownPrivilege	2788	dad4c7318b46644d7aa14a336281b2c5.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

dad4c7318b46644d7aa14a336281b2c5.exe

pid process

2788 dad4c7318b46644d7aa14a336281b2c5.exe
2788 dad4c7318b46644d7aa14a336281b2c5.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

dad4c7318b46644d7aa14a336281b2c5.exe

C:\Users\Admin\AppData\Local\Temp\dad4c7318b46644d7aa14a336281b2c5.exe
"C:\Users\Admin\AppData\Local\Temp\dad4c7318b46644d7aa14a336281b2c5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WnlKRotuGIbp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB04C.tmp"
2⤵
- Creates scheduled task(s)
PID:2812

C:\Users\Admin\AppData\Local\Temp\dad4c7318b46644d7aa14a336281b2c5.exe
"C:\Users\Admin\AppData\Local\Temp\dad4c7318b46644d7aa14a336281b2c5.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2788

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB04C.tmp
Filesize
1KB

MD5
36d182fc174b83d136f25fcb747a47e6

SHA1
081e544f2d8a7ece1caeb8194cad626a7fae15ed

SHA256
3702e320d701ac330f688b5b70331485c0104127492cee50ee1d659175ff02b8

SHA512
42f26fc4206c6d7e633a51f8cfbe2739203586a6ee6578d10c0b21e016eb21f8fc648695eee7b2412d71151fa767a216eb56d14836c4abafa03e4fae234f8c19

Download Submit
memory/2188-26-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-0-0x0000000000990000-0x0000000000CFE000-memory.dmp

Filesize
3.4MB

Download
memory/2188-2-0x0000000004E60000-0x0000000004EA0000-memory.dmp

Filesize
256KB

Download
memory/2188-3-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2188-4-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-5-0x0000000004E60000-0x0000000004EA0000-memory.dmp

Filesize
256KB

Download
memory/2188-6-0x0000000009770000-0x0000000009A86000-memory.dmp

Filesize
3.1MB

Download
memory/2188-7-0x000000000BA90000-0x000000000BE58000-memory.dmp

Filesize
3.8MB

Download
memory/2188-1-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2788-27-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-33-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-17-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-18-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-19-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-20-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2788-23-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-25-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-15-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-13-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-28-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-30-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-31-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-32-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-16-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-34-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-35-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-36-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-37-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-38-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-39-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-40-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-41-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-42-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-43-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-44-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-45-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-46-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-47-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-48-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download

description	pid	process	target process
PID 2188 wrote to memory of 2812	2188	dad4c7318b46644d7aa14a336281b2c5.exe	schtasks.exe
PID 2188 wrote to memory of 2812	2188	dad4c7318b46644d7aa14a336281b2c5.exe	schtasks.exe
PID 2188 wrote to memory of 2812	2188	dad4c7318b46644d7aa14a336281b2c5.exe	schtasks.exe
PID 2188 wrote to memory of 2812	2188	dad4c7318b46644d7aa14a336281b2c5.exe	schtasks.exe
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	dad4c7318b46644d7aa14a336281b2c5.exe
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	dad4c7318b46644d7aa14a336281b2c5.exe
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	dad4c7318b46644d7aa14a336281b2c5.exe
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	dad4c7318b46644d7aa14a336281b2c5.exe
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	dad4c7318b46644d7aa14a336281b2c5.exe
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	dad4c7318b46644d7aa14a336281b2c5.exe
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	dad4c7318b46644d7aa14a336281b2c5.exe
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	dad4c7318b46644d7aa14a336281b2c5.exe
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	dad4c7318b46644d7aa14a336281b2c5.exe
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	dad4c7318b46644d7aa14a336281b2c5.exe
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	dad4c7318b46644d7aa14a336281b2c5.exe
PID 2188 wrote to memory of 2788	2188	dad4c7318b46644d7aa14a336281b2c5.exe	dad4c7318b46644d7aa14a336281b2c5.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads