bitrat | f6631cb0b90dad50436e54e1626d6684bb4188a451dd1168e72df5ca67583af7

General

Target

stub.exe
Size

3.8MB
MD5

4443b57c1262fbc156765ba2a9019391
SHA1

b02b8b4c0ee1f8b850e420d754ef1f398c1ebf4d
SHA256

f6631cb0b90dad50436e54e1626d6684bb4188a451dd1168e72df5ca67583af7
SHA512

84e4854c82c5fbd789ce1973b73d60aef138cee9b492a693a8a9d49a24488cdc719d54a8434fdc4b8e7057be33126e09aae2f04a88d9bfbb7abb9264aa0d596d
SSDEEP

98304:d77Pmq33rE/JDLPWZADUGer7B6iY74M/emlwXVZ4FB:5+R/eZADUXR

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

103.153.182.247:6161

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
Install path
install_file
Install name
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

stub.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Install name = "C:\\Users\\Admin\\AppData\\Local\\Install path\\Install nameȀ"	stub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Install name = "C:\\Users\\Admin\\AppData\\Local\\Install path\\Install name"	stub.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

stub.exe

pid process

100 stub.exe
100 stub.exe
100 stub.exe
100 stub.exe
NTFS ADS 1 IoCs

Processes:

stub.exe

description ioc process

File created C:\Users\Admin\AppData\Local:28-03-2024 stub.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local:28-03-2024	stub.exe

Suspicious behavior: RenamesItself 64 IoCs

Processes:

stub.exe

pid	process
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

stub.exe

description pid process

Token: SeShutdownPrivilege 100 stub.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

stub.exe

pid process

100 stub.exe
100 stub.exe

description	pid	process
Token: SeShutdownPrivilege	100	stub.exe

C:\Users\Admin\AppData\Local\Temp\stub.exe
"C:\Users\Admin\AppData\Local\Temp\stub.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4356

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/100-0-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/100-1-0x0000000074B70000-0x0000000074BA9000-memory.dmp

Filesize
228KB

Download
memory/100-2-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-3-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-4-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-5-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-6-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-7-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-8-0x0000000074B70000-0x0000000074BA9000-memory.dmp

Filesize
228KB

Download
memory/100-9-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-10-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-12-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-13-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-14-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-15-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-16-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-17-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-18-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-25-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-26-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-27-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-34-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-35-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-36-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-37-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-38-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-39-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-40-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-41-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-42-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-43-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-44-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-51-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-52-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-53-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-60-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-61-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-62-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-63-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-64-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-65-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-66-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-67-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-68-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-69-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-70-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-71-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-72-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-73-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads