bitrat | f6631cb0b90dad50436e54e1626d6684bb4188a451dd1168e72df5ca67583af7

Analysis

max time kernel
1800s
max time network
1805s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stub.exe
Size

3.8MB
MD5

4443b57c1262fbc156765ba2a9019391
SHA1

b02b8b4c0ee1f8b850e420d754ef1f398c1ebf4d
SHA256

f6631cb0b90dad50436e54e1626d6684bb4188a451dd1168e72df5ca67583af7
SHA512

84e4854c82c5fbd789ce1973b73d60aef138cee9b492a693a8a9d49a24488cdc719d54a8434fdc4b8e7057be33126e09aae2f04a88d9bfbb7abb9264aa0d596d
SSDEEP

98304:d77Pmq33rE/JDLPWZADUGer7B6iY74M/emlwXVZ4FB:5+R/eZADUXR

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

103.153.182.247:6161

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
Install path
install_file
Install name
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Install name = "C:\\Users\\Admin\\AppData\\Local\\Install path\\Install nameȀ"	stub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Install name = "C:\\Users\\Admin\\AppData\\Local\\Install path\\Install name"	stub.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local:28-03-2024	stub.exe

Suspicious behavior: RenamesItself 64 IoCs

pid	Process
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe
100	stub.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	100	stub.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
100	stub.exe
100	stub.exe

C:\Users\Admin\AppData\Local\Temp\stub.exe
"C:\Users\Admin\AppData\Local\Temp\stub.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/100-0-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/100-1-0x0000000074B70000-0x0000000074BA9000-memory.dmp

Filesize
228KB

Download
memory/100-2-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-3-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-4-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-5-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-6-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-7-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-8-0x0000000074B70000-0x0000000074BA9000-memory.dmp

Filesize
228KB

Download
memory/100-9-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-10-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-12-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-13-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-14-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-15-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-16-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-17-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-18-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-25-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-26-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-27-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-34-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-35-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-36-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-37-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-38-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-39-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-40-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-41-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-42-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-43-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-44-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-51-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-52-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-53-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-60-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-61-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-62-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-63-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-64-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-65-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-66-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-67-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-68-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-69-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-70-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-71-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-72-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download
memory/100-73-0x0000000074AA0000-0x0000000074AD9000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads