bitrat | f6631cb0b90dad50436e54e1626d6684bb4188a451dd1168e72df5ca67583af7

Analysis

max time kernel
148s
max time network
144s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-03-2024 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stub.exe
Size

3.8MB
MD5

4443b57c1262fbc156765ba2a9019391
SHA1

b02b8b4c0ee1f8b850e420d754ef1f398c1ebf4d
SHA256

f6631cb0b90dad50436e54e1626d6684bb4188a451dd1168e72df5ca67583af7
SHA512

84e4854c82c5fbd789ce1973b73d60aef138cee9b492a693a8a9d49a24488cdc719d54a8434fdc4b8e7057be33126e09aae2f04a88d9bfbb7abb9264aa0d596d
SSDEEP

98304:d77Pmq33rE/JDLPWZADUGer7B6iY74M/emlwXVZ4FB:5+R/eZADUXR

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

103.153.182.247:6161

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
Install path
install_file
Install name
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Install name = "C:\\Users\\Admin\\AppData\\Local\\Install path\\Install name"	stub.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe

Suspicious behavior: RenamesItself 30 IoCs

pid	Process
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe
2208	stub.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	stub.exe
Token: SeShutdownPrivilege	2208	stub.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2208	stub.exe
2208	stub.exe

C:\Users\Admin\AppData\Local\Temp\stub.exe
"C:\Users\Admin\AppData\Local\Temp\stub.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2208-0-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads