bitrat | ca4744fdad8ea57a09b0fe0e09be4e90fcfcfd923708ec8546c3c4ba009b8839

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-03-2024 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07-20-21INVOICES.exe
Size

1.7MB
MD5

bdcdb05af6a2ac95bb13857ab6b6debc
SHA1

93999f28d1c8391d60830be5202233b63db93301
SHA256

09df08b715bf11a0bc6cb5cdc5cd724927ba6c6a18ca2896f153d9b424196767
SHA512

7a25c9768a0181bf3000c56d8f739a1835aa9114761a20e7d8ed21318467556acc26e183e832b907122fe2f2c32ab1750ccb3d016a2abead43955ad7050f73e5
SSDEEP

49152:7jr8QuQLqpb0/udMUNPlam4t1Uyru4YNsbN:7nhuQWb0/uWUNPlL4t1dNYUN

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

eewe.ddns.net:2880

Attributes

communication_password
b18aba2f7c3bf981f4caba4a41e6b205
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

UPX packed file 40 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2584-5-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-7-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-8-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-9-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-10-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-11-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-12-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-13-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-14-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-16-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-18-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-19-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-20-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-21-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-30-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-31-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-32-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-34-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-35-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-36-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-37-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-38-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-39-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-41-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-42-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-43-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-44-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-45-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-46-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-48-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-49-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-50-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-51-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-52-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-53-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-55-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-56-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-57-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-58-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-59-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2584	07-20-21INVOICES.exe
2584	07-20-21INVOICES.exe
2584	07-20-21INVOICES.exe
2584	07-20-21INVOICES.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2992 set thread context of 2584	2992	07-20-21INVOICES.exe	28

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	07-20-21INVOICES.exe
Token: SeShutdownPrivilege	2584	07-20-21INVOICES.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2584	07-20-21INVOICES.exe
2584	07-20-21INVOICES.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2584	2992	07-20-21INVOICES.exe	28
PID 2992 wrote to memory of 2584	2992	07-20-21INVOICES.exe	28
PID 2992 wrote to memory of 2584	2992	07-20-21INVOICES.exe	28
PID 2992 wrote to memory of 2584	2992	07-20-21INVOICES.exe	28
PID 2992 wrote to memory of 2584	2992	07-20-21INVOICES.exe	28
PID 2992 wrote to memory of 2584	2992	07-20-21INVOICES.exe	28
PID 2992 wrote to memory of 2584	2992	07-20-21INVOICES.exe	28
PID 2992 wrote to memory of 2584	2992	07-20-21INVOICES.exe	28
PID 2992 wrote to memory of 2584	2992	07-20-21INVOICES.exe	28

C:\Users\Admin\AppData\Local\Temp\07-20-21INVOICES.exe
"C:\Users\Admin\AppData\Local\Temp\07-20-21INVOICES.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\07-20-21INVOICES.exe
  "C:\Users\Admin\AppData\Local\Temp\07-20-21INVOICES.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2584-35-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-5-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2584-34-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-7-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-59-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-8-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-9-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-10-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-11-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-32-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-13-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-58-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-16-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-18-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-19-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-20-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-21-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-30-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-31-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-12-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-57-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-14-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-36-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-37-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-38-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-39-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-41-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-42-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-43-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-44-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-45-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-46-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-48-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-49-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-50-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-51-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-52-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-53-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-55-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-56-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2992-1-0x0000000004C80000-0x0000000004DF3000-memory.dmp

Filesize
1.4MB

Download
memory/2992-0-0x0000000004C80000-0x0000000004DF3000-memory.dmp

Filesize
1.4MB

Download
memory/2992-4-0x0000000004E00000-0x0000000004F73000-memory.dmp

Filesize
1.4MB

Download