bitrat | c3bf75a13d38a48c126476948c06bdfca08ee0bb706a39c5d97f77e6c63fb8ae

General

Target

4d26e12d17a42568aa1f7d4b2f36aa3c.exe
Size

2.0MB
MD5

4d26e12d17a42568aa1f7d4b2f36aa3c
SHA1

c65c6120cb491c683d28cd7d913e062ca71acdf4
SHA256

c3bf75a13d38a48c126476948c06bdfca08ee0bb706a39c5d97f77e6c63fb8ae
SHA512

5dbecb961fd21062cc9fab5ea4ebb22563331bbfb6210b06ef38f9cf5620f26862f1e954659859afcc58d5fdf0a95e2ac968cb574618ae346f167c0e1909d2dd
SSDEEP

49152:ZTvC/MTQYxsWR7afXmpqVyBl8VaLH4QxP6Xw:ljTQYxsWR+mpqVA2YD466X

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

MyBtrpub.dynuddns.com:8889

Attributes

communication_password
cba52b50d9cf77a308a6bedcd075f95e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	drive.google.com
12	drive.google.com

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
4648	RegSvcs.exe
4648	RegSvcs.exe
4648	RegSvcs.exe
4648	RegSvcs.exe
4648	RegSvcs.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1004 set thread context of 0	1004	4d26e12d17a42568aa1f7d4b2f36aa3c.exe
PID 1004 set thread context of 4648	1004	4d26e12d17a42568aa1f7d4b2f36aa3c.exe	96

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1004	4d26e12d17a42568aa1f7d4b2f36aa3c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4648	RegSvcs.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1004	4d26e12d17a42568aa1f7d4b2f36aa3c.exe
1004	4d26e12d17a42568aa1f7d4b2f36aa3c.exe
1004	4d26e12d17a42568aa1f7d4b2f36aa3c.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1004	4d26e12d17a42568aa1f7d4b2f36aa3c.exe
1004	4d26e12d17a42568aa1f7d4b2f36aa3c.exe
1004	4d26e12d17a42568aa1f7d4b2f36aa3c.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4648	RegSvcs.exe
4648	RegSvcs.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 4520	1004	4d26e12d17a42568aa1f7d4b2f36aa3c.exe	95
PID 1004 wrote to memory of 4520	1004	4d26e12d17a42568aa1f7d4b2f36aa3c.exe	95
PID 1004 wrote to memory of 4520	1004	4d26e12d17a42568aa1f7d4b2f36aa3c.exe	95
PID 1004 wrote to memory of 4520	1004	4d26e12d17a42568aa1f7d4b2f36aa3c.exe	95
PID 1004 wrote to memory of 4520	1004	4d26e12d17a42568aa1f7d4b2f36aa3c.exe	95
PID 1004 wrote to memory of 4648	1004	4d26e12d17a42568aa1f7d4b2f36aa3c.exe	96
PID 1004 wrote to memory of 4648	1004	4d26e12d17a42568aa1f7d4b2f36aa3c.exe	96
PID 1004 wrote to memory of 4648	1004	4d26e12d17a42568aa1f7d4b2f36aa3c.exe	96
PID 1004 wrote to memory of 4648	1004	4d26e12d17a42568aa1f7d4b2f36aa3c.exe	96
PID 1004 wrote to memory of 4648	1004	4d26e12d17a42568aa1f7d4b2f36aa3c.exe	96

C:\Users\Admin\AppData\Local\Temp\4d26e12d17a42568aa1f7d4b2f36aa3c.exe
"C:\Users\Admin\AppData\Local\Temp\4d26e12d17a42568aa1f7d4b2f36aa3c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:4520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4648-15-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download
memory/4648-17-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download
memory/4648-18-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download
memory/4648-16-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download
memory/4648-20-0x0000000074CA0000-0x0000000074CD9000-memory.dmp

Filesize
228KB

Download
memory/4648-21-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download
memory/4648-27-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download
memory/4648-28-0x0000000075020000-0x0000000075059000-memory.dmp

Filesize
228KB

Download
memory/4648-29-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download
memory/4648-30-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download
memory/4648-31-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download
memory/4648-33-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download
memory/4648-34-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download
memory/4648-35-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download
memory/4648-36-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download
memory/4648-41-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download
memory/4648-45-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download
memory/4648-48-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download
memory/4648-53-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download
memory/4648-56-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download
memory/4648-61-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download
memory/4648-65-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download
memory/4648-68-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download
memory/4648-72-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download
memory/4648-77-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download
memory/4648-81-0x0000000000720000-0x0000000000AEE000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing