bitrat | b693010f3f342fb06dd959f2553b7937d5daeaf9b4b7fd800ed5a9a6d8a099e7

Analysis

max time kernel
23s
max time network
17s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SQLi v.8.5.exe
Size

12.7MB
MD5

d887c03a2d230dc196c8b3ac47030b9e
SHA1

b4d08bf36841ffdeb0750455021a707804f8d509
SHA256

b693010f3f342fb06dd959f2553b7937d5daeaf9b4b7fd800ed5a9a6d8a099e7
SHA512

6cee30d2448b930504f0933ca04e7f30fb3e1f2924d490146c0168308298d222cf5eb83885da405ba8fcd92b7f4979e23b4f9c706c936df5bfb52d2819022072
SSDEEP

196608:OhzlOFCwaHNFrXW+YrDkx/NNYz7vPmHpBt:2zMCwaHNlXW+Y/kx/TyPmj

Score

10^/10

bitrat persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.34

80.85.156.209:8080

Attributes

communication_password
ae5eb824ef87499f644c3f11a7176157
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Executes dropped EXE 3 IoCs

pid	Process
2272	0.exe
3020	pebloso.exe
2584	pebloso.exe

Loads dropped DLL 3 IoCs

pid	Process
108	SQLi v.8.5.exe
108	SQLi v.8.5.exe
3020	pebloso.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2584-24-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-25-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-23-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-21-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-28-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-34-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-35-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-37-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-38-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-40-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-41-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-43-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-46-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-44-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-47-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-49-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-50-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-52-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-53-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-54-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-56-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-60-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-58-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-64-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-61-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-67-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-68-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-75-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-77-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-79-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-83-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-85-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-90-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-88-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-96-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-102-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-94-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-93-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-91-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-87-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-81-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-80-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-73-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-72-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-97-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-99-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-100-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2584-145-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\shwifty = "C:\\users\\Admin\\AppData\\Local\\Temp\\shwifty.exe"	pebloso.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
4	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2584	pebloso.exe
2584	pebloso.exe
2584	pebloso.exe
2584	pebloso.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3020 set thread context of 2584	3020	pebloso.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local:02-06-2024	pebloso.exe
File opened for modification	C:\Users\Admin\AppData\Local:02-06-2024	pebloso.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2272	0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2584	pebloso.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	0.exe
Token: SeDebugPrivilege	2584	pebloso.exe
Token: SeShutdownPrivilege	2584	pebloso.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
108	SQLi v.8.5.exe
108	SQLi v.8.5.exe
2584	pebloso.exe
2584	pebloso.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 2272	108	SQLi v.8.5.exe	28
PID 108 wrote to memory of 2272	108	SQLi v.8.5.exe	28
PID 108 wrote to memory of 2272	108	SQLi v.8.5.exe	28
PID 108 wrote to memory of 2272	108	SQLi v.8.5.exe	28
PID 108 wrote to memory of 3020	108	SQLi v.8.5.exe	29
PID 108 wrote to memory of 3020	108	SQLi v.8.5.exe	29
PID 108 wrote to memory of 3020	108	SQLi v.8.5.exe	29
PID 108 wrote to memory of 3020	108	SQLi v.8.5.exe	29
PID 3020 wrote to memory of 2584	3020	pebloso.exe	31
PID 3020 wrote to memory of 2584	3020	pebloso.exe	31
PID 3020 wrote to memory of 2584	3020	pebloso.exe	31
PID 3020 wrote to memory of 2584	3020	pebloso.exe	31
PID 3020 wrote to memory of 2584	3020	pebloso.exe	31
PID 3020 wrote to memory of 2584	3020	pebloso.exe	31

C:\Users\Admin\AppData\Local\Temp\SQLi v.8.5.exe
"C:\Users\Admin\AppData\Local\Temp\SQLi v.8.5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:108
- C:\Users\Admin\AppData\Local\Temp\0.exe
  "C:\Users\Admin\AppData\Local\Temp\0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Users\Admin\AppData\Local\Temp\pebloso.exe
  "C:\Users\Admin\AppData\Local\Temp\pebloso.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\pebloso.exe
    "C:\Users\Admin\AppData\Local\Temp\pebloso.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - NTFS ADS
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\0.exe

Filesize
2.3MB

MD5
f558500b09118c2d5482c0097d41b986

SHA1
ebdd90df103acb0a28a46b4affde511f5b0bb6d0

SHA256
4081a78ba280d28c56551983e515486a1dacf9ba26a3e76a71060982cc9e5ed7

SHA512
d4bfd969d7e8e0ff7aedf55ea69398ced8bd81dd2bde7e87a79d6890fa4b38d0275ceb8c72e20336d97bff2252cd904e27f8023b93dacf961d7345d18e0e7441

Download Submit
\Users\Admin\AppData\Local\Temp\pebloso.exe

Filesize
6.2MB

MD5
4d28de913b4b1e07f75c75e3cdd75add

SHA1
ce6735e3a3b68b904bda4ea150adfed689b8d18a

SHA256
e43d70c273c8c083b5368e6c8dfd74e403a3f6b5e263609497940bb94ecc6f01

SHA512
ea7bc0621977f6a9833c28945c41681c065073fb8b63e44118d772f0132dea60c6ed2c5129cb6072d5e315ee82e512bc54686adace9aa979e443b7803aa41a1a

Download Submit
memory/108-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/108-14-0x0000000000400000-0x00000000010C1000-memory.dmp

Filesize
12.8MB

Download
memory/2272-12-0x00000000003F0000-0x000000000064A000-memory.dmp

Filesize
2.4MB

Download
memory/2584-18-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2584-24-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-25-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-23-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-21-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-28-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-34-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-35-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-37-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-38-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-40-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-41-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-43-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-46-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-44-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-47-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-49-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-50-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-52-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-53-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-54-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-56-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-58-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-64-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-61-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-67-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-68-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-75-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-77-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-79-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-83-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-85-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-90-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-88-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-96-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-102-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-94-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-93-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-91-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-87-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-81-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-80-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-73-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-72-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-97-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-99-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-100-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2584-145-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3020-26-0x0000000000400000-0x0000000000A8E000-memory.dmp

Filesize
6.6MB

Download