bitrat | 18f501c16c958abd19fafa10b1fb5baac2387a51807eb9229fa1cbe4a663b9b6

General

Target

AmazonSetup.exe
Size

2.8MB
MD5

21434ba1af9e80e0bb9d4e49e643d269
SHA1

c460ce1a3fd7c3c5af78ab01a18bc62bcf3a8c8b
SHA256

aa79d46aa459af0d46da380af6481f51369da4c4080a009028e83857dcd844f2
SHA512

012a96b51ee1cefa86c0bfca56f0fe2a0e3d7ec061fa6868184234338dd5f2329bc0de2298d4a782c3e2bdb4bd665fd373adad6f28f26c2c6439972280d9d7b8
SSDEEP

49152:AS4o6fCn0IO2N7Sb/h0vQV2vMHZYd6GZC+8qBBVRlEt73LfsL6kVOSo3dAf2doBn:AG0aw/8HWZY/A+8qvfli7fsLHgSw7G5P

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.34

C2

curtisusa.hopto.org:5215

Attributes

communication_password
ee342c2505c08512ed898d3855498f1a
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AmazonSetup.exeLIXVoWXPPCyc5Jy.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	AmazonSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	LIXVoWXPPCyc5Jy.exe

Executes dropped EXE 3 IoCs

Processes:

LIXVoWXPPCyc5Jy.exeAmazonGamesSetup.exeAmazon Games Setup.exe

pid	Process
2812	LIXVoWXPPCyc5Jy.exe
1404	AmazonGamesSetup.exe
1120	Amazon Games Setup.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3508-149-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3508-151-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3508-150-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3508-174-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3508-184-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3508-190-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3508-241-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3508-240-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3508-526-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3508-525-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3508-796-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3508-797-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3508-1235-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3508-1236-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3508-1643-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/3508-1642-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

MSBuild.exe

pid	Process
3508	MSBuild.exe
3508	MSBuild.exe
3508	MSBuild.exe
3508	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

LIXVoWXPPCyc5Jy.exe

description	pid	Process	procid_target
PID 2812 set thread context of 3508	2812	LIXVoWXPPCyc5Jy.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
2960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

LIXVoWXPPCyc5Jy.exe

pid	Process
2812	LIXVoWXPPCyc5Jy.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

LIXVoWXPPCyc5Jy.exeMSBuild.exe

description	pid	Process
Token: SeDebugPrivilege	2812	LIXVoWXPPCyc5Jy.exe
Token: SeShutdownPrivilege	3508	MSBuild.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

MSBuild.exe

pid	Process
3508	MSBuild.exe
3508	MSBuild.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

AmazonSetup.exeAmazonGamesSetup.exeLIXVoWXPPCyc5Jy.exe

description	pid	Process	procid_target
PID 676 wrote to memory of 2812	676	AmazonSetup.exe	83
PID 676 wrote to memory of 2812	676	AmazonSetup.exe	83
PID 676 wrote to memory of 2812	676	AmazonSetup.exe	83
PID 676 wrote to memory of 1404	676	AmazonSetup.exe	84
PID 676 wrote to memory of 1404	676	AmazonSetup.exe	84
PID 676 wrote to memory of 1404	676	AmazonSetup.exe	84
PID 1404 wrote to memory of 1120	1404	AmazonGamesSetup.exe	88
PID 1404 wrote to memory of 1120	1404	AmazonGamesSetup.exe	88
PID 1404 wrote to memory of 1120	1404	AmazonGamesSetup.exe	88
PID 2812 wrote to memory of 2960	2812	LIXVoWXPPCyc5Jy.exe	99
PID 2812 wrote to memory of 2960	2812	LIXVoWXPPCyc5Jy.exe	99
PID 2812 wrote to memory of 2960	2812	LIXVoWXPPCyc5Jy.exe	99
PID 2812 wrote to memory of 3508	2812	LIXVoWXPPCyc5Jy.exe	101
PID 2812 wrote to memory of 3508	2812	LIXVoWXPPCyc5Jy.exe	101
PID 2812 wrote to memory of 3508	2812	LIXVoWXPPCyc5Jy.exe	101
PID 2812 wrote to memory of 3508	2812	LIXVoWXPPCyc5Jy.exe	101
PID 2812 wrote to memory of 3508	2812	LIXVoWXPPCyc5Jy.exe	101
PID 2812 wrote to memory of 3508	2812	LIXVoWXPPCyc5Jy.exe	101
PID 2812 wrote to memory of 3508	2812	LIXVoWXPPCyc5Jy.exe	101

C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe
"C:\Users\Admin\AppData\Local\Temp\AmazonSetup.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:676
- C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe
  "C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AGbGTkAzcl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7A1D.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2960
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    "{path}"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3508
- C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\Amazon Games Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Amazon Games Setup.exe" "/nopatch"
    3⤵
    - Executes dropped EXE
    PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Amazon Games\App\Amazon Games UI\resources\static\public\core\auth-limbo-40b52b60a701b5c26a7d.css

Filesize
320KB

MD5
acf81f08b85de98eca96cc1b2bbb199a

SHA1
4c089f322370d4461ffa94097d39cc148f45c4da

SHA256
e1326b0de115e4dae4d3157f50636abd85505c0995e4131d68878fedc512498e

SHA512
9220c6162e604d05c404ea9868a3564b7691e51bf7535d1628d194d3fb7bd2391cae076e5da99f664632fc0c6acd7a0807fcb2d1b4af1e2842cfb6973e2e056b

Download Submit
C:\Users\Admin\AppData\Local\Amazon Games\Data\Logs\Native\Install_2024-07-04_03-52_0.log

Filesize
1KB

MD5
18248df6727579c071d6c1bad0ec1352

SHA1
4fab1051a855cb08d25efbe14db03fb0f702b711

SHA256
9ae38c15682d5c6dc3b218682fbe385e75a45752c0055120e8196c904647cfef

SHA512
8357657cde73ccc7d9050f28e0ed152a7b3cd12536ac33a7ddecfebf3e5ff125cf4c2b39cb212b315e0bdbfbf4286a44e28560697b7b0cdadbb727819d8c7ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Amazon Games Setup.exe

Filesize
1.9MB

MD5
3f1a9950778e30d7e742506da20c0c14

SHA1
e61f35b01bd30aeb144b9136b52239956e0f1d7e

SHA256
f6e6eb9e27a83689960f2438d86512092db2532c97d460e9b2e6a23834fa48f3

SHA512
43f84f1d28bf6ebbf338970c20ecbb153bdbf4d199d036136663c26a504d6ad454dc18cb108e90b4329c74b483e82b513462e119d1f8df01b2e926e123c38808

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmazonGamesSetup.exe

Filesize
1.8MB

MD5
02be3726c0a90958a3c30577d3b3a131

SHA1
bedbab8bd74a9d7313ba32ca033c81ec32c04706

SHA256
1a99f1054e51fe86416c59e5c526d69776fdabd7bb9831dbaab8582322121c7a

SHA512
662eaa8d3b112ef981d27832a2a46b0ecb55e2d1dcf49fe1fbd134e3c4e02758bc9ad3db2e25f53fc174e2083dd278967f405a768fdd814612c9a43bc6d1c713

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIXVoWXPPCyc5Jy.exe

Filesize
2.5MB

MD5
cef6d09b553a93f81942da9838b1ac57

SHA1
c32fbf54b54dadabbae600645c417c163234daf5

SHA256
d9aa21479a1a55d57839aee6310cd6853b2bc5215337aa72316a96f7be7ff3e5

SHA512
05ed612b7d2e14b034a391d45b578e0eda2b52be3b8eeccb3534872de61d05d95b4b3e7f10bfa01ef6913d29a24404c8cf635c804f9fbe2820321078d1007928

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7A1D.tmp

Filesize
1KB

MD5
505d58183b76cac61ecf0ce485bd996a

SHA1
607fa8d4982f4fb044d4170c0f9eec5b1311115a

SHA256
069679d4327a4e0f5abe25d710169c07961a469fd98f0a2ef8277bb1168c4258

SHA512
75d0ff3be0c961d8b944c9691f87cc9a63637e342860eea225d9c3c07fb99367acfd492fa5af65bce3c4fd98fef9f09a74e3c252b898882a5b26c6d1b662b5f7

Download Submit
memory/2812-24-0x0000000073B10000-0x00000000740C1000-memory.dmp

Filesize
5.7MB

Download
memory/2812-35-0x0000000073B12000-0x0000000073B13000-memory.dmp

Filesize
4KB

Download
memory/2812-36-0x0000000073B10000-0x00000000740C1000-memory.dmp

Filesize
5.7MB

Download
memory/2812-37-0x0000000073B10000-0x00000000740C1000-memory.dmp

Filesize
5.7MB

Download
memory/2812-23-0x0000000073B10000-0x00000000740C1000-memory.dmp

Filesize
5.7MB

Download
memory/2812-159-0x0000000073B10000-0x00000000740C1000-memory.dmp

Filesize
5.7MB

Download
memory/2812-22-0x0000000073B12000-0x0000000073B13000-memory.dmp

Filesize
4KB

Download
memory/3508-190-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3508-526-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3508-174-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3508-181-0x0000000074A40000-0x0000000074A79000-memory.dmp

Filesize
228KB

Download
memory/3508-184-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3508-151-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3508-197-0x0000000074B30000-0x0000000074B69000-memory.dmp

Filesize
228KB

Download
memory/3508-241-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3508-240-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3508-244-0x0000000074B30000-0x0000000074B69000-memory.dmp

Filesize
228KB

Download
memory/3508-149-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3508-150-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3508-525-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3508-531-0x0000000074B20000-0x0000000074B59000-memory.dmp

Filesize
228KB

Download
memory/3508-796-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3508-797-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3508-798-0x0000000074B20000-0x0000000074B59000-memory.dmp

Filesize
228KB

Download
memory/3508-1235-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3508-1236-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3508-1249-0x0000000074B20000-0x0000000074B59000-memory.dmp

Filesize
228KB

Download
memory/3508-1643-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3508-1642-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3508-1644-0x0000000074B20000-0x0000000074B59000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads