bitrat | 1eb852ea8cdd3be460ae959a012a1e2122435d7e9b6196c5eacd2bf7f92b0f83

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25-08-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stub.exe
Size

3.8MB
MD5

b68f66b5f2a41de572a784d603eaa230
SHA1

7ba4f34b08e472351d0f73f01cfca3d54de48689
SHA256

1eb852ea8cdd3be460ae959a012a1e2122435d7e9b6196c5eacd2bf7f92b0f83
SHA512

d6195c4ef4ffa11b5f5f5c539fd1df95b79bef6702035f82355d165459351dd6bb25b57cbe8075cca71b7f5db37c1362371420e7e94b229ac72ed2cf72b46409
SSDEEP

98304:d77Pmq33rE/JDLPWZADUGer7B6iY74M/rmlwXVZ4FB:5+R/eZADUXR

Score

10^/10

bitrat discovery persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

IP:Port

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
Install path
install_file
Install name
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

stub.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Install name = "C:\\Users\\Admin\\AppData\\Local\\Install path\\Install name"	stub.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

stub.exe

pid process

2568 stub.exe
2568 stub.exe
2568 stub.exe
2568 stub.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

stub.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language stub.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stub.exe

Suspicious behavior: RenamesItself 29 IoCs

Processes:

stub.exe

pid	process
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe
2568	stub.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

stub.exe

description pid process

Token: SeDebugPrivilege 2568 stub.exe
Token: SeShutdownPrivilege 2568 stub.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

stub.exe

pid process

2568 stub.exe
2568 stub.exe

description	pid	process
Token: SeDebugPrivilege	2568	stub.exe
Token: SeShutdownPrivilege	2568	stub.exe

C:\Users\Admin\AppData\Local\Temp\stub.exe
"C:\Users\Admin\AppData\Local\Temp\stub.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2568-0-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2568-1-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2568-3-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2568-4-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2568-6-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2568-7-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2568-9-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2568-10-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2568-12-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2568-13-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download