bitrat | a2af34ebcde526aa98df7040bad86bd7b7a3bc70ed343187bcc9e490447d3662

General

Target

BitRat Cracked.rar
Size

61.5MB
MD5

69e70ea13901ae86789b3455813a1334
SHA1

3e9e1d9948b23b8fa21650b51e941155bcc068c8
SHA256

a2af34ebcde526aa98df7040bad86bd7b7a3bc70ed343187bcc9e490447d3662
SHA512

c500fd9cc2b50330e7ba6ec590f6bf61c18d665c737b743cf218226db18e067b0221f4c6771ab954ebdd1a3faa891480e0da2fbd364a60fda0eb86fce9fb3be5
SSDEEP

1572864:rInKJelI4pTXuQ06hwwou2u6u/RwXh8LOzHS:rInKstT+Q06hww9Ou/RwR2OG

Score

10^/10

bitrat discovery persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

127.0.0.1:7777

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
Install path
install_file
Install name
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Bitrat family
bitrat

Executes dropped EXE 2 IoCs

pid	Process
1556	BitShitBuilder.exe
4840	stub.exe

Loads dropped DLL 1 IoCs

pid	Process
1556	BitShitBuilder.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\Install name = "C:\\Users\\Admin\\AppData\\Local\\Install path\\Install name"	stub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Run\Install name = "C:\\Users\\Admin\\AppData\\Local\\Install path\\Install namè"	stub.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 30 IoCs

pid	Process
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
1556	BitShitBuilder.exe
4840	stub.exe
4840	stub.exe
4840	stub.exe
4840	stub.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitShitBuilder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stub.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	4936	7zFM.exe
Token: 35	4936	7zFM.exe
Token: SeSecurityPrivilege	4936	7zFM.exe
Token: SeShutdownPrivilege	4840	stub.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4936	7zFM.exe
4936	7zFM.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1556	BitShitBuilder.exe
4840	stub.exe
4840	stub.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BitRat Cracked.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4936

C:\Users\Admin\Desktop\BitShitBuilder.exe
"C:\Users\Admin\Desktop\BitShitBuilder.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1556

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3572

C:\Users\Admin\Desktop\stub.exe
"C:\Users\Admin\Desktop\stub.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zE84302FC7\data\media\flags\re.png

Filesize
545B

MD5
c1cf1874c3305e5663547a48f6ad2d8c

SHA1
0f67f12d76a0543772a3259a3b38935381349e01

SHA256
79a39793efbf8217efbbc840e1b2041fe995363a5f12f0c01dd4d1462e5eb842

SHA512
c00e202e083f703e39cafbb86f3e3f6b330359906e3a6c7a6a78364d6adeb489f8b8ab1b2d6a1b8d9ef1a17702cfc8fc17219cf1aae3e5a7c18833f028037843

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE84302FC7\data\media\flags\sj.png

Filesize
512B

MD5
559ce5baaee373db8da150a5066c1062

SHA1
ee80e5f63c986d04f46bff10f639113c88107ced

SHA256
f8dc302371c809ebda3e9183c606264601f8dd851d2b1878fd25f0f6abe2988c

SHA512
c0ca7595cdd2dcef0385ccb1c0d15bb74accaea63b9531233bddf14c1791ffc9712dff660292706cfa269a975d29d7a189885cd09046ac6d8ed39a57ec9557ca

Download Submit
C:\Users\Admin\Desktop\BitShitBuilder.exe

Filesize
10.5MB

MD5
6b52d094d85c112904e314bc3b939542

SHA1
f97dab5fd7327ecb32eabb294653c29decdcb6a5

SHA256
1e982fc30c7a64c12d18cc2d13a25085e9c8ee0fab379665c6d011539179a76f

SHA512
76d353d46c75b579e62073bc330a89b4356967006781bc78c39a6ed87fd28007454e7f2c58bae6532ca4419cce9f8230e577234fc35251527dffa1c330f291b8

Download Submit
C:\Users\Admin\Desktop\stub.exe

Filesize
3.8MB

MD5
322560981874d1c0ab1c10d1dce7e230

SHA1
5d547f85e0721252f88073d4bef9631e137f1d34

SHA256
f79049746b61096f38d0909f288c8ada697a8263752822e8cf133eb25c8cdc5b

SHA512
b6c58f4345e28ffba5e65c5d083dbda0e5496949d954a52673ab7c8e33cf20b36fbfe8e37b656d91ec23da354481128259453efe21e98ee8aea8f83dacb40a8a

Download Submit
\??\c:\users\admin\desktop\BitRAT_Lover.dll

Filesize
63KB

MD5
c19f45e83944fcff90de29d67816623d

SHA1
b4896c417038915fcece58b0953e9163c38f9e56

SHA256
f1514d58c431a3f1a0f8e19fca9aceb3ffac6c74a56d788dc30ba5f5ecb01b07

SHA512
ed31dddff225eee8953abbe785a9d9b3e5ba2ab2526da9144b07d05c715cfe51e5a14d8dc644cd9aed49a246b9e3a1bb9e52f7d9c66d23cd6979c687b187c3e4

Download Submit
memory/1556-594-0x000000007FAA0000-0x000000007FE71000-memory.dmp

Filesize
3.8MB

Download
memory/1556-588-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/1556-592-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/1556-584-0x000000007FAA0000-0x000000007FE71000-memory.dmp

Filesize
3.8MB

Download
memory/1556-593-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/1556-595-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/1556-596-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/1556-597-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/1556-599-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/1556-602-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/1556-583-0x0000000000400000-0x0000000001061000-memory.dmp

Filesize
12.4MB

Download
memory/4840-605-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4840-606-0x0000000074010000-0x000000007404C000-memory.dmp

Filesize
240KB

Download
memory/4840-607-0x0000000073C80000-0x0000000073CBC000-memory.dmp

Filesize
240KB

Download
memory/4840-608-0x0000000073C80000-0x0000000073CBC000-memory.dmp

Filesize
240KB

Download
memory/4840-609-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4840-611-0x0000000073C80000-0x0000000073CBC000-memory.dmp

Filesize
240KB

Download
memory/4840-612-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4840-613-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4840-614-0x0000000073C80000-0x0000000073CBC000-memory.dmp

Filesize
240KB

Download
memory/4840-615-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4840-616-0x0000000073C80000-0x0000000073CBC000-memory.dmp

Filesize
240KB

Download
memory/4840-617-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4840-619-0x0000000073C80000-0x0000000073CBC000-memory.dmp

Filesize
240KB

Download
memory/4840-620-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4840-621-0x0000000074010000-0x000000007404C000-memory.dmp

Filesize
240KB

Download
memory/4840-623-0x0000000073C80000-0x0000000073CBC000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads