bitrat | b693010f3f342fb06dd959f2553b7937d5daeaf9b4b7fd800ed5a9a6d8a099e7

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SQLi v.8.5.exe
Size

12.7MB
MD5

d887c03a2d230dc196c8b3ac47030b9e
SHA1

b4d08bf36841ffdeb0750455021a707804f8d509
SHA256

b693010f3f342fb06dd959f2553b7937d5daeaf9b4b7fd800ed5a9a6d8a099e7
SHA512

6cee30d2448b930504f0933ca04e7f30fb3e1f2924d490146c0168308298d222cf5eb83885da405ba8fcd92b7f4979e23b4f9c706c936df5bfb52d2819022072
SSDEEP

196608:OhzlOFCwaHNFrXW+YrDkx/NNYz7vPmHpBt:2zMCwaHNlXW+Y/kx/TyPmj

Score

10^/10

bitrat persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.34

80.85.156.209:8080

Attributes

communication_password
ae5eb824ef87499f644c3f11a7176157
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

SQLi v.8.5.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation SQLi v.8.5.exe
Executes dropped EXE 3 IoCs

Processes:

0.exepebloso.exepebloso.exe

pid process

3068 0.exe
4708 pebloso.exe
1600 pebloso.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SQLi v.8.5.exe

pid	process
3068	0.exe
4708	pebloso.exe
1600	pebloso.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1600-28-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1600-31-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1600-30-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1600-32-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1600-36-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1600-41-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1600-42-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1600-44-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1600-48-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1600-49-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1600-51-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1600-54-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1600-55-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1600-56-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1600-58-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1600-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1600-61-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1600-64-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1600-68-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1600-69-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/1600-71-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pebloso.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\shwifty = "C:\\users\\Admin\\AppData\\Local\\Temp\\shwifty.exe"	pebloso.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 pastebin.com
7 pastebin.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

pebloso.exe

pid process

1600 pebloso.exe
1600 pebloso.exe
1600 pebloso.exe
1600 pebloso.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

pebloso.exe

description pid process target process

PID 4708 set thread context of 1600 4708 pebloso.exe pebloso.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0.exe

pid process

3068 0.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

0.exeAUDIODG.EXEpebloso.exe

description pid process

Token: SeDebugPrivilege 3068 0.exe
Token: 33 3968 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 3968 AUDIODG.EXE
Token: SeShutdownPrivilege 1600 pebloso.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

SQLi v.8.5.exepebloso.exe

pid process

2132 SQLi v.8.5.exe
2132 SQLi v.8.5.exe
1600 pebloso.exe
1600 pebloso.exe

flow	ioc
5	pastebin.com
7	pastebin.com

pid	process
1600	pebloso.exe
1600	pebloso.exe
1600	pebloso.exe
1600	pebloso.exe

description	pid	process	target process
PID 4708 set thread context of 1600	4708	pebloso.exe	pebloso.exe

pid	process
3068	0.exe

description	pid	process
Token: SeDebugPrivilege	3068	0.exe
Token: 33	3968	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3968	AUDIODG.EXE
Token: SeShutdownPrivilege	1600	pebloso.exe

pid	process
2132	SQLi v.8.5.exe
2132	SQLi v.8.5.exe
1600	pebloso.exe
1600	pebloso.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

SQLi v.8.5.exepebloso.exe

description	pid	process	target process
PID 2132 wrote to memory of 3068	2132	SQLi v.8.5.exe	0.exe
PID 2132 wrote to memory of 3068	2132	SQLi v.8.5.exe	0.exe
PID 2132 wrote to memory of 4708	2132	SQLi v.8.5.exe	pebloso.exe
PID 2132 wrote to memory of 4708	2132	SQLi v.8.5.exe	pebloso.exe
PID 2132 wrote to memory of 4708	2132	SQLi v.8.5.exe	pebloso.exe
PID 4708 wrote to memory of 1600	4708	pebloso.exe	pebloso.exe
PID 4708 wrote to memory of 1600	4708	pebloso.exe	pebloso.exe
PID 4708 wrote to memory of 1600	4708	pebloso.exe	pebloso.exe
PID 4708 wrote to memory of 1600	4708	pebloso.exe	pebloso.exe
PID 4708 wrote to memory of 1600	4708	pebloso.exe	pebloso.exe

C:\Users\Admin\AppData\Local\Temp\SQLi v.8.5.exe
"C:\Users\Admin\AppData\Local\Temp\SQLi v.8.5.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Local\Temp\0.exe
"C:\Users\Admin\AppData\Local\Temp\0.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Users\Admin\AppData\Local\Temp\pebloso.exe
"C:\Users\Admin\AppData\Local\Temp\pebloso.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4708

C:\Users\Admin\AppData\Local\Temp\pebloso.exe
"C:\Users\Admin\AppData\Local\Temp\pebloso.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1600

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b4 0x33c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3968

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.exe
Filesize
2.3MB

MD5
f558500b09118c2d5482c0097d41b986

SHA1
ebdd90df103acb0a28a46b4affde511f5b0bb6d0

SHA256
4081a78ba280d28c56551983e515486a1dacf9ba26a3e76a71060982cc9e5ed7

SHA512
d4bfd969d7e8e0ff7aedf55ea69398ced8bd81dd2bde7e87a79d6890fa4b38d0275ceb8c72e20336d97bff2252cd904e27f8023b93dacf961d7345d18e0e7441

Download Submit
C:\Users\Admin\AppData\Local\Temp\pebloso.exe
Filesize
6.2MB

MD5
4d28de913b4b1e07f75c75e3cdd75add

SHA1
ce6735e3a3b68b904bda4ea150adfed689b8d18a

SHA256
e43d70c273c8c083b5368e6c8dfd74e403a3f6b5e263609497940bb94ecc6f01

SHA512
ea7bc0621977f6a9833c28945c41681c065073fb8b63e44118d772f0132dea60c6ed2c5129cb6072d5e315ee82e512bc54686adace9aa979e443b7803aa41a1a

Download Submit
memory/1600-56-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1600-44-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1600-71-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1600-69-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1600-61-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1600-48-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1600-31-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1600-30-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1600-32-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1600-68-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1600-35-0x0000000074D50000-0x0000000074D89000-memory.dmp

Filesize
228KB

Download
memory/1600-36-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1600-41-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1600-42-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1600-43-0x0000000074A30000-0x0000000074A69000-memory.dmp

Filesize
228KB

Download
memory/1600-63-0x0000000074A30000-0x0000000074A69000-memory.dmp

Filesize
228KB

Download
memory/1600-70-0x0000000074A30000-0x0000000074A69000-memory.dmp

Filesize
228KB

Download
memory/1600-64-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1600-28-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1600-49-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1600-50-0x0000000074A30000-0x0000000074A69000-memory.dmp

Filesize
228KB

Download
memory/1600-51-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1600-54-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1600-55-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1600-57-0x0000000074A30000-0x0000000074A69000-memory.dmp

Filesize
228KB

Download
memory/1600-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1600-58-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2132-0-0x0000000001390000-0x0000000001391000-memory.dmp

Filesize
4KB

Download
memory/2132-25-0x0000000000400000-0x00000000010C1000-memory.dmp

Filesize
12.8MB

Download
memory/3068-24-0x00007FFFEF7E0000-0x00007FFFF02A1000-memory.dmp

Filesize
10.8MB

Download
memory/3068-15-0x00007FFFEF7E3000-0x00007FFFEF7E5000-memory.dmp

Filesize
8KB

Download
memory/3068-47-0x00007FFFEF7E0000-0x00007FFFF02A1000-memory.dmp

Filesize
10.8MB

Download
memory/3068-45-0x00007FFFEF7E3000-0x00007FFFEF7E5000-memory.dmp

Filesize
8KB

Download
memory/3068-21-0x0000000000500000-0x000000000075A000-memory.dmp

Filesize
2.4MB

Download
memory/4708-33-0x0000000000400000-0x0000000000A8E000-memory.dmp

Filesize
6.6MB

Download