win.bit_rat

BitRAT


According to Bitdefender, BitRAT is a notorious remote access trojan (RAT) marketed on underground cybercriminal web markets and forums. Its price tag of $20 for lifetime access makes it irresistible to cybercriminals and helps the malicious payload spread.

Furthermore, because each buyer has their own modus operandi, BitRAT is even harder to stop: it can be deployed through various operations, such as trojanized software, phishing and watering-hole attacks.

BitRAT’s popularity arises from its versatility. The malicious tool can perform a wide range of operations, including data exfiltration, UAC bypass, DDoS attacks, clipboard monitoring, gaining unauthorized webcam access, credential theft, audio recording, XMRig coin mining and generic keylogging.

References
2023-01-03QualysAkshat Pradhan
@online{pradhan:20230103:bitrat:60d704b, author = {Akshat Pradhan}, title = {{BitRAT Now Sharing Sensitive Bank Data as a Lure}}, date = {2023-01-03}, organization = {Qualys}, url = {https://blog.qualys.com/vulnerabilities-threat-research/2023/01/03/bitrat-now-sharing-sensitive-bank-data-as-a-lure}, language = {English}, urldate = {2023-01-04} } BitRAT Now Sharing Sensitive Bank Data as a Lure
BitRAT
2022-05-20SANS ISCXavier Mertens
@online{mertens:20220520:zip:eb3e2f6, author = {Xavier Mertens}, title = {{A 'Zip Bomb' to Bypass Security Controls & Sandboxes}}, date = {2022-05-20}, organization = {SANS ISC}, url = {https://isc.sans.edu/forums/diary/A+Zip+Bomb+to+Bypass+Security+Controls+Sandboxes/28670/}, language = {English}, urldate = {2022-05-25} } A 'Zip Bomb' to Bypass Security Controls & Sandboxes
BitRAT
2022-05-19BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20220519:net:ecf311c, author = {The BlackBerry Research & Intelligence Team}, title = {{.NET Stubs: Sowing the Seeds of Discord (PureCrypter)}}, date = {2022-05-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord}, language = {English}, urldate = {2022-06-09} } .NET Stubs: Sowing the Seeds of Discord (PureCrypter)
Aberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate
2022-05-12FortiGuard LabsXiaopeng Zhang
@online{zhang:20220512:phishing:2e3122c, author = {Xiaopeng Zhang}, title = {{Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC – Part I}}, date = {2022-05-12}, organization = {FortiGuard Labs}, url = {https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware}, language = {English}, urldate = {2022-08-05} } Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC – Part I
Ave Maria BitRAT Pandora RAT
2022-05-10CheckpointCheckpoint
@online{checkpoint:20220510:infostealer:33aee4a, author = {Checkpoint}, title = {{Info-stealer Campaign targets German Car Dealerships and Manufacturers}}, date = {2022-05-10}, organization = {Checkpoint}, url = {https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/}, language = {English}, urldate = {2022-05-13} } Info-stealer Campaign targets German Car Dealerships and Manufacturers
Azorult BitRAT Raccoon
2022-03-22BitdefenderVlad Constantinescu
@online{constantinescu:20220322:bitrat:03c1c4c, author = {Vlad Constantinescu}, title = {{BitRAT Malware Seen Spreading Through Unofficial Microsoft Windows Activators}}, date = {2022-03-22}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/hotforsecurity/bitrat-malware-seen-spreading-through-unofficial-microsoft-windows-activators/}, language = {English}, urldate = {2022-06-09} } BitRAT Malware Seen Spreading Through Unofficial Microsoft Windows Activators
BitRAT
2022-03-21Bleeping ComputerBill Toulas
@online{toulas:20220321:bitrat:22fbcdc, author = {Bill Toulas}, title = {{BitRAT malware now spreading as a Windows 10 license activator}}, date = {2022-03-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/bitrat-malware-now-spreading-as-a-windows-10-license-activator/}, language = {English}, urldate = {2022-03-22} } BitRAT malware now spreading as a Windows 10 license activator
BitRAT
2022-03-21AhnLabASEC Analysis Team
@online{team:20220321:bitrat:865b183, author = {ASEC Analysis Team}, title = {{BitRAT Disguised as Windows Product Key Verification Tool Being Distributed}}, date = {2022-03-21}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/32781/}, language = {English}, urldate = {2022-04-14} } BitRAT Disguised as Windows Product Key Verification Tool Being Distributed
BitRAT TinyNuke
2022-02-14FortinetShunichi Imano, James Slaughter, Fred Gutierrez
@online{imano:20220214:nft:eedc95b, author = {Shunichi Imano and James Slaughter and Fred Gutierrez}, title = {{NFT Lure Used to Distribute BitRAT}}, date = {2022-02-14}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/nft-lure-used-to-distribute-bitrat}, language = {English}, urldate = {2022-11-21} } NFT Lure Used to Distribute BitRAT
BitRAT
2022-02-14MorphisecHido Cohen, Arnold Osipov
@techreport{cohen:20220214:journey:6c209dc, author = {Hido Cohen and Arnold Osipov}, title = {{Journey of a Crypto Scammer - NFT-001}}, date = {2022-02-14}, institution = {Morphisec}, url = {https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf}, language = {English}, urldate = {2022-02-19} } Journey of a Crypto Scammer - NFT-001
AsyncRAT BitRAT Remcos
2022-02-07RiskIQRiskIQ
@online{riskiq:20220207:riskiq:43b167b, author = {RiskIQ}, title = {{RiskIQ: Malicious Infrastructure Connected to Particular Windows Host Certificates}}, date = {2022-02-07}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/ade260c6}, language = {English}, urldate = {2022-02-09} } RiskIQ: Malicious Infrastructure Connected to Particular Windows Host Certificates
AsyncRAT BitRAT Nanocore RAT
2022-01-23forensicitguyTony Lambert
@online{lambert:20220123:hcrypt:0b8945b, author = {Tony Lambert}, title = {{HCrypt Injecting BitRAT using PowerShell, HTAs, and .NET}}, date = {2022-01-23}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/hcrypt-injecting-bitrat-analysis/}, language = {English}, urldate = {2022-01-25} } HCrypt Injecting BitRAT using PowerShell, HTAs, and .NET
BitRAT
2022-01-09YouTube (0xca7)0xca7
@online{0xca7:20220109:cat:ca6499b, author = {0xca7}, title = {{Cat vs. RAT II - Bitrat}}, date = {2022-01-09}, organization = {YouTube (0xca7)}, url = {https://www.youtube.com/watch?v=CYm3g4zkQdw}, language = {English}, urldate = {2022-03-17} } Cat vs. RAT II - Bitrat
BitRAT
2021-11-23MorphisecHido Cohen, Arnold Osipov
@online{cohen:20211123:babadeda:ae0d0ac, author = {Hido Cohen and Arnold Osipov}, title = {{Babadeda Crypter targeting crypto, NFT, and DeFi communities}}, date = {2021-11-23}, organization = {Morphisec}, url = {https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities}, language = {English}, urldate = {2021-12-22} } Babadeda Crypter targeting crypto, NFT, and DeFi communities
BitRAT LockBit Remcos
2021-09-20Trend MicroAliakbar Zahravi, William Gamazo Sanchez
@online{zahravi:20210920:water:63df486, author = {Aliakbar Zahravi and William Gamazo Sanchez}, title = {{Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads}}, date = {2021-09-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html}, language = {English}, urldate = {2021-09-22} } Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads
Ave Maria BitRAT LimeRAT Nanocore RAT NjRAT Quasar RAT
2021-09-13Trend MicroJaromír Hořejší, Daniel Lunghi
@online{hoej:20210913:aptc36:d6456f8, author = {Jaromír Hořejší and Daniel Lunghi}, title = {{APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)}}, date = {2021-09-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt}, language = {English}, urldate = {2021-09-14} } APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)
AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos
2021-09-13Trend MicroJaromír Hořejší, Daniel Lunghi
@online{hoej:20210913:aptc36:9b97238, author = {Jaromír Hořejší and Daniel Lunghi}, title = {{APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs}}, date = {2021-09-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html}, language = {English}, urldate = {2021-09-14} } APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs
AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-07-12IBMMelissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:1f66418, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {IBM}, url = {https://securityintelligence.com/posts/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-12Cipher Tech SolutionsMelissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:a3c66bf, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {Cipher Tech Solutions}, url = {https://www.ciphertechsolutions.com/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-03-17HPHP Bromium
@techreport{bromium:20210317:threat:3aed551, author = {HP Bromium}, title = {{Threat Insights Report Q4-2020}}, date = {2021-03-17}, institution = {HP}, url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf}, language = {English}, urldate = {2021-03-19} } Threat Insights Report Q4-2020
Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader
2021-02-16Check PointCheck Point Research
@online{research:20210216:apomacrosploit:91549e1, author = {Check Point Research}, title = {{ApoMacroSploit: Apocalyptical FUD race}}, date = {2021-02-16}, organization = {Check Point}, url = {https://research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/}, language = {English}, urldate = {2021-02-20} } ApoMacroSploit: Apocalyptical FUD race
BitRAT
2021-01-22Github (Finch4)Finch
@online{finch:20210122:malware:dd89716, author = {Finch}, title = {{Malware Analysis Report No2}}, date = {2021-01-22}, organization = {Github (Finch4)}, url = {https://github.com/Finch4/Malware-Analysis-Reports/blob/main/13e0f258cfbe3aece8a7e6d29ceb5697/README.md}, language = {English}, urldate = {2021-01-26} } Malware Analysis Report No2
BitRAT
2020-09-04KrabsOnSecurityMr. Krabs
@online{krabs:20200904:bitrat:bd0d3cd, author = {Mr. Krabs}, title = {{BitRAT pt. 2: Hidden Browser, SOCKS5 proxy, and UnknownProducts Unmasked}}, date = {2020-09-04}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/}, language = {English}, urldate = {2020-09-05} } BitRAT pt. 2: Hidden Browser, SOCKS5 proxy, and UnknownProducts Unmasked
BitRAT WebMonitor RAT
2020-08-22KrabsOnSecurityMr. Krabs
@online{krabs:20200822:bitrat:ce5d899, author = {Mr. Krabs}, title = {{BitRAT – The Latest in Copy-pasted Malware by Incompetent Developers}}, date = {2020-08-22}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/}, language = {English}, urldate = {2020-08-25} } BitRAT – The Latest in Copy-pasted Malware by Incompetent Developers
BitRAT
Yara Rules
[TLP:WHITE] win_bit_rat_auto (20230125 | Detects win.bit_rat.)
rule win_bit_rat_auto {
    // Auto-generated code-sequence signature for BitRAT (Malpedia family win.bit_rat).
    // Fires when 7 of the 10 x86 byte sequences below are present in a file under
    // the size cap given in the condition; see the DISCLAIMER for how the
    // sequences were selected and why their generalization may be limited.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.bit_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a hex string of raw x86 opcode bytes; the disassembly
    // listed beneath it is documentation only and is not part of the match.
    // "??" wildcards mask the 4-byte relative target of e8 (call rel32)
    // instructions, so those sequences match regardless of where the callee
    // is located in the binary.
    strings:
        $sequence_0 = { 85d2 7433 85c9 752f 394c2428 7529 83ea01 }
            // n = 7, score = 200
            //   85d2                 | test                edx, edx
            //   7433                 | je                  0x35
            //   85c9                 | test                ecx, ecx
            //   752f                 | jne                 0x31
            //   394c2428             | cmp                 dword ptr [esp + 0x28], ecx
            //   7529                 | jne                 0x2b
            //   83ea01               | sub                 edx, 1

        $sequence_1 = { c7460400000000 5e 5b 5d c3 83e308 750f }
            // n = 7, score = 200
            //   c7460400000000       | mov                 dword ptr [esi + 4], 0
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   83e308               | and                 ebx, 8
            //   750f                 | jne                 0x11

        $sequence_2 = { c1e108 0bc8 894c2424 83fe10 0f82a1000000 0f1f8000000000 8bc6 }
            // n = 7, score = 200
            //   c1e108               | shl                 ecx, 8
            //   0bc8                 | or                  ecx, eax
            //   894c2424             | mov                 dword ptr [esp + 0x24], ecx
            //   83fe10               | cmp                 esi, 0x10
            //   0f82a1000000         | jb                  0xa7
            //   0f1f8000000000       | nop                 dword ptr [eax]
            //   8bc6                 | mov                 eax, esi

        $sequence_3 = { e8???????? 8365e400 c645e800 e8???????? 8b7d1c 8d75e4 8945ec }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8365e400             | and                 dword ptr [ebp - 0x1c], 0
            //   c645e800             | mov                 byte ptr [ebp - 0x18], 0
            //   e8????????           |                     
            //   8b7d1c               | mov                 edi, dword ptr [ebp + 0x1c]
            //   8d75e4               | lea                 esi, [ebp - 0x1c]
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax

        $sequence_4 = { c744240400000000 8b8604040000 8b88c8000000 85c9 7416 ffb0cc000000 51 }
            // n = 7, score = 200
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0
            //   8b8604040000         | mov                 eax, dword ptr [esi + 0x404]
            //   8b88c8000000         | mov                 ecx, dword ptr [eax + 0xc8]
            //   85c9                 | test                ecx, ecx
            //   7416                 | je                  0x18
            //   ffb0cc000000         | push                dword ptr [eax + 0xcc]
            //   51                   | push                ecx

        $sequence_5 = { ff5210 8b4dfc 8807 47 8b45f8 41 40 }
            // n = 7, score = 200
            //   ff5210               | call                dword ptr [edx + 0x10]
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8807                 | mov                 byte ptr [edi], al
            //   47                   | inc                 edi
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   41                   | inc                 ecx
            //   40                   | inc                 eax

        $sequence_6 = { 8d4318 83c70c 50 a5 a5 a5 8b75f0 }
            // n = 7, score = 200
            //   8d4318               | lea                 eax, [ebx + 0x18]
            //   83c70c               | add                 edi, 0xc
            //   50                   | push                eax
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   8b75f0               | mov                 esi, dword ptr [ebp - 0x10]

        $sequence_7 = { e8???????? ff36 e8???????? ff7624 e8???????? c7462400000000 8b4e18 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   ff36                 | push                dword ptr [esi]
            //   e8????????           |                     
            //   ff7624               | push                dword ptr [esi + 0x24]
            //   e8????????           |                     
            //   c7462400000000       | mov                 dword ptr [esi + 0x24], 0
            //   8b4e18               | mov                 ecx, dword ptr [esi + 0x18]

        $sequence_8 = { e8???????? 8be8 55 e8???????? 83c40c 3dff000003 751c }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8be8                 | mov                 ebp, eax
            //   55                   | push                ebp
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   3dff000003           | cmp                 eax, 0x30000ff
            //   751c                 | jne                 0x1e

        $sequence_9 = { e8???????? c645fc63 50 8bce e8???????? c645fc24 53 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   c645fc63             | mov                 byte ptr [ebp - 4], 0x63
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   c645fc24             | mov                 byte ptr [ebp - 4], 0x24
            //   53                   | push                ebx

    condition:
        // 7 of the 10 sequences must be present, and only files smaller than
        // 19405824 bytes (about 18.5 MiB) are considered; the cap presumably
        // bounds scan cost on large inputs rather than encoding a sample trait.
        7 of them and filesize < 19405824
}
[TLP:WHITE] win_bit_rat_w0   (20200828 | String-based rule for detecting BitRAT malware payload)
rule win_bit_rat_w0 {
    // String-based BitRAT payload signature. It combines two independent
    // groups: plain-ASCII artifacts that the author's $tinynuke_paste* naming
    // attributes to code shared with TinyNuke, and UTF-16LE ("wide")
    // command-line switches. Both groups must hit (see condition).
    meta:
        author = "KrabsOnSecurity"
        // NOTE(review): month is not zero-padded here ("2020-8-22"), unlike the
        // ISO-style dates used elsewhere on this page; harmless for matching.
        date = "2020-8-22"
        description = "String-based rule for detecting BitRAT malware payload"
        source = "https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/"
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat"
    malpedia_version = "20200828"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"
    strings:
        // ASCII strings (no modifier). Several are generic on their own — a
        // loopback address, what appear to be Firefox profile artifacts
        // (profiles.ini, IsRelative=, -no-remote -profile, nss3.dll), a
        // cmd.exe launcher prefix — so the condition requires 8 of the 10 and
        // additionally the wide switches below to keep false positives down.
        $tinynuke_paste1 = "TaskbarGlomLevel"
        $tinynuke_paste2 = "profiles.ini"
        $tinynuke_paste3 = "RtlCreateUserThread"
        $tinynuke_paste4 = "127.0.0.1"
        $tinynuke_paste5 = "Shell_TrayWnd"
        $tinynuke_paste6 = "cmd.exe /c start "
        $tinynuke_paste7 = "nss3.dll"
        $tinynuke_paste8 = "IsRelative="
        $tinynuke_paste9 = "-no-remote -profile "
        $tinynuke_paste10 = "AVE_MARIA"
        
        // UTF-16LE ("wide") command-line switches; 3 of the 4 are required.
        // These carry most of the rule's specificity relative to the ASCII group.
        $commandline1 = "-prs" wide
        $commandline2 = "-wdkill" wide
        $commandline3 = "-uac" wide
        $commandline4 = "-fwa" wide
    condition:
        // Both groups are mandatory: 8 of 10 ASCII strings AND 3 of 4 wide
        // switches. NOTE(review): unlike win_bit_rat_auto there is no filesize
        // bound, so consider adding one when scanning large corpora.
        (8 of ($tinynuke_paste*)) and (3 of ($commandline*))
}