SYMBOLCOMMON_NAMEaka. SYNONYMS
win.bit_rat (Back to overview)

BitRAT


There is no description at this point.

References
2022-05-12FortiGuard LabsXiaopeng Zhang
@online{zhang:20220512:phishing:2e3122c, author = {Xiaopeng Zhang}, title = {{Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC – Part I}}, date = {2022-05-12}, organization = {FortiGuard Labs}, url = {https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware}, language = {English}, urldate = {2022-05-17} } Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC – Part I
Ave Maria BitRAT
2022-05-10CheckpointCheckpoint
@online{checkpoint:20220510:infostealer:33aee4a, author = {Checkpoint}, title = {{Info-stealer Campaign targets German Car Dealerships and Manufacturers}}, date = {2022-05-10}, organization = {Checkpoint}, url = {https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/}, language = {English}, urldate = {2022-05-13} } Info-stealer Campaign targets German Car Dealerships and Manufacturers
Azorult BitRAT Raccoon
2022-03-21Bleeping ComputerBill Toulas
@online{toulas:20220321:bitrat:22fbcdc, author = {Bill Toulas}, title = {{BitRAT malware now spreading as a Windows 10 license activator}}, date = {2022-03-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/bitrat-malware-now-spreading-as-a-windows-10-license-activator/}, language = {English}, urldate = {2022-03-22} } BitRAT malware now spreading as a Windows 10 license activator
BitRAT
2022-03-21AhnLabASEC Analysis Team
@online{team:20220321:bitrat:865b183, author = {ASEC Analysis Team}, title = {{BitRAT Disguised as Windows Product Key Verification Tool Being Distributed}}, date = {2022-03-21}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/32781/}, language = {English}, urldate = {2022-04-14} } BitRAT Disguised as Windows Product Key Verification Tool Being Distributed
BitRAT TinyNuke
2022-02-14MorphisecHido Cohen, Arnold Osipov
@techreport{cohen:20220214:journey:6c209dc, author = {Hido Cohen and Arnold Osipov}, title = {{Journey of a Crypto Scammer - NFT-001}}, date = {2022-02-14}, institution = {Morphisec}, url = {https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf}, language = {English}, urldate = {2022-02-19} } Journey of a Crypto Scammer - NFT-001
AsyncRAT BitRAT Remcos
2022-02-14FortinetShunichi Imano, James Slaugther, Fred Gutierrez
@online{imano:20220214:nft:eedc95b, author = {Shunichi Imano and James Slaugther and Fred Gutierrez}, title = {{NFT Lure Used to Distribute BitRAT}}, date = {2022-02-14}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/nft-lure-used-to-distribute-bitrat}, language = {English}, urldate = {2022-02-16} } NFT Lure Used to Distribute BitRAT
BitRAT
2022-02-07RiskIQRiskIQ
@online{riskiq:20220207:riskiq:43b167b, author = {RiskIQ}, title = {{RiskIQ: Malicious Infrastructure Connected to Particular Windows Host Certificates}}, date = {2022-02-07}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/ade260c6}, language = {English}, urldate = {2022-02-09} } RiskIQ: Malicious Infrastructure Connected to Particular Windows Host Certificates
AsyncRAT BitRAT Nanocore RAT
2022-01-23forensicitguyTony Lambert
@online{lambert:20220123:hcrypt:0b8945b, author = {Tony Lambert}, title = {{HCrypt Injecting BitRAT using PowerShell, HTAs, and .NET}}, date = {2022-01-23}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/hcrypt-injecting-bitrat-analysis/}, language = {English}, urldate = {2022-01-25} } HCrypt Injecting BitRAT using PowerShell, HTAs, and .NET
BitRAT
2022-01-09YouTube (0xca7)0xca7
@online{0xca7:20220109:cat:ca6499b, author = {0xca7}, title = {{Cat vs. RAT II - Bitrat}}, date = {2022-01-09}, organization = {YouTube (0xca7)}, url = {https://www.youtube.com/watch?v=CYm3g4zkQdw}, language = {English}, urldate = {2022-03-17} } Cat vs. RAT II - Bitrat
BitRAT
2021-11-23MorphisecHido Cohen, Arnold Osipov
@online{cohen:20211123:babadeda:ae0d0ac, author = {Hido Cohen and Arnold Osipov}, title = {{Babadeda Crypter targeting crypto, NFT, and DeFi communities}}, date = {2021-11-23}, organization = {Morphisec}, url = {https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities}, language = {English}, urldate = {2021-12-22} } Babadeda Crypter targeting crypto, NFT, and DeFi communities
BitRAT LockBit Remcos
2021-09-20Trend MicroAliakbar Zahravi, William Gamazo Sanchez
@online{zahravi:20210920:water:63df486, author = {Aliakbar Zahravi and William Gamazo Sanchez}, title = {{Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads}}, date = {2021-09-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html}, language = {English}, urldate = {2021-09-22} } Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads
Ave Maria BitRAT LimeRAT Nanocore RAT NjRAT Quasar RAT
2021-09-13Trend MicroJaromír Hořejší, Daniel Lunghi
@online{hoej:20210913:aptc36:d6456f8, author = {Jaromír Hořejší and Daniel Lunghi}, title = {{APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)}}, date = {2021-09-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt}, language = {English}, urldate = {2021-09-14} } APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)
AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos
2021-09-13Trend MicroJaromír Hořejší, Daniel Lunghi
@online{hoej:20210913:aptc36:9b97238, author = {Jaromír Hořejší and Daniel Lunghi}, title = {{APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs}}, date = {2021-09-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html}, language = {English}, urldate = {2021-09-14} } APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs
AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-07-12Cipher Tech SolutionsMelissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:a3c66bf, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {Cipher Tech Solutions}, url = {https://www.ciphertechsolutions.com/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-12IBMMelissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:1f66418, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {IBM}, url = {https://securityintelligence.com/posts/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-03-17HPHP Bromium
@techreport{bromium:20210317:threat:3aed551, author = {HP Bromium}, title = {{Threat Insights Report Q4-2020}}, date = {2021-03-17}, institution = {HP}, url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf}, language = {English}, urldate = {2021-03-19} } Threat Insights Report Q4-2020
Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader
2021-02-16Check PointCheck Point Research
@online{research:20210216:apomacrosploit:91549e1, author = {Check Point Research}, title = {{ApoMacroSploit: Apocalyptical FUD race}}, date = {2021-02-16}, organization = {Check Point}, url = {https://research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/}, language = {English}, urldate = {2021-02-20} } ApoMacroSploit: Apocalyptical FUD race
BitRAT
2021-01-22Github (Finch4)Finch
@online{finch:20210122:malware:dd89716, author = {Finch}, title = {{Malware Analysis Report No2}}, date = {2021-01-22}, organization = {Github (Finch4)}, url = {https://github.com/Finch4/Malware-Analysis-Reports/blob/main/13e0f258cfbe3aece8a7e6d29ceb5697/README.md}, language = {English}, urldate = {2021-01-26} } Malware Analysis Report No2
BitRAT
2020-09-04KrabsOnSecurityMr. Krabs
@online{krabs:20200904:bitrat:bd0d3cd, author = {Mr. Krabs}, title = {{BitRAT pt. 2: Hidden Browser, SOCKS5 proxy, and UnknownProducts Unmasked}}, date = {2020-09-04}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/}, language = {English}, urldate = {2020-09-05} } BitRAT pt. 2: Hidden Browser, SOCKS5 proxy, and UnknownProducts Unmasked
BitRAT WebMonitor RAT
2020-08-22KrabsOnSecurityMr. Krabs
@online{krabs:20200822:bitrat:ce5d899, author = {Mr. Krabs}, title = {{BitRAT – The Latest in Copy-pasted Malware by Incompetent Developers}}, date = {2020-08-22}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/}, language = {English}, urldate = {2020-08-25} } BitRAT – The Latest in Copy-pasted Malware by Incompetent Developers
BitRAT
Yara Rules
[TLP:WHITE] win_bit_rat_auto (20220411 | Detects win.bit_rat.)
rule win_bit_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.bit_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 83c410 8d4dd8 50 e8???????? 8d8d78ffffff e8???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8d4dd8               | lea                 ecx, dword ptr [ebp - 0x28]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d8d78ffffff         | lea                 ecx, dword ptr [ebp - 0x88]
            //   e8????????           |                     

        $sequence_1 = { c7400400000000 5e 5f 33c0 5b 8be5 5d }
            // n = 7, score = 200
            //   c7400400000000       | mov                 dword ptr [eax + 4], 0
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   33c0                 | xor                 eax, eax
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp

        $sequence_2 = { ebdf 8a4602 3c6d 7514 807e0370 750e 385e04 }
            // n = 7, score = 200
            //   ebdf                 | jmp                 0xffffffe1
            //   8a4602               | mov                 al, byte ptr [esi + 2]
            //   3c6d                 | cmp                 al, 0x6d
            //   7514                 | jne                 0x16
            //   807e0370             | cmp                 byte ptr [esi + 3], 0x70
            //   750e                 | jne                 0x10
            //   385e04               | cmp                 byte ptr [esi + 4], bl

        $sequence_3 = { 8bf2 57 8bf9 8b06 83e879 7426 2d50040000 }
            // n = 7, score = 200
            //   8bf2                 | mov                 esi, edx
            //   57                   | push                edi
            //   8bf9                 | mov                 edi, ecx
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   83e879               | sub                 eax, 0x79
            //   7426                 | je                  0x28
            //   2d50040000           | sub                 eax, 0x450

        $sequence_4 = { 8bec 83ec10 53 56 8bf1 57 ff7604 }
            // n = 7, score = 200
            //   8bec                 | mov                 ebp, esp
            //   83ec10               | sub                 esp, 0x10
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   57                   | push                edi
            //   ff7604               | push                dword ptr [esi + 4]

        $sequence_5 = { 8b4dd4 c745fc04000000 83f908 720d 41 51 ff75c0 }
            // n = 7, score = 200
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   c745fc04000000       | mov                 dword ptr [ebp - 4], 4
            //   83f908               | cmp                 ecx, 8
            //   720d                 | jb                  0xf
            //   41                   | inc                 ecx
            //   51                   | push                ecx
            //   ff75c0               | push                dword ptr [ebp - 0x40]

        $sequence_6 = { 894240 8b45e8 114a3c 894244 8bc6 5f 5e }
            // n = 7, score = 200
            //   894240               | mov                 dword ptr [edx + 0x40], eax
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   114a3c               | adc                 dword ptr [edx + 0x3c], ecx
            //   894244               | mov                 dword ptr [edx + 0x44], eax
            //   8bc6                 | mov                 eax, esi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_7 = { e8???????? ff30 e8???????? 8bf8 83c404 8b4660 85c0 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   ff30                 | push                dword ptr [eax]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   83c404               | add                 esp, 4
            //   8b4660               | mov                 eax, dword ptr [esi + 0x60]
            //   85c0                 | test                eax, eax

        $sequence_8 = { 6a00 8d4608 83e1fe 50 8d4708 50 ff11 }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   8d4608               | lea                 eax, dword ptr [esi + 8]
            //   83e1fe               | and                 ecx, 0xfffffffe
            //   50                   | push                eax
            //   8d4708               | lea                 eax, dword ptr [edi + 8]
            //   50                   | push                eax
            //   ff11                 | call                dword ptr [ecx]

        $sequence_9 = { a810 740e c70603000000 c70303000000 eb0c c70602000000 c70302000000 }
            // n = 7, score = 200
            //   a810                 | test                al, 0x10
            //   740e                 | je                  0x10
            //   c70603000000         | mov                 dword ptr [esi], 3
            //   c70303000000         | mov                 dword ptr [ebx], 3
            //   eb0c                 | jmp                 0xe
            //   c70602000000         | mov                 dword ptr [esi], 2
            //   c70302000000         | mov                 dword ptr [ebx], 2

    condition:
        7 of them and filesize < 19405824
}
[TLP:WHITE] win_bit_rat_w0   (20200828 | String-based rule for detecting BitRAT malware payload)
rule win_bit_rat_w0 {
    meta:
        author = "KrabsOnSecurity"
        date = "2020-8-22"
        description = "String-based rule for detecting BitRAT malware payload"
        source = "https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/"
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat"
    malpedia_version = "20200828"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"
    strings:
        $tinynuke_paste1 = "TaskbarGlomLevel"
        $tinynuke_paste2 = "profiles.ini"
        $tinynuke_paste3 = "RtlCreateUserThread"
        $tinynuke_paste4 = "127.0.0.1"
        $tinynuke_paste5 = "Shell_TrayWnd"
        $tinynuke_paste6 = "cmd.exe /c start "
        $tinynuke_paste7 = "nss3.dll"
        $tinynuke_paste8 = "IsRelative="
        $tinynuke_paste9 = "-no-remote -profile "
        $tinynuke_paste10 = "AVE_MARIA"
        
        $commandline1 = "-prs" wide
        $commandline2 = "-wdkill" wide
        $commandline3 = "-uac" wide
        $commandline4 = "-fwa" wide
    condition:
        (8 of ($tinynuke_paste*)) and (3 of ($commandline*))
}
Download all Yara Rules