win.bit_rat

BitRAT


According to Bitdefender, BitRAT is a notorious remote access trojan (RAT) marketed on underground cybercriminal web markets and forums. Its price tag of $20 for lifetime access makes it irresistible to cybercriminals and helps the malicious payload spread.

Furthermore, each buyer’s modus operandi makes BitRAT even harder to stop, considering it can be employed in various operations, such as trojanized software, phishing and watering hole attacks.

BitRAT’s popularity arises from its versatility. The malicious tool can perform a wide range of operations, including data exfiltration, UAC bypass, DDoS attacks, clipboard monitoring, gaining unauthorized webcam access, credential theft, audio recording, XMRig coin mining and generic keylogging.

References
2025-08-26 | Recorded Future | Insikt Group
TAG-144’s Persistent Grip on South American Organizations
AsyncRAT BitRAT DCRat LimeRAT NjRAT PureCrypter Quasar RAT Remcos
2025-01-19 | cocomelonc | cocomelonc
Malware development trick 44: Stealing data via legit GitHub API. Simple C example.
OceanLotus BitRAT RecordBreaker
2024-05-29 | eSentire | eSentire
Fake Browser Updates delivering BitRAT and Lumma Stealer
BitRAT Lumma Stealer
2023-09-08 | Gi7w0rm
Uncovering DDGroup — A long-time threat actor
AsyncRAT Ave Maria BitRAT DBatLoader NetWire RC Quasar RAT XWorm
2023-08-01 | Palo Alto Networks Unit 42 | Lior Rochberger
NodeStealer 2.0 – The Python Version: Stealing Facebook Business Accounts
BitRAT NodeStealer XWorm
2023-01-03 | Qualys | Akshat Pradhan
BitRAT Now Sharing Sensitive Bank Data as a Lure
BitRAT
2022-05-20 | SANS ISC | Xavier Mertens
A 'Zip Bomb' to Bypass Security Controls & Sandboxes
BitRAT
2022-05-19 | Blackberry | The BlackBerry Research & Intelligence Team
.NET Stubs: Sowing the Seeds of Discord (PureCrypter)
Aberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate
2022-05-12 | FortiGuard Labs | Xiaopeng Zhang
Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC – Part I
Ave Maria BitRAT Pandora RAT
2022-05-10 | Checkpoint | Checkpoint
Info-stealer Campaign targets German Car Dealerships and Manufacturers
Azorult BitRAT Raccoon
2022-03-22 | Bitdefender | Vlad Constantinescu
BitRAT Malware Seen Spreading Through Unofficial Microsoft Windows Activators
BitRAT
2022-03-21 | Bleeping Computer | Bill Toulas
BitRAT malware now spreading as a Windows 10 license activator
BitRAT
2022-03-21 | AhnLab | ASEC Analysis Team
BitRAT Disguised as Windows Product Key Verification Tool Being Distributed
BitRAT TinyNuke
2022-02-14 | Fortinet | Fred Gutierrez, James Slaughter, Shunichi Imano
NFT Lure Used to Distribute BitRAT
BitRAT
2022-02-14 | Morphisec | Arnold Osipov, Hido Cohen
Journey of a Crypto Scammer - NFT-001
AsyncRAT BitRAT Remcos
2022-02-07 | RiskIQ | RiskIQ
RiskIQ: Malicious Infrastructure Connected to Particular Windows Host Certificates
AsyncRAT BitRAT Nanocore RAT
2022-01-23 | forensicitguy | Tony Lambert
HCrypt Injecting BitRAT using PowerShell, HTAs, and .NET
BitRAT
2022-01-09 | YouTube (0xca7) | 0xca7
Cat vs. RAT II - Bitrat
BitRAT
2021-11-23 | Morphisec | Arnold Osipov, Hido Cohen
Babadeda Crypter targeting crypto, NFT, and DeFi communities
Babadeda BitRAT LockBit Remcos
2021-09-20 | Trend Micro | Aliakbar Zahravi, William Gamazo Sanchez
Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads
Ave Maria BitRAT LimeRAT Nanocore RAT NjRAT Quasar RAT
2021-09-13 | Trend Micro | Daniel Lunghi, Jaromír Hořejší
APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)
AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos
2021-09-13 | Trend Micro | Daniel Lunghi, Jaromír Hořejší
APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs
AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos
2021-09-03 | Trend Micro | Mohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-07-12 | Cipher Tech Solutions | Claire Zaboeva, Dan Dash, Melissa Frydrych
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-12 | IBM | Claire Zaboeva, Dan Dash, Melissa Frydrych
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-03-17 | HP | HP Bromium
Threat Insights Report Q4-2020
Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader
2021-02-16 | Check Point | Check Point Research
ApoMacroSploit: Apocalyptical FUD race
BitRAT
2021-01-22 | Github (Finch4) | Finch
Malware Analysis Report No2
BitRAT
2020-09-04 | KrabsOnSecurity | Mr. Krabs
BitRAT pt. 2: Hidden Browser, SOCKS5 proxy, and UnknownProducts Unmasked
BitRAT WebMonitor RAT
2020-08-22 | KrabsOnSecurity | Mr. Krabs
BitRAT – The Latest in Copy-pasted Malware by Incompetent Developers
BitRAT
Yara Rules
[TLP:WHITE] win_bit_rat_auto (20251219 | Detects win.bit_rat.)
rule win_bit_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.bit_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { eb1b 8b4de0 8b5ddc 8b7df8 8b45f4 eba7 8b4510 }
            // n = 7, score = 200
            //   eb1b                 | jmp                 0x1d
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   8b5ddc               | mov                 ebx, dword ptr [ebp - 0x24]
            //   8b7df8               | mov                 edi, dword ptr [ebp - 8]
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   eba7                 | jmp                 0xffffffa9
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]

        $sequence_1 = { e8???????? 8b4f0c 83c404 3b01 740e 6a00 6a00 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8b4f0c               | mov                 ecx, dword ptr [edi + 0xc]
            //   83c404               | add                 esp, 4
            //   3b01                 | cmp                 eax, dword ptr [ecx]
            //   740e                 | je                  0x10
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_2 = { e8???????? c645fc42 50 8bce e8???????? c645fc24 53 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   c645fc42             | mov                 byte ptr [ebp - 4], 0x42
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   c645fc24             | mov                 byte ptr [ebp - 4], 0x24
            //   53                   | push                ebx

        $sequence_3 = { 85ed 7460 895c2410 8bd3 8bce 85f6 7454 }
            // n = 7, score = 200
            //   85ed                 | test                ebp, ebp
            //   7460                 | je                  0x62
            //   895c2410             | mov                 dword ptr [esp + 0x10], ebx
            //   8bd3                 | mov                 edx, ebx
            //   8bce                 | mov                 ecx, esi
            //   85f6                 | test                esi, esi
            //   7454                 | je                  0x56

        $sequence_4 = { e9???????? 83f85b 751b 8bce e8???????? 8bce e8???????? }
            // n = 7, score = 200
            //   e9????????           |                     
            //   83f85b               | cmp                 eax, 0x5b
            //   751b                 | jne                 0x1d
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     

        $sequence_5 = { e8???????? 8b4c240c 83c404 83f903 751b 6a00 6a00 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8b4c240c             | mov                 ecx, dword ptr [esp + 0xc]
            //   83c404               | add                 esp, 4
            //   83f903               | cmp                 ecx, 3
            //   751b                 | jne                 0x1d
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_6 = { ff7618 8bd7 e8???????? 8bd8 83c408 8bc2 8bcb }
            // n = 7, score = 200
            //   ff7618               | push                dword ptr [esi + 0x18]
            //   8bd7                 | mov                 edx, edi
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   83c408               | add                 esp, 8
            //   8bc2                 | mov                 eax, edx
            //   8bcb                 | mov                 ecx, ebx

        $sequence_7 = { ff75ec ff75e8 ff75fc ff75f8 ff7514 53 eb2a }
            // n = 7, score = 200
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   53                   | push                ebx
            //   eb2a                 | jmp                 0x2c

        $sequence_8 = { c3 8bff 55 8bec 5d e9???????? 6a00 }
            // n = 7, score = 200
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   5d                   | pop                 ebp
            //   e9????????           |                     
            //   6a00                 | push                0

        $sequence_9 = { ffb674040000 e8???????? 8bf8 83c408 85ff 0f8595000000 50 }
            // n = 7, score = 200
            //   ffb674040000         | push                dword ptr [esi + 0x474]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   83c408               | add                 esp, 8
            //   85ff                 | test                edi, edi
            //   0f8595000000         | jne                 0x9b
            //   50                   | push                eax

    condition:
        7 of them and filesize < 19405824
}
[TLP:WHITE] win_bit_rat_w0   (20200828 | String-based rule for detecting BitRAT malware payload)
rule win_bit_rat_w0 {
    meta:
        author = "KrabsOnSecurity"
        date = "2020-8-22"
        description = "String-based rule for detecting BitRAT malware payload"
        source = "https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat"
        malpedia_version = "20200828"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $tinynuke_paste1 = "TaskbarGlomLevel"
        $tinynuke_paste2 = "profiles.ini"
        $tinynuke_paste3 = "RtlCreateUserThread"
        $tinynuke_paste4 = "127.0.0.1"
        $tinynuke_paste5 = "Shell_TrayWnd"
        $tinynuke_paste6 = "cmd.exe /c start "
        $tinynuke_paste7 = "nss3.dll"
        $tinynuke_paste8 = "IsRelative="
        $tinynuke_paste9 = "-no-remote -profile "
        $tinynuke_paste10 = "AVE_MARIA"
        $commandline1 = "-prs" wide
        $commandline2 = "-wdkill" wide
        $commandline3 = "-uac" wide
        $commandline4 = "-fwa" wide
    condition:
        (8 of ($tinynuke_paste*)) and (3 of ($commandline*))
}