bitrat

Sharing

Copy URL

Twitter E-mail

General

Target

c463b07c6e61aeb24a8f3a06dae3bd1c.exe
Size

160KB
Sample

211101-mp84dahfc2
MD5

c463b07c6e61aeb24a8f3a06dae3bd1c
SHA1

c8e1aff3d845ef393a58f6c76eab6742fb672cb1
SHA256

acca11a2d0fc746a66b352eec2ebe5f4b48abd4d37f6ff433199f627312c65a0
SHA512

884375c632309f1152a8bff0295023c0f3990bc7d1fd91d00c4d7e65c2540763376fd7881ebf12778ea8ace3dbdb36176a5b0f40da4c33d668086cae6c5c3e75

Malware Config

Extracted

Family

smokeloader

Version

2020

http://honawey70.top/

http://wijibui00.top/

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/

http://193.56.146.214/

https://193.56.146.214/

rc4.i32

Extracted

Family

tofsee

quadoil.ru

lakeflex.ru

Extracted

Family

redline

Botnet

185.183.32.161:45391

Extracted

Family

redline

Botnet

SuperStar

185.215.113.29:36224

Extracted

Family

raccoon

Botnet

8dec62c1db2959619dca43e02fa46ad7bd606400

Attributes

url4cnc
http://telegin.top/capibar
http://ttmirror.top/capibar
http://teletele.top/capibar
http://telegalive.top/capibar
http://toptelete.top/capibar
http://telegraf.top/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

redline

Botnet

123123123

93.115.20.139:28978

Extracted

Family

raccoon

Botnet

68e2d75238f7c69859792d206401b6bde2b2515c

Attributes

url4cnc
http://telegalive.top/agrybirdsgamerept
http://toptelete.top/agrybirdsgamerept
http://telegraf.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

raccoon

Botnet

a8df9e1d3d24b04502963590a8ed392d88ab1b96

Attributes

url4cnc
http://telegin.top/opticillusionlusy
http://ttmirror.top/opticillusionlusy
http://teletele.top/opticillusionlusy
http://telegalive.top/opticillusionlusy
http://toptelete.top/opticillusionlusy
http://telegraf.top/opticillusionlusy
https://t.me/opticillusionlusy

rc4.plain

Extracted

Family

vidar

Version

41.6

Botnet

936

https://mas.to/@lilocc

Attributes

profile_id
936

Targets

- Target
  
  c463b07c6e61aeb24a8f3a06dae3bd1c.exe
- Size
  
  160KB
- MD5
  
  c463b07c6e61aeb24a8f3a06dae3bd1c
- SHA1
  
  c8e1aff3d845ef393a58f6c76eab6742fb672cb1
- SHA256
  
  acca11a2d0fc746a66b352eec2ebe5f4b48abd4d37f6ff433199f627312c65a0
- SHA512
  
  884375c632309f1152a8bff0295023c0f3990bc7d1fd91d00c4d7e65c2540763376fd7881ebf12778ea8ace3dbdb36176a5b0f40da4c33d668086cae6c5c3e75
Score

10^/10

raccoon redline smokeloader tofsee v5 backdoor evasion infostealer persistence stealer trojan bitrat vidar xenarmor xmrig 123123123 68e2d75238f7c69859792d206401b6bde2b2515c 8dec62c1db2959619dca43e02fa46ad7bd606400 936 a8df9e1d3d24b04502963590a8ed392d88ab1b96 superstar discovery miner password recovery spyware
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- BitRAT Payload
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Windows security bypass
  evasion trojan
- XenArmor Suite
  XenArmor is as suite of password recovery tools for various application.
  recovery password xenarmor
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Vidar Stealer
  stealer
- XMRig Miner Payload
  miner
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

BitRAT Payload

Raccoon

RedLine

RedLine Payload

SmokeLoader

Suspicious use of NtCreateProcessExOtherParentProcess

Tofsee

Vidar

Windows security bypass

XenArmor Suite

xmrig

ACProtect 1.3x - 1.4x DLL software

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar Stealer

XMRig Miner Payload

Creates new service(s)

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

Sets service image path in registry

Checks BIOS information in registry

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2