Resubmissions

23-12-2021 11:09

211223-m84m1aadej 10

23-12-2021 08:55

211223-kvgj7sabdn 10

General

  • Target

    jogb

  • Size

    2.3MB

  • Sample

    211223-kvgj7sabdn

  • MD5

    cf11336d198c7034cb4e2a28c04d8898

  • SHA1

    50363fb0351f85d10faa9fd2729129f8753ab60f

  • SHA256

    892fe797710cbdda052f494e1979a339c14f96220d3d1a7c51d4f28ef47385de

  • SHA512

    a35a642a5aaa42b446b480ae63b9cddf3da4ef3720e71e65092ac36c497956cff06587da171145e53b189cb0ff10b65925e21eeb7ba15c38ad8920533099a43c

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

2.56.57.68:3678

Attributes
  • communication_password

    46821e93230f353d5c46240b0462a0fe

  • tor_process

    tor

Targets

    • Target

      jogb

    • Size

      2.3MB

    • MD5

      cf11336d198c7034cb4e2a28c04d8898

    • SHA1

      50363fb0351f85d10faa9fd2729129f8753ab60f

    • SHA256

      892fe797710cbdda052f494e1979a339c14f96220d3d1a7c51d4f28ef47385de

    • SHA512

      a35a642a5aaa42b446b480ae63b9cddf3da4ef3720e71e65092ac36c497956cff06587da171145e53b189cb0ff10b65925e21eeb7ba15c38ad8920533099a43c

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Tasks