9401cf9f73dfb187bf4cef05d8cfe72b

Target

Size

2MB

Sample

220107-p88cascfgq

Score

10 ^/10

MD5

9401cf9f73dfb187bf4cef05d8cfe72b

SHA1

4af6544d8c94bb673f826a0ba4d24698150b1089

SHA256

bb8298b28cd913814c41d7b6a878b8e2a2da7eb34083c901a5408413fed93b45

SHA512

8438c79aa1ac9779bdab11a3f46f174aad97a7bc2fd1f571d42ef8817dc8477b68468be7445c789d125c1b8749338e047e20301d0a11b9e52dacf947abb65dd4

Extracted

Family	bitrat
Version	1.38
C2	severdops.ddns.net:3071 severdops.ddns.net:3071
Attributes	communication_password 29ef52e7563626a96cea7f4b4085c124 tor_process tor

Target

9401cf9f73dfb187bf4cef05d8cfe72b

MD5

9401cf9f73dfb187bf4cef05d8cfe72b

Filesize

2MB

Score

10^/10

SHA1

4af6544d8c94bb673f826a0ba4d24698150b1089

SHA256

bb8298b28cd913814c41d7b6a878b8e2a2da7eb34083c901a5408413fed93b45

SHA512

8438c79aa1ac9779bdab11a3f46f174aad97a7bc2fd1f571d42ef8817dc8477b68468be7445c789d125c1b8749338e047e20301d0a11b9e52dacf947abb65dd4

Signatures

BitRAT
Description

BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
Tags

trojan bitrat
Windows security bypass
Tags

evasion trojan

TTPs

Disabling Security ToolsModify Registry
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Description

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Tags

suricata
Looks for VirtualBox Guest Additions in registry
Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion
Looks for VMWare Tools registry key
Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion
UPX packed file
Description

Detects executables packed with UPX/modified UPX open source packer.
Tags

upx
Checks BIOS information in registry
Description

BIOS information is often read in order to detect sandboxing environments.
TTPs

Query RegistrySystem Information Discovery
Uses the VBS compiler for execution
TTPs

Scripting
Windows security modification
Tags

evasion trojan

TTPs

Disabling Security ToolsModify Registry
Adds Run key to start application
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Maps connected drives based on registry
Description

Disk information is often read in order to detect sandboxing environments.
TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext

Related Tasks

behavioral1 behavioral2

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

static1

behavioral1

bitrat evasion persistence suricata trojan upx

10^/10

behavioral2

bitrat evasion persistence suricata trojan upx

10^/10

Extracted

Tags

Signatures

BitRAT

Description

Tags

Windows security bypass

Tags

TTPs

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

Description

Tags

Looks for VirtualBox Guest Additions in registry

Tags

TTPs

Looks for VMWare Tools registry key

Tags

TTPs

UPX packed file

Description

Tags

Checks BIOS information in registry

Description

TTPs

Uses the VBS compiler for execution

TTPs

Windows security modification

Tags

TTPs

Adds Run key to start application

Tags

TTPs

Maps connected drives based on registry

Description

TTPs

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Related Tasks

static1

behavioral1

behavioral2