bb8298b28cd913814c41d7b6a878b8e2a2da7eb34083c901a5408413fed93b45

General
Target

bb8298b28cd913814c41d7b6a878b8e2a2da7eb34083c901a5408413fed93b45

Size

2MB

Sample

220107-qb9drscfgr

Score
10 /10
MD5

9401cf9f73dfb187bf4cef05d8cfe72b

SHA1

4af6544d8c94bb673f826a0ba4d24698150b1089

SHA256

bb8298b28cd913814c41d7b6a878b8e2a2da7eb34083c901a5408413fed93b45

SHA512

8438c79aa1ac9779bdab11a3f46f174aad97a7bc2fd1f571d42ef8817dc8477b68468be7445c789d125c1b8749338e047e20301d0a11b9e52dacf947abb65dd4

Malware Config

Extracted

Family bitrat
Version 1.38
C2

severdops.ddns.net:3071

Attributes
communication_password
29ef52e7563626a96cea7f4b4085c124
tor_process
tor
Targets
Target

bb8298b28cd913814c41d7b6a878b8e2a2da7eb34083c901a5408413fed93b45

MD5

9401cf9f73dfb187bf4cef05d8cfe72b

Filesize

2MB

Score
10/10
SHA1

4af6544d8c94bb673f826a0ba4d24698150b1089

SHA256

bb8298b28cd913814c41d7b6a878b8e2a2da7eb34083c901a5408413fed93b45

SHA512

8438c79aa1ac9779bdab11a3f46f174aad97a7bc2fd1f571d42ef8817dc8477b68468be7445c789d125c1b8749338e047e20301d0a11b9e52dacf947abb65dd4

Tags

Signatures

  • BitRAT

    Description

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    Tags

  • Windows security bypass

    Tags

    TTPs

    Disabling Security ToolsModify Registry
  • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    Description

    suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    Tags

  • Looks for VirtualBox Guest Additions in registry

    Tags

    TTPs

    Query RegistryVirtualization/Sandbox Evasion
  • Looks for VMWare Tools registry key

    Tags

    TTPs

    Query RegistryVirtualization/Sandbox Evasion
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistrySystem Information Discovery
  • Windows security modification

    Tags

    TTPs

    Disabling Security ToolsModify Registry
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Maps connected drives based on registry

    Description

    Disk information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Privilege Escalation
                    Tasks

                    static1