General

  • Target

    4136661e8a9689aca8802518294b02fe.exe

  • Size

    2.2MB

  • Sample

    220107-rb4zqaccg9

  • MD5

    4136661e8a9689aca8802518294b02fe

  • SHA1

    3f43207a00cd456fd54e783e95b20a849c09961b

  • SHA256

    32ca272da062d0997c8131b5488af9858420cb97ab7d67fb911afc37d45e4788

  • SHA512

    6d9290a19be178c2e561bb9209ee5bf7309a8d89922ebc3cc200756d6e85058aedce1a3df6c45149f2c677f61c98b8fee943d31807aece251799710ae42ec82e

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

91.243.32.131:80

Attributes
  • communication_password

    202cb962ac59075b964b07152d234b70

  • install_dir

    Defenderzone

  • install_file

    syspro.exe

  • tor_process

    tor

Targets

    • Target

      4136661e8a9689aca8802518294b02fe.exe

    • Size

      2.2MB

    • MD5

      4136661e8a9689aca8802518294b02fe

    • SHA1

      3f43207a00cd456fd54e783e95b20a849c09961b

    • SHA256

      32ca272da062d0997c8131b5488af9858420cb97ab7d67fb911afc37d45e4788

    • SHA512

      6d9290a19be178c2e561bb9209ee5bf7309a8d89922ebc3cc200756d6e85058aedce1a3df6c45149f2c677f61c98b8fee943d31807aece251799710ae42ec82e

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • mimikatz is an open source tool to dump credentials on Windows

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Tasks