General

  • Target

    DHL Shipment Note.exe

  • Size

    267KB

  • Sample

    220108-jj9aeadcdn

  • MD5

    088ef2cfabd6e8b52832f5e358bfff6b

  • SHA1

    4c389ccc2ac9809b315b5ba1b3d3fe3edcf9876d

  • SHA256

    3bdd75cf5a2b26bbf10f298f3071b2d7c7a79b33f880eb3f26c3276baceaac1f

  • SHA512

    0101392d09c48ab7d70582f267dc86d765c77161cfc34ec8cc0ff0a527a46178b4c487a0810a946caab28c4ae6d03cb7134dad0dee13e5563a53135b1c1f992c

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

severdops.ddns.net:3071

Attributes
  • communication_password

    29ef52e7563626a96cea7f4b4085c124

  • install_dir

    msWORLD

  • install_file

    excel.exe

  • tor_process

    tor

Targets

    • Target

      DHL Shipment Note.exe

    • Size

      267KB

    • MD5

      088ef2cfabd6e8b52832f5e358bfff6b

    • SHA1

      4c389ccc2ac9809b315b5ba1b3d3fe3edcf9876d

    • SHA256

      3bdd75cf5a2b26bbf10f298f3071b2d7c7a79b33f880eb3f26c3276baceaac1f

    • SHA512

      0101392d09c48ab7d70582f267dc86d765c77161cfc34ec8cc0ff0a527a46178b4c487a0810a946caab28c4ae6d03cb7134dad0dee13e5563a53135b1c1f992c

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

      suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Tasks