General

  • Target

    158D09A621F4B93E4646F709B49784186DCE026F69467.exe

  • Size

    879KB

  • Sample

    220111-jldxaafah8

  • MD5

    6dccc1cbf20e38f6ee3f2244b07fb503

  • SHA1

    b0e5f8c94bbdfc544a5940e81a36596f6d893d4d

  • SHA256

    158d09a621f4b93e4646f709b49784186dce026f69467a368fd24b48d9ce7664

  • SHA512

    5db5ca233b8239ff7351983b18daf0efb1f03bfb487dc3f279d1ca278aef6159ed1d772aeb21704684a2ba87015fec6e97cb8eebb8c5a0fb4e752f9878c805e0

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

serese.duckdns.org:55888

Attributes

  • communication_password

    0f594d0fb572cca8c709a1da375a8639

  • tor_process

    tor

Targets

    • Target

      158D09A621F4B93E4646F709B49784186DCE026F69467.exe

    • Size

      879KB

    • MD5

      6dccc1cbf20e38f6ee3f2244b07fb503

    • SHA1

      b0e5f8c94bbdfc544a5940e81a36596f6d893d4d

    • SHA256

      158d09a621f4b93e4646f709b49784186dce026f69467a368fd24b48d9ce7664

    • SHA512

      5db5ca233b8239ff7351983b18daf0efb1f03bfb487dc3f279d1ca278aef6159ed1d772aeb21704684a2ba87015fec6e97cb8eebb8c5a0fb4e752f9878c805e0

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 2

Tasks