bitrat | e3c21f2f79c6a027881f1b74728c61d4fbb6fe6921f8840ce2dc11aabc9ceaa4 | Triage

Submit
Reports

Overview

overview

Static

static

8B664F8A44...11.exe

windows7_x64

Sharing

General

Target

8B664F8A44DCB056095BC43BCB854C11.exe
Size

8.8MB
Sample

220111-pq8kcafhap
MD5

8b664f8a44dcb056095bc43bcb854c11
SHA1

3f54621b0fd5bb9ae4f20c41fdc937a6654f9269
SHA256

e3c21f2f79c6a027881f1b74728c61d4fbb6fe6921f8840ce2dc11aabc9ceaa4
SHA512

71d2a1359a7ff610d3b64eeeebc406ca2b00139db0b73484a679563eb5424a7fbd194dde7f2cca0cee6f5f240f58f2541e809d2d880dc32b7f6009335e066d51

Score

10^/10

bitrat redline pub work10 evasion infostealer persistence themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

8B664F8A44DCB056095BC43BCB854C11.exe

Resource

win7-en-20211208

bitrat redline pub work10 evasion infostealer persistence themida trojan

windows7_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

bitrat

Version

1.33

C2

89.163.140.102:1234

Attributes

communication_password
8c249675aea6c3cbd91661bbae767ff1
tor_process
tor

Extracted

Family

redline

Botnet

pub

C2

185.153.198.36:81

Extracted

Family

redline

Botnet

work10

C2

185.250.151.29:42520

Targets

- Target
  
  8B664F8A44DCB056095BC43BCB854C11.exe
- Size
  
  8.8MB
- MD5
  
  8b664f8a44dcb056095bc43bcb854c11
- SHA1
  
  3f54621b0fd5bb9ae4f20c41fdc937a6654f9269
- SHA256
  
  e3c21f2f79c6a027881f1b74728c61d4fbb6fe6921f8840ce2dc11aabc9ceaa4
- SHA512
  
  71d2a1359a7ff610d3b64eeeebc406ca2b00139db0b73484a679563eb5424a7fbd194dde7f2cca0cee6f5f240f58f2541e809d2d880dc32b7f6009335e066d51
Score

10^/10

bitrat redline pub work10 evasion infostealer persistence themida trojan
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Modifies WinLogon for persistence
  persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Executes dropped EXE
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

bitratredlinepubwork10evasioninfostealerpersistencethemidatrojan

© 2018-2024

Terms | Privacy