Resubmissions

19-01-2022 20:28

220119-y83aqachhm 10

General

  • Target

    e-transfer.img

  • Size

    300MB

  • Sample

    220119-y83aqachhm

  • MD5

    de3a4c3319fffd14a016b32e59ded549

  • SHA1

    03fdb123f412cad89a9dcf33f54a85b31de7221c

  • SHA256

    35da1611e4771602b021b682b95550c90fe8c31ea1367a74d329a6f9e8768021

  • SHA512

    73bac9d70a218253c1e3cba2c0a5499e033c6998775fb84125400d5df5f6bc665da304a484a9191526dafba590012afda353b555d654a788f9555f2848c4d15f

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

yakbitpeople.duckdns.org:9175

Attributes
  • communication_password

    827ccb0eea8a706c4c34a16891f84e7b

  • tor_process

    tor

Targets

    • Target

      E_TRANSF.EXE

    • Size

      300MB

    • MD5

      affebb601f181b9c290753caae06050a

    • SHA1

      64942ee5d84b1a2262d02a1dd0ae1aa6e8b66486

    • SHA256

      e2ce88575e964545d834e0bae841ec554b02fa4a290e645e19cb7556123bb49e

    • SHA512

      3870beafddb9972863a2b0d74eeded9bd21eb3b8c13563808754927ce3a29579adad56e7eb3bc37b4777cb16caea0d9d5d233b01432aa42fe0c5ecafc3c025b2

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

      suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Tasks