135.148.74.241_HCrypt.zip

General
Target

135.148.74.241_HCrypt.zip

Size

3MB

Sample

220120-rwaxdaacgm

Score
10 /10
MD5

05536ec1dc249cc4289ce6b092dd9ab3

SHA1

2f3b53927e1073e68b62b6ef39e239064975dc2a

SHA256

d9b46632629c4859fc820c553f63130901419a511003584fd2c0ab468db5e5cc

SHA512

dd772cfedb0c432dc3cfde1ba2f381a4c78bd7b8c07bc6865c460dcd02cf29dbf4b8b1127dd35f72b332213a53c671b870304210ca8b38897f61f3a8412e82f4

Malware Config

Extracted

Language ps1
Deobfuscated
URLs
exe.dropper

http://135.148.74.241/PS1_B.txt

Extracted

Family bitrat
Version 1.38
C2

135.148.74.241:8080

Attributes
communication_password
f1c1592588411002af340cbaedd6fc33
tor_process
tor
Targets
Target

135.148.74.241_HCrypt/PS1.hta

MD5

37f9dc388fedc16b308acaadc34c2054

Filesize

3KB

Score
10/10
SHA1

25c936c0b399b82ad39363f6237fd5db13369bda

SHA256

f30cba9be2a7cf581939e7e7b958d5e0554265a685b3473947bf2c26679995d3

SHA512

f7a335e8b559079ea7b8d8d9341f0d13e3b7c23af4858d87f350df698f2580e83a7c3e84a69cdb003f83b68127a45943cfbb5cd11c44cc3a8446fb30ace85fc4

Signatures

  • BitRAT

    Description

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

  • Blocklisted process makes network request

  • Sets service image path in registry

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry; System Information Discovery

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

Target

135.148.74.241_HCrypt/new/ExeToHta.txt

MD5

5cdda3ce9f4ec5929f041ae1271d89cb

Filesize

87KB

Score
8/10
SHA1

18ad6442b91e80f3023056f8e7c34d4d50990b35

SHA256

d128aa6332948a130c38ebec9cb4a62b33aa9e0a530ed5c70f99e29a04b66c86

SHA512

ace13ce14aa31046bfd942ad41264367b0141cbda25a14e491699d9413107a11d0ee57e6cccf7404a2233c69961b2072c243db59197f9774566fcc0b64a35784

Signatures

  • Sets service image path in registry

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

MITRE ATT&CK Matrix

Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Tasks

static1

behavioral1
10/10

behavioral3
1/10

behavioral4
8/10