General

  • Target

    8f161c203384b95bc5b20e122a9c1c68

  • Size

    323KB

  • Sample

    220120-xnpy8abbfl

  • MD5

    8f161c203384b95bc5b20e122a9c1c68

  • SHA1

    c72b4a03fef8c75ff0aab7bd97722249c9334ab0

  • SHA256

    4ea881ce90cbf4c9f6f26b940e062bbd147531c6754390f7e61784d892b54668

  • SHA512

    5b057a81759833c140153d4154f03ec6f0d544411f6739310b0c9f271b77d613c50062076a9aec951a527fed3aa55cc9d2fdd2a9bdd337912e020cd986066587

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

utfghjhkyut.duckdns.org:1882

Attributes
  • communication_password

    81dc9bdb52d04dc20036dbd8313ed055

  • install_dir

    AppData

  • install_file

    chrome.exe

  • tor_process

    tor

Targets

    • Target

      8f161c203384b95bc5b20e122a9c1c68

    • Size

      323KB

    • MD5

      8f161c203384b95bc5b20e122a9c1c68

    • SHA1

      c72b4a03fef8c75ff0aab7bd97722249c9334ab0

    • SHA256

      4ea881ce90cbf4c9f6f26b940e062bbd147531c6754390f7e61784d892b54668

    • SHA512

      5b057a81759833c140153d4154f03ec6f0d544411f6739310b0c9f271b77d613c50062076a9aec951a527fed3aa55cc9d2fdd2a9bdd337912e020cd986066587

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

      suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Tasks