General

  • Target

    9618345aad276496e7d33d390a0cdf5e

  • Size

    322KB

  • Sample

    220120-zwc1qsbfg9

  • MD5

    9618345aad276496e7d33d390a0cdf5e

  • SHA1

    49ea625e58a17a1992c767fc7afb137dbfd0419a

  • SHA256

    dc9ddeb5493a529530acf29a62a5de10bef65ffb22ebea264818058bf9223ae6

  • SHA512

    9c4d96bba45a6e589d597277d8454a89781a53b0b6419b4f4ef04f02576a424f7efdc5a9c4f5a426742544d6d054b1ab14aebad6a6a6a355c8c3a0345778ca6d

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

20deenero.con-ip.com:3005

Attributes
  • communication_password

    202cb962ac59075b964b07152d234b70

  • install_dir

    AppData

  • install_file

    chrome.exe

  • tor_process

    tor

Targets

    • Target

      9618345aad276496e7d33d390a0cdf5e

    • Size

      322KB

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                            Count  ID
  Persistence      Registry Run Keys / Startup Folder   2      T1060
  Defense Evasion  Modify Registry                      2      T1112
  Discovery        Query Registry                       1      T1012
  Discovery        System Information Discovery         2      T1082
  Discovery        Remote System Discovery              1      T1018
