General

  • Target

    d7ab9ebf86b0d1e2121a7312db4a94fac78942f05e8fe99a531213b618d7b925

  • Size

    2.3MB

  • Sample

    220121-22rgescbe8

  • MD5

    3a5142595acc5bc1445ae775bb4dd58c

  • SHA1

    4455feead6c4aed1a7a5ed2b820df9a0f3740676

  • SHA256

    d7ab9ebf86b0d1e2121a7312db4a94fac78942f05e8fe99a531213b618d7b925

  • SHA512

    bb74bc7edb11ff4d8ff828077584d3e6ad9066e956fc6c4fbf6eeb99e5cdbe0986d7682083cffa4d3c7fb97d8732c04886fb0ef26f10a40516fd6515ae7bd5c6

Malware Config

Extracted

Family

bitrat

Version

1.35

C2

publiquilla.linkpc.net:9097

Attributes
  • communication_password

    bfdba24ee3d61f0260c4dc1034c3ee43

  • install_dir

    System320772736e3b1d119b3

  • install_file

    System320772736e3b1d119b.exe

  • tor_process

    tor

Targets

    • Target

      d7ab9ebf86b0d1e2121a7312db4a94fac78942f05e8fe99a531213b618d7b925


    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
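
The extracted config and the behavioural signatures above are enough to write host and network checks. The following is an added example written for this page, not the sandbox's own tooling and not BitRAT code: it copies the C2 host and port, the install directory and file names, and the SHA256 from the report, then runs them over a handful of constructed, simplified Sysmon-style events (not real logs). The `%APPDATA%` drop path used in the constructed events is an assumption; the report gives only the directory and file names, not where they are written.

```python
"""Host and network checks derived from this report's extracted BitRAT config.

Added example for this page; not the sandbox's own code and not BitRAT code.
IOC values are copied from the report. The telemetry records are constructed,
simplified Sysmon-style events (not real logs); the AppData install path in
them is an assumption, since the report gives only directory and file names.
"""
import re
from dataclasses import dataclass

# Copied from the "Extracted" config and hash list in the report.
CONFIG = {
    "family": "bitrat",
    "version": "1.35",
    "c2_host": "publiquilla.linkpc.net",
    "c2_port": 9097,
    "install_dir": "System320772736e3b1d119b3",
    "install_file": "System320772736e3b1d119b.exe",
    "sha256": "d7ab9ebf86b0d1e2121a7312db4a94fac78942f05e8fe99a531213b618d7b925",
}

# Autostart locations behind the "Adds Run key to start application" signature
# (ATT&CK v6 T1060): HKLM or HKCU, Run or RunOnce, any value name.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?(\\[^\\]*)?$", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    event_id: int
    rule: str
    detail: str


def check_event(ev: dict) -> list:
    """Return the rules one event triggers (empty list for benign events)."""
    hits = []
    kind = ev.get("type")
    eid = ev.get("id", -1)

    if kind == "registry_set":
        # Persistence: a Run/RunOnce value whose data names the configured
        # install file. Matching the file name rather than a full path keeps
        # the rule valid if the drop directory differs from our assumption.
        key, data = ev.get("key", ""), ev.get("data", "")
        if RUN_KEY_RE.search(key) and CONFIG["install_file"].lower() in data.lower():
            hits.append(Hit(eid, "bitrat_run_key", f"{key} -> {data}"))

    elif kind == "network_connect":
        # C2: the report gives a hostname and port, not an IP, so match on the
        # name the process resolved. Port alone is too weak; both must match.
        host, port = ev.get("dest_host", "").lower(), int(ev.get("dest_port", 0))
        if host == CONFIG["c2_host"] and port == CONFIG["c2_port"]:
            hits.append(Hit(eid, "bitrat_c2", f"{host}:{port}"))

    elif kind == "process_create":
        image = ev.get("image", "")
        # The install names are built to look like "System32". Compare whole
        # path components, never the bare "System32" substring, or the real
        # %WINDIR%\System32 would match.
        parts = image.lower().replace("/", "\\").split("\\")
        if parts[-1] == CONFIG["install_file"].lower():
            hits.append(Hit(eid, "bitrat_install_file", image))
        if CONFIG["install_dir"].lower() in parts[:-1]:
            hits.append(Hit(eid, "bitrat_install_dir", image))
        if ev.get("sha256", "").lower() == CONFIG["sha256"]:
            hits.append(Hit(eid, "bitrat_sample_hash", image))

    return hits


def scan(events) -> list:
    """Run every event through check_event and flatten the hits."""
    return [h for ev in events for h in check_event(ev)]


# Constructed telemetry (not real logs). Events 1-3 model the behaviour the
# report describes; 4-5 are benign look-alikes the rules must not flag.
SAMPLE_EVENTS = [
    {"id": 1, "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\System320772736e3b1d119b",
     "data": r"C:\Users\victim\AppData\Roaming\System320772736e3b1d119b3\System320772736e3b1d119b.exe"},
    {"id": 2, "type": "network_connect",
     "dest_host": "publiquilla.linkpc.net", "dest_port": 9097},
    {"id": 3, "type": "process_create",
     "image": r"C:\Users\victim\AppData\Roaming\System320772736e3b1d119b3\System320772736e3b1d119b.exe",
     "sha256": CONFIG["sha256"]},
    {"id": 4, "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"id": 5, "type": "process_create",
     "image": r"C:\Windows\System32\svchost.exe", "sha256": "0" * 64},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"event {hit.event_id}: {hit.rule}: {hit.detail}")
```

To use this against real data, map Sysmon event ID 13 (registry value set), 3 (network connection) and 1 (process create) onto the three dict shapes above. The report gives no C2 IP, so alert on the hostname rather than on whatever it resolves to at the time, and treat the install_dir and install_file strings as the strongest host indicators: they are chosen to blend in with the real System32 name, which is exactly why the checks compare whole path components.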

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Registry Run Keys / Startup Folder: T1060 (1 matching signature)

Defense Evasion

  • Modify Registry: T1112 (1 matching signature)

Tasks