General

  • Target: d38c5450042d5abed1dc9fb3ad31dace57016abad7365d16aab59982c61b9fec
  • Size: 2.2MB
  • Sample: 220121-23qaraceer
  • MD5: 7545c015bd1feba22347fcbe6e5e0a86
  • SHA1: bcb1fd3b33f243ca8e2f3ac87e2700be8e04d002
  • SHA256: d38c5450042d5abed1dc9fb3ad31dace57016abad7365d16aab59982c61b9fec
  • SHA512: 505b1867673c86e654cdd369332bad493100fb37d9f24cbe91855c98c2d70022eea92ec0eff6ea52f8eb723096d2709cb87e15f55701d834d213bf72619d16ed

Malware Config

Extracted

  • Family: bitrat
  • Version: 1.35
  • C2: publiquilla.linkpc.net:9096

Attributes
  • communication_password: bfdba24ee3d61f0260c4dc1034c3ee43
  • install_dir: antivirusscamdefenderlogss
  • install_file: antivirusscamdefenderlog.exe
  • tor_process: tor

Targets

    • BitRAT: BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
    • UPX packed file: Detects executables packed with UPX/modified UPX open source packer.
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic            Technique                            Count  ID
  Persistence       Registry Run Keys / Startup Folder   1      T1060
  Defense Evasion   Modify Registry                      1      T1112

Tasks