General

  • Target

    bc451f966a4fc42c7ec37a53ca7faf84be5f75e71ef68a0c11fcbad874aa8631

  • Size

    2.5MB

  • Sample

    220121-28a31scec6

  • MD5

    7a16c96ee575e39bb8bc49ba2c54f1b9

  • SHA1

    cce2f5c153235068de706ef5a524e7c28eda3827

  • SHA256

    bc451f966a4fc42c7ec37a53ca7faf84be5f75e71ef68a0c11fcbad874aa8631

  • SHA512

    38a04290f830d5bb5dd9e328c7123c519b5ab1d52f318cfa7e4119758708d0ac1a2065255b2bc92fe0edd5c27b9c91ad9607d0f82a1f8ee3c758cd9ca02776d7

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

jairoandresotalvarorend.linkpc.net:9082

Attributes
  • communication_password

    bfdba24ee3d61f0260c4dc1034c3ee43

  • install_dir

    sophosavsdefender

  • install_file

    sophosavsdefender.exe

  • tor_process

    tor

Targets

    • Target

      bc451f966a4fc42c7ec37a53ca7faf84be5f75e71ef68a0c11fcbad874aa8631

    • Size

      2.5MB

    • MD5

      7a16c96ee575e39bb8bc49ba2c54f1b9

    • SHA1

      cce2f5c153235068de706ef5a524e7c28eda3827

    • SHA256

      bc451f966a4fc42c7ec37a53ca7faf84be5f75e71ef68a0c11fcbad874aa8631

    • SHA512

      38a04290f830d5bb5dd9e328c7123c519b5ab1d52f318cfa7e4119758708d0ac1a2065255b2bc92fe0edd5c27b9c91ad9607d0f82a1f8ee3c758cd9ca02776d7

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Tasks