General

  • Target

    46384028b4c21ce3ed937de84665be89cb78cad140c85a63806f7ebf0a23ce88

  • Size

    2.0MB

  • Sample

    220130-sj4vcsdeh5

  • MD5

    9edc6bd6360c3d3e593e6f63353fe45a

  • SHA1

    9f305ba70a0b5056dd1934a83acfb7cc04618de6

  • SHA256

    46384028b4c21ce3ed937de84665be89cb78cad140c85a63806f7ebf0a23ce88

  • SHA512

    b1ea3103dfabba16fc3169eb5105fa4d22573d4f62beba0c1d99fae7500a8cf9ecc4330f0058fa363bb607f7cee6365e0eeb6471c3606097625a81132213aa69

Malware Config

Extracted

  • Family

    bitrat

  • Version

    1.38

  • C2

    jairoandresotalvarorend.linkpc.net:9085

Attributes
  • communication_password

    bfdba24ee3d61f0260c4dc1034c3ee43

  • install_dir

    Googlechromeinite

  • install_file

    Googlechromeinit.exe

  • tor_process

    tor

Targets

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

Tasks