bitrat

General

Target

62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128
Size

5.1MB
Sample

220310-qsmakafcb7
MD5

2394239524d152a87311e91311ab0abb
SHA1

784942496518b70fce9b81d5e85c2ea95bb0c89b
SHA256

62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128
SHA512

d75ca0028286079fc592f0704077cdebcde4f9c55a11350df521d70a97169a12aef2275be8cd408132620f418f9f5c5833bf6b21e837615f80f3afb193a01bb6

Score

10^/10

Malware Config

Extracted

Family

bitrat

Version

1.35

C2

gumerez.xyz:1991

Attributes

communication_password
c3e91d7657b11293c58a2efd9aa9262d
tor_process
tor

Targets

- Target
  
  62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128
- Size
  
  5.1MB
- MD5
  
  2394239524d152a87311e91311ab0abb
- SHA1
  
  784942496518b70fce9b81d5e85c2ea95bb0c89b
- SHA256
  
  62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128
- SHA512
  
  d75ca0028286079fc592f0704077cdebcde4f9c55a11350df521d70a97169a12aef2275be8cd408132620f418f9f5c5833bf6b21e837615f80f3afb193a01bb6
Score

10^/10

bitrat r77 xmrig miner persistence rootkit trojan
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Modifies WinLogon for persistence
  persistence
- r77
  r77 is an open-source, userland rootkit.
  rootkit r77
- r77 rootkit payload
  Detects the payload of the r77 rootkit.
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner Payload
  miner
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Modifies WinLogon for persistence

r77

r77 rootkit payload

xmrig

XMRig Miner Payload

Executes dropped EXE

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2