General

  • Target

    bfb6a36e1eafd449e5614ccf2f299ada.exe

  • Size

    48KB

  • Sample

    220504-nt2ersgdbq

  • MD5

    bfb6a36e1eafd449e5614ccf2f299ada

  • SHA1

    f4c9c1dd68179fd2200fc901aac9f474222d26dd

  • SHA256

    00286bed05e99217e33ec5b564dd3fdbce80effc233616bab21a26814d8e7009

  • SHA512

    49370535292ebc6ade25a9c8757abf528e2402868a2d8235d6d6e9f0507700d681f3004c22e4ede84c72d21656532ba5386a6cdcc55ba8fe50ecbfeff9946582

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

nuevocomienzo.con-ip.com:3005

Attributes
  • communication_password

    202cb962ac59075b964b07152d234b70

  • tor_process

    tor

Targets

    • Target

      bfb6a36e1eafd449e5614ccf2f299ada.exe

    • Size

      48KB

    • MD5

      bfb6a36e1eafd449e5614ccf2f299ada

    • SHA1

      f4c9c1dd68179fd2200fc901aac9f474222d26dd

    • SHA256

      00286bed05e99217e33ec5b564dd3fdbce80effc233616bab21a26814d8e7009

    • SHA512

      49370535292ebc6ade25a9c8757abf528e2402868a2d8235d6d6e9f0507700d681f3004c22e4ede84c72d21656532ba5386a6cdcc55ba8fe50ecbfeff9946582

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

      suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks