General

  • Target

    7425996153.zip

  • Size

    2KB

  • Sample

    220504-z5fg8ahdfn

  • MD5

    7423624b7905adfb9dfb0d6848c37025

  • SHA1

    1050577e5e0c4d44d494708fd4f396760f6d460a

  • SHA256

    2200669f7c1b495f4d7b777e73990d8b9eda12a54d21f8c631506189420893f0

  • SHA512

    24ae400ba5852e39258e539526098a1be649f8e72fad94a3cb374bd83676cb7ebf2077f3ac52ea124ed21a1dbbf03742f3df0f1cf17017fdc00bdeee7b74ad47

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes

  • communication_password

    e10adc3949ba59abbe56e057f20f883e

  • tor_process

    tor

Targets

    • Target

      XNSRUYFKNNERWHVPOJCOXE_COPY.VBS

    • Size

      3KB

    • MD5

      781f4029ef1ea2427f10e4487490b587

    • SHA1

      3d043aa3fb1fda09902a8123864ded866f68566a

    • SHA256

      b6f3c3dd20c8bc610be775141a62cd8020a7068b497c68e1239a7e60ddd31e0d

    • SHA512

      a26468a076effa9bcfd403d57c145df21cfffedd19d4a9e0ad99c92650a690dc9aff0edeb2fa42a28679de79c4d9aa666b65576b6075947e7f6e6f143e719336

    • BitRAT

      BitRAT is a remote access tool written in C++ that reuses leaked source code from other malware families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    • Blocklisted process makes network request

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks