General

  • Target

    6fef760b228bf8b61e7e9d1591ddec09

  • Size

    42KB

  • Sample

    220505-wlh78abbcp

  • MD5

    6fef760b228bf8b61e7e9d1591ddec09

  • SHA1

    8a5e948bf1f7eba603e49e413fbf5afca4134be9

  • SHA256

    9468b818e8113dd4b056765080af10d530bdbe521cc26157b833ea1b51186927

  • SHA512

    a9e16c34ead7884568d59b415575ccbd162fe85d9af03bddc650e07b6abbaf8ec902d284b461f34c7986d2cd9c4cbc6da7b35e8fee173d9ca0d2ff07dfcbaae5

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

fshdshsegsgsg.duckdns.org:1882

Attributes

  • communication_password

    81dc9bdb52d04dc20036dbd8313ed055

  • tor_process

    tor

Targets

    • Target

      6fef760b228bf8b61e7e9d1591ddec09

    • Size

      42KB

    • MD5

      6fef760b228bf8b61e7e9d1591ddec09

    • SHA1

      8a5e948bf1f7eba603e49e413fbf5afca4134be9

    • SHA256

      9468b818e8113dd4b056765080af10d530bdbe521cc26157b833ea1b51186927

    • SHA512

      a9e16c34ead7884568d59b415575ccbd162fe85d9af03bddc650e07b6abbaf8ec902d284b461f34c7986d2cd9c4cbc6da7b35e8fee173d9ca0d2ff07dfcbaae5

    • BitRAT

      BitRAT is a remote access tool written in C++ that reuses leaked source code from other malware families.

    • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks