General

  • Target

    Serve.ps1

  • Size

    3.1MB

  • Sample

    220506-pjbl2aceer

  • MD5

    d65de7524197d0d296a3d5e4c85c35bc

  • SHA1

    bd826cf86b3acfb45ea500d0bc731c40a7fa737b

  • SHA256

    32c17b45985fbefcf67e054af34e00eb56c0577edfa13d03abb2b8d8e041a513

  • SHA512

    b784fd4606e2626749babbb3debc5116796ce012257fa6400589df4501b29be01618aeaa7028d30f64d29c17eed6d1323eee670715ba2a3f4e0ed4c23e121876

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitratnew9100.duckdns.org:9100

Attributes
  • communication_password

    e10adc3949ba59abbe56e057f20f883e

  • tor_process

    tor

Targets

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks