General

  • Target

    ServerA.ps1

  • Size

    3.1MB

  • Sample

    220506-pjwxzacefl

  • MD5

    3f59a9879c3bc01904de54cc4666d249

  • SHA1

    dd917cf50955fcd14b4d36b5900c869eb61f220f

  • SHA256

    eb2b24470ff5572e47f2e39e4557f35a01233c68ce9b9db6b5eada127108d6ad

  • SHA512

    8565d33a97f8a7fd1faa11635edd514a4c6febf070cc01af3064616ea2acb3dadb3289ed5ecb8c12282638442b7850215d516595f6294980ac78a64eb73438bf

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes
  • communication_password

    e10adc3949ba59abbe56e057f20f883e

  • tor_process

    tor

Targets

    • Target

      ServerA.ps1

    • Size

      3.1MB

    • MD5

      3f59a9879c3bc01904de54cc4666d249

    • SHA1

      dd917cf50955fcd14b4d36b5900c869eb61f220f

    • SHA256

      eb2b24470ff5572e47f2e39e4557f35a01233c68ce9b9db6b5eada127108d6ad

    • SHA512

      8565d33a97f8a7fd1faa11635edd514a4c6febf070cc01af3064616ea2acb3dadb3289ed5ecb8c12282638442b7850215d516595f6294980ac78a64eb73438bf

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

      suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks