General

  • Target

    Inquiry 06 MAY 2022.doc

  • Size

    5KB

  • Sample

    220506-pskajahha7

  • MD5

    a9fc67f4ebc5c1d33bd153e7f70f5ab9

  • SHA1

    43c44e173b5099f1bd0bf5f36fdf3be46c33007b

  • SHA256

    ff6296c9c5d80fd9594c50eff2acaa4f77d76a06f27f7acb8056561fa9654fc3

  • SHA512

    6f9ae7bfba6f793141fb0dbf91719dfa2d18fd5838c7ff31a7060b8e88a6078223469a0bfbfdbffbebad1a4c0a8b6a7d5cf5fab6bff5e320243b60a7efc82ee8

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

37.0.11.155:4670

Attributes
  • communication_password

    31af2433c836721a29f5d8e94b790444

  • tor_process

    tor
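The extracted configuration above is the material a SOC turns into shareable indicators and a network detection. The following is an added example, not part of the sandbox report and not BitRAT's own tooling: it validates the config fields, defangs the C2 for sharing, and renders a Suricata rule for the C2 endpoint. The rule SID 9000001, the rule message text, and the 32-hex-character shape check on communication_password (which checks only the field's format, not what it encodes) are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Values copied from the "Malware Config" section of the report above.
EXTRACTED_CONFIG = {
    "family": "bitrat",
    "version": "1.38",
    "c2": "37.0.11.155:4670",
    "communication_password": "31af2433c836721a29f5d8e94b790444",
    "tor_process": "tor",
}

# Shape check only (assumption): the report shows a 32-char lowercase hex value.
HEX32 = re.compile(r"^[0-9a-f]{32}$")


@dataclass(frozen=True)
class Indicators:
    c2_ip: str
    c2_port: int
    c2_defanged: str      # safe to paste into tickets / chat without auto-linking
    suricata_rule: str


def parse_c2(c2: str) -> tuple[str, int]:
    """Split 'ip:port' and validate both halves so a malformed field fails loudly."""
    host, sep, port_s = c2.rpartition(":")
    if not sep:
        raise ValueError(f"no port in C2 field: {c2!r}")
    ip = ipaddress.ip_address(host)        # raises ValueError on a non-IP host
    port = int(port_s)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return str(ip), port


def defang(ip: str) -> str:
    """Replace dots so the address is not clickable when shared."""
    return ip.replace(".", "[.]")


def config_to_indicators(cfg: dict, sid: int = 9000001) -> Indicators:
    """Turn the sandbox-extracted config into IOCs plus a Suricata rule.

    `sid` is an assumed value in the local-rule range; pick one from your own
    allocation before deploying.
    """
    if cfg.get("family") != "bitrat":
        raise ValueError("not a bitrat config")
    if not HEX32.match(cfg.get("communication_password", "")):
        raise ValueError("communication_password is not a 32-char hex value")
    ip, port = parse_c2(cfg["c2"])
    rule = (
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"BitRAT {cfg["version"]} C2 connection (sandbox-extracted config)"; '
        f'flow:to_server,established; classtype:trojan-activity; sid:{sid}; rev:1;)'
    )
    return Indicators(ip, port, f"{defang(ip)}:{port}", rule)


if __name__ == "__main__":
    ind = config_to_indicators(EXTRACTED_CONFIG)
    print(ind.c2_defanged)
    print(ind.suricata_rule)
```

The rule matches on destination IP and port only, because the config gives nothing else to key on; treat it as a short-lived indicator, since RAT operators rotate C2 endpoints.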

Targets

    • Target

      Inquiry 06 MAY 2022.doc

    • Size

      5KB

    • MD5

      a9fc67f4ebc5c1d33bd153e7f70f5ab9

    • SHA1

      43c44e173b5099f1bd0bf5f36fdf3be46c33007b

    • SHA256

      ff6296c9c5d80fd9594c50eff2acaa4f77d76a06f27f7acb8056561fa9654fc3

    • SHA512

      6f9ae7bfba6f793141fb0dbf91719dfa2d18fd5838c7ff31a7060b8e88a6078223469a0bfbfdbffbebad1a4c0a8b6a7d5cf5fab6bff5e320243b60a7efc82ee8

    • BitRAT

      BitRAT is a remote access tool written in C++ that incorporates leaked source code from other malware families.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
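The signature list above names behaviours that are observable on an endpoint, not just in the sandbox. The following added example (not from the sandbox report or its signature engine) shows how three of them, a dropped file being executed, a Run key being written, and a connection to the extracted C2, can be detected over Sysmon-style events. The event records, file paths, registry path and process IDs are constructed for the example; only the C2 address comes from the extracted config. The Sysmon event IDs used are the standard ones (1 process create, 3 network connect, 11 file create, 13 registry value set).

```python
# C2 endpoint from the report's extracted config.
BITRAT_C2 = ("37.0.11.155", 4670)

WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
DROPPED = r"C:\Users\user\AppData\Local\Temp\update.exe"   # assumed path

# Constructed Sysmon-style events, not the sandbox's actual telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "Image": WINWORD,
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 4100, "Image": WINWORD,
     "TargetFilename": DROPPED},
    {"EventID": 1, "ProcessId": 5220, "Image": DROPPED, "ParentImage": WINWORD},
    {"EventID": 13, "ProcessId": 5220, "Image": DROPPED,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\update"},
    {"EventID": 3, "ProcessId": 5220, "Image": DROPPED,
     "DestinationIp": "37.0.11.155", "DestinationPort": 4670},
    # Benign noise that must not fire: a non-Run registry write and a normal HTTPS connection.
    {"EventID": 13, "ProcessId": 4100, "Image": WINWORD,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Word\Resiliency"},
    {"EventID": 3, "ProcessId": 4100, "Image": WINWORD,
     "DestinationIp": "52.96.0.1", "DestinationPort": 443},
]

RUN_KEY_MARKER = "\\currentversion\\run\\"


def detect(events):
    """Single pass over ordered events; returns (rule, event_index, related_index) tuples.

    The dropped-EXE rule is a correlation: an EventID 1 whose Image was written
    earlier in the stream by an EventID 11. The other two are per-event matches.
    """
    findings = []
    created = {}  # lowercased path -> index of the EventID 11 that wrote it
    for i, ev in enumerate(events):
        eid = ev["EventID"]
        if eid == 11:
            created[ev["TargetFilename"].lower()] = i
        elif eid == 1:
            img = ev["Image"].lower()
            if img in created:
                findings.append(("executes_dropped_exe", i, created[img]))
        elif eid == 13:
            if RUN_KEY_MARKER in ev["TargetObject"].lower():
                findings.append(("adds_run_key", i, None))
        elif eid == 3:
            if (ev["DestinationIp"], ev["DestinationPort"]) == BITRAT_C2:
                findings.append(("bitrat_c2_connection", i, None))
    return findings


def processes_with_full_chain(events, findings):
    """PIDs that executed as a dropped EXE, then persisted via Run key and beaconed to C2."""
    by_pid = {}
    for rule, idx, _ in findings:
        by_pid.setdefault(events[idx]["ProcessId"], set()).add(rule)
    needed = {"executes_dropped_exe", "adds_run_key", "bitrat_c2_connection"}
    return sorted(pid for pid, rules in by_pid.items() if needed <= rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, idx, rel in found:
        print(rule, "event", idx, "related", rel)
    print("full chain:", processes_with_full_chain(SAMPLE_EVENTS, found))
```

The Run-key and C2 matches each fire alone; the value of the stream-wide pass is the correlation, which is what lets a single process be escalated rather than three unrelated alerts. The anti-debug and SetThreadContext signatures in the list are in-process API behaviour that Sysmon does not log; they need an EDR or an API-monitoring sandbox.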
