General

  • Target

    Btecz.exe

  • Size

    3.0MB

  • Sample

    220506-pt7r8ahhb4

  • MD5

    7539d0480133c9b3be4c5a71cc9151b3

  • SHA1

    7d2057acf324790c68ee6d4ac711536120e0d35f

  • SHA256

    f4288442baa9970c87a94055eba6813e3c1cbb2b5df728bfa1780f646db2c7dd

  • SHA512

    b23c037b2674d0d6d8d02e1dccf582f4406c5ed33dd420797663fa9f2dad61f404adfcdab7f0b27929f9dcba050a12072b1a18e2b229a10af3f76bd935cdd92b

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

37.0.11.155:4670

Attributes

  • communication_password

    31af2433c836721a29f5d8e94b790444

  • tor_process

    tor

Targets

    • Target

      Btecz.exe

    • Size

      3.0MB

    • MD5

      7539d0480133c9b3be4c5a71cc9151b3

    • SHA1

      7d2057acf324790c68ee6d4ac711536120e0d35f

    • SHA256

      f4288442baa9970c87a94055eba6813e3c1cbb2b5df728bfa1780f646db2c7dd

    • SHA512

      b23c037b2674d0d6d8d02e1dccf582f4406c5ed33dd420797663fa9f2dad61f404adfcdab7f0b27929f9dcba050a12072b1a18e2b229a10af3f76bd935cdd92b

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks