General

  • Target

    Gkkkaytp.exe

  • Size

    3.1MB

  • Sample

    220507-eq4ahsdhgr

  • MD5

    58b756316b232975a709148b774bd66c

  • SHA1

    4263dc71f89dfba45d79647d5ca73cd7841b039b

  • SHA256

    39d180e2f5c447706ad8e4f2fc0a86c2cbd586426dd1343f37f3008569f1a60b

  • SHA512

    65b3b7ac35b0dd92ca85ce08d521e05d66009ee7c3de8dc9663013855c064e936f1c6848e261b7aa953cb3d77acfdc433906d5d201955daea29187e4b301c6a8

Malware Config

Extracted

  • Family

    bitrat

  • Version

    1.38

  • C2

    212.193.30.54:3680

Attributes

  • communication_password

    46821e93230f353d5c46240b0462a0fe

  • tor_process

    tor

Targets

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks