General

  • Target

    2.7z

  • Size

    2KB

  • Sample

    220507-f1nhgscae5

  • MD5

    36ffc07a4628f819e120490dc20a9a17

  • SHA1

    ec010b0524cab86c1faa27dc329162800dc1a9c5

  • SHA256

    eba1a0340775b4b2bb9745173d5dea62994298d756bb1a4b1ec7b6a12646be7b

  • SHA512

    ce6d77ab5edf89adef4b7dd11bf612a83bd0717075eb7dc6281d0358f3276d2509a88bf77b465b6ce60039b25fc39b95facace9a5dadb57fbd68a41a19732ef2

Score
10/10

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitratnew9200.duckdns.org:9200

Attributes
  • communication_password

    e10adc3949ba59abbe56e057f20f883e

  • tor_process

    tor
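The extracted values above are the actionable part of the report, and two of them deserve a check before they go into a blocklist: the C2 is a dynamic-DNS hostname (the name, not whatever IP it resolves to today, is the durable indicator), and the communication_password has the length and alphabet of an MD5 digest. The following script is an added example, not part of the sandbox report or of any BitRAT tooling; it copies the family, version, C2 and password values from the report, while the candidate-password list, the dynamic-DNS suffix list and every function name are assumptions made for the example.

```python
"""Triage of the BitRAT config extracted above (added example, not the
report's own code). Config values are copied from the report; the wordlist,
the dynamic-DNS suffixes and the function names are assumptions."""
import hashlib

EXTRACTED = {
    "family": "bitrat",
    "version": "1.38",
    "c2": "bitratnew9200.duckdns.org:9200",
    "communication_password": "e10adc3949ba59abbe56e057f20f883e",
    "tor_process": "tor",
}

# Providers whose hostnames an operator can re-point at will, so the
# hostname rather than the resolved IP is the indicator to keep (assumed list).
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.com", ".ddns.net")

# Constructed wordlist of common passwords for the recovery check.
COMMON_PASSWORDS = ["password", "123456", "12345678", "admin", "qwerty", "bitrat"]


def parse_c2(c2):
    """Split 'host:port' into (host, port); a missing or non-numeric port is None."""
    host, sep, port = c2.rpartition(":")
    if not sep or not port.isdigit():
        return c2, None
    return host, int(port)


def is_dynamic_dns(host):
    return host.lower().endswith(DYNDNS_SUFFIXES)


def recover_password(digest, candidates):
    """Return the candidate whose MD5 equals the 32-hex digest, else None.

    The report's value only looks like an MD5 digest; the check is meaningful
    only if that assumption about the storage format holds."""
    digest = digest.lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        return None
    for cand in candidates:
        if hashlib.md5(cand.encode()).hexdigest() == digest:
            return cand
    return None


def build_iocs(config, candidates=COMMON_PASSWORDS):
    """Turn the raw config into a flat IOC record for blocklists and hunting."""
    host, port = parse_c2(config["c2"])
    return {
        "family": config["family"],
        "version": config["version"],
        "c2_host": host,
        "c2_port": port,
        "dynamic_dns": is_dynamic_dns(host),
        "password_plaintext": recover_password(config["communication_password"], candidates),
        "tor_process": config.get("tor_process"),
    }


if __name__ == "__main__":
    for key, value in build_iocs(EXTRACTED).items():
        print(f"{key}: {value}")
```

Run as-is, the script reports the C2 as a duckdns.org dynamic-DNS host on port 9200 and recovers the communication password as "123456", since MD5("123456") is exactly the digest in the report; a hash that does not match the 32-hex shape, or matches no candidate, comes back as None rather than a guess.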

Targets

    • Target

      2/51e7af4931cfea559a0d19abd4f57547.hta

    • Size

      3KB

    • MD5

      51e7af4931cfea559a0d19abd4f57547

    • SHA1

      cfa2d2e96f2b526beb5d9cf914d6c9a596ee722f

    • SHA256

      f08e57482a2a97c1c1d0cfe5afe3557566e05a3e787df3cdb8112db6cac51e5f

    • SHA512

      92723c9e0ca919faeb839023bbcce94385c64123a5f407f00113996bb761b063b49721ab03bcce9a13148d6419da19609ca37730ba3ded252faee1ad8afab812

    Score
    10/10
    • BitRAT

      BitRAT is a remote access trojan (RAT) written in C++ that reuses leaked source code from other malware families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or a malicious macro or script. For an .hta target the parent is the HTML Application host, mshta.exe, which executes the script embedded in the file.

    • Blocklisted process makes network request

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops the thread from reporting debug events to an attached debugger, a common anti-debugging technique.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites another thread's register state, including its instruction pointer; on a suspended process or thread it is the usual final step of process hollowing or thread hijacking.

    • Target

      2/6fe64e0e9bc585df185a1378b9bed369.hta

    • Size

      3KB

    • MD5

      6fe64e0e9bc585df185a1378b9bed369

    • SHA1

      f827f7af161f25c5637eddfe8ffbf56710d174f0

    • SHA256

      30e3fc505ce3b7051c6dcff85c9a8d76e0a8e64f28a74b1b842b6b0eeadab13c

    • SHA512

      1edcebbbc39a8b5967ea906d116f5b004c95ac869619a3b069bc2c424fdb89a8efdbe1e4ae70191d5acd082f3cc07fa97feb0ebd57863445577b98e83aec3b05

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Drops file in System32 directory
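Two of the behavioural signatures raised on both .hta targets, "Process spawned unexpected child process" and "Blocklisted process makes network request", are simple to reproduce on endpoint telemetry. The script below is an added example, not the sandbox's own signature logic: it runs both rules over constructed Sysmon-style process records. The script-host list, the network blocklist, the event shape and the sample events are assumptions (the sample reuses the report's C2 hostname as a destination, but the report does not say which process connected to it); the one fact relied on is that Windows runs .hta files inside mshta.exe.

```python
"""Two of the report's behavioural signatures over constructed telemetry
(added example, not the sandbox's signature code). The host list, the
blocklist and the events are assumptions."""
from dataclasses import dataclass

# Script hosts that run .hta/.js/.vbs content but rarely need to start other
# programs (assumed list; Windows executes .hta files in mshta.exe).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

# Processes that should not initiate outbound connections on their own
# (assumed blocklist; the report does not publish the sandbox's list).
NET_BLOCKLIST = {"mshta.exe", "wscript.exe", "cscript.exe",
                 "regsvr32.exe", "rundll32.exe", "certutil.exe"}


@dataclass
class Event:
    """Sysmon-style record: event_id 1 = process create, 3 = network connect."""
    event_id: int
    pid: int
    image: str
    parent_pid: int = 0
    parent_image: str = ""
    dest: str = ""  # "host:port", only set on event_id 3


def basename(path: str) -> str:
    """Image name only, lower-cased, so paths and casing do not defeat the match."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (signature, subject, detail) tuples in event order."""
    findings = []
    for e in events:
        if e.event_id == 1 and basename(e.parent_image) in SCRIPT_HOSTS:
            findings.append(("Process spawned unexpected child process",
                             basename(e.parent_image), basename(e.image)))
        elif e.event_id == 3 and basename(e.image) in NET_BLOCKLIST:
            findings.append(("Blocklisted process makes network request",
                             basename(e.image), e.dest))
    return findings


# Constructed telemetry: the user opens the .hta from Explorer, mshta.exe
# spawns PowerShell, and mshta.exe itself calls out to the C2 named in the
# report's config. The svchost.exe connection is benign filler.
SAMPLE_EVENTS = [
    Event(1, 4120, r"C:\Windows\System32\mshta.exe", 1880, r"C:\Windows\explorer.exe"),
    Event(1, 4316, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          4120, r"C:\Windows\System32\mshta.exe"),
    Event(3, 4120, r"C:\Windows\System32\mshta.exe", dest="bitratnew9200.duckdns.org:9200"),
    Event(3, 1204, r"C:\Windows\System32\svchost.exe", dest="update.microsoft.com:443"),
]

if __name__ == "__main__":
    for signature, subject, detail in detect(SAMPLE_EVENTS):
        print(f"{signature}: {subject} -> {detail}")
```

Explorer starting mshta.exe is not flagged, because Explorer is the normal launcher for a double-clicked file; mshta.exe starting PowerShell and mshta.exe opening a connection are. Matching on the image basename rather than the full path is deliberate, since droppers routinely copy the script host or payload elsewhere before running it, which is also why "Drops file in System32 directory" appears alongside these signatures.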

MITRE ATT&CK Enterprise v6

Tasks