General

  • Target

    BEIAKO93ND6_PAYMENT_COPY.zip

  • Size

    1.8MB

  • Sample

    220511-ge513sfgh5

  • MD5

    fe9e747871ed7c17560df13fce52a9ab

  • SHA1

    b091f80e9263a373a401e595e635aa773829e4d8

  • SHA256

    e1433f76a11970aa6afb5939d724025e0b0135074e80105ed78c22ffc3f4a614

  • SHA512

    b79d5499982ee3d319ad653662c68b14725634cc985d6451de58017bb951a6ffa99e3e2f269e5f11aa441db0dd681ea65252b3d7752684129d14d42c19da552c

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes
  • communication_password

    e10adc3949ba59abbe56e057f20f883e

  • tor_process

    tor

Targets

    • Target

      BEIAKO93ND6_PAYMENT_COPY.exe

    • Size

      300.0MB

    • MD5

      d525694b79770baf6abd392e66717959

    • SHA1

      87def261c5585e0da14aa652ef3994690134285c

    • SHA256

      95a132fc2f847d2e269a626f9f9753fcf85ceefe27d96363bbb1fbcc94c79f05

    • SHA512

      616f77f999f6600b62136b9729447eb5b21b040c7ce08aa0e81e445c7602dfda135986fc5c03fa7a5d72f0d9d47ebf5f9437769d53beee48ab67b26ce5e6da8c

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

      suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks