General

  • Target

    Cjryjsra.exe

  • Size

    3.2MB

  • Sample

    220512-ts9bwaefgp

  • MD5

    04b92d276e5e29aaef5069087a1d25d3

  • SHA1

    b3c133b9a56767f934b0bac585c7e6f7dcb92d9a

  • SHA256

    fc31934152ea6e5d60c4ee949140d28b2cfe30764451f0c6d62ee2945490656d

  • SHA512

    c70b4f7ef2ae8c9533d6b464f367d15e38e03df080f06b024134ee7f3f566d6dc209aec205f796bac7acd0bcee629eb676c80695b35cbff4c229faf4295afb83

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

212.193.30.54:3680

Attributes

  • communication_password

    46821e93230f353d5c46240b0462a0fe

  • tor_process

    tor

Targets

    • BitRAT

      BitRAT is a remote access tool written in C++ that reuses leaked source code from other malware families.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
