General

  • Target

    1cd30f9b6de43c81f5b891833cd22d0d.exe

  • Size

    3.3MB

  • Sample

    220513-rszrbsgea8

  • MD5

    1cd30f9b6de43c81f5b891833cd22d0d

  • SHA1

    e6cadd792590770e30781ca35ea4e5232114ca5f

  • SHA256

    afee0b3d9b0d5b49066b1c30caa599cfda93d070170ef5e30d33e534cb185eb2

  • SHA512

    7aa03c588c44a76826260fb2ddd703d922bed05c8ff45bae644c4f56574b83f7b3326389b15db8eff1a1c8f074d6f9303ecd7cb2951dcff4ee7371f07fd3b7fb

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

37.0.11.155:4670

Attributes
  • communication_password

    31af2433c836721a29f5d8e94b790444

  • tor_process

    tor
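The extracted config above gives a concrete set of indicators: one C2 endpoint (host and port) and the sample's file hashes. The script below, an added example and not part of the sandbox report or of BitRAT itself, turns them into the checks an analyst would actually run: it sanity-checks the digests before they go into a blocklist, matches the C2 endpoint against Zeek conn.log-style rows, matches the hashes against EDR file events, and emits a Suricata rule for the endpoint. The log rows and EDR events are constructed for the example; the rule sid is an arbitrary local-range value.

```python
"""Turn the indicators from this report into checks over host and network
telemetry. Added example; not code from the sandbox or from BitRAT."""
import json
import re

# Indicators copied from the report (General + Malware Config sections).
C2_HOST = "37.0.11.155"
C2_PORT = 4670
HASHES = {
    "md5": "1cd30f9b6de43c81f5b891833cd22d0d",
    "sha1": "e6cadd792590770e30781ca35ea4e5232114ca5f",
    "sha256": "afee0b3d9b0d5b49066b1c30caa599cfda93d070170ef5e30d33e534cb185eb2",
    "sha512": "7aa03c588c44a76826260fb2ddd703d922bed05c8ff45bae644c4f56574b83f7"
              "b3326389b15db8eff1a1c8f074d6f9303ecd7cb2951dcff4ee7371f07fd3b7fb",
}
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def malformed_hashes(hashes):
    """Return the algorithms whose digest is not lowercase hex of the right
    length. A mistyped hash in a blocklist matches nothing and fails silently,
    so check the IOCs before deploying them."""
    return sorted(
        algo for algo, digest in hashes.items()
        if len(digest) != DIGEST_LEN.get(algo, -1)
        or not re.fullmatch(r"[0-9a-f]+", digest)
    )


def match_conn_log(lines):
    """Scan Zeek conn.log-style TSV rows (ts, uid, id.orig_h, id.orig_p,
    id.resp_h, id.resp_p) for sessions to the extracted C2 endpoint.
    Returns (source_host, uid) pairs, one per matching session."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip Zeek header/comment rows
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 6:
            continue
        _ts, uid, orig_h, _orig_p, resp_h, resp_p = fields[:6]
        if resp_h == C2_HOST and resp_p == str(C2_PORT):
            hits.append((orig_h, uid))
    return hits


def match_file_events(events):
    """Scan EDR file events (JSON objects with 'host', 'path', 'hashes') for
    any digest in HASHES. Compares case-insensitively because EDR products
    disagree on hex case. Returns (host, path, algo) tuples."""
    wanted = {algo: d.lower() for algo, d in HASHES.items()}
    hits = []
    for raw in events:
        ev = json.loads(raw)
        for algo, digest in ev.get("hashes", {}).items():
            if wanted.get(algo.lower()) == digest.lower():
                hits.append((ev["host"], ev["path"], algo.lower()))
    return hits


def suricata_rule(sid=9000001):
    """Build a Suricata rule for outbound flows to the C2 host:port.
    The sid is an arbitrary local-range value chosen for this example."""
    return (
        f'alert tcp $HOME_NET any -> {C2_HOST} {C2_PORT} '
        f'(msg:"BitRAT 1.38 C2 connection (sandbox-extracted config)"; '
        f'flow:to_server; classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


# Constructed sample telemetry: one Zeek-style row to the C2, one benign row,
# and two EDR file events, one carrying the sample's SHA256 in upper case.
SAMPLE_CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p",
    "1652400000.1\tCabc123\t10.0.0.15\t51000\t37.0.11.155\t4670",
    "1652400001.7\tCdef456\t10.0.0.15\t51001\t93.184.216.34\t443",
]
SAMPLE_FILE_EVENTS = [
    json.dumps({"host": "WS-015", "path": "C:\\Users\\u\\Downloads\\invoice.exe",
                "hashes": {"SHA256": HASHES["sha256"].upper()}}),
    json.dumps({"host": "WS-016", "path": "C:\\Windows\\notepad.exe",
                "hashes": {"sha256": "0" * 64}}),
]

if __name__ == "__main__":
    print("malformed IOCs:", malformed_hashes(HASHES))
    print("C2 sessions:", match_conn_log(SAMPLE_CONN_LOG))
    print("file hits:", match_file_events(SAMPLE_FILE_EVENTS))
    print(suricata_rule())
```

Treat the network rule as one signal rather than the detection: the C2 is a bare IP:port that the operator can rotate, and the tor_process attribute in the extracted config names a Tor executable, so a build routed through Tor would never touch 37.0.11.155:4670 directly. The hash matches are exact-sample indicators only; a repacked build of the same config has different digests, which is why the config values (C2, communication_password) are the better pivot for finding related samples.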

Targets

    • Target

      1cd30f9b6de43c81f5b891833cd22d0d.exe

    • Size

      3.3MB

    • MD5

      1cd30f9b6de43c81f5b891833cd22d0d

    • SHA1

      e6cadd792590770e30781ca35ea4e5232114ca5f

    • SHA256

      afee0b3d9b0d5b49066b1c30caa599cfda93d070170ef5e30d33e534cb185eb2

    • SHA512

      7aa03c588c44a76826260fb2ddd703d922bed05c8ff45bae644c4f56574b83f7b3326389b15db8eff1a1c8f074d6f9303ecd7cb2951dcff4ee7371f07fd3b7fb

    • BitRAT

      BitRAT is a remote access tool written in C++ that reuses leaked source code from other malware families.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
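The signature list records that the sample adds a Run key for persistence but not which value name or path it wrote, so the detection has to be generic. The script below is an added example (not the sandbox's or BitRAT's code) of the check a practitioner would run over Sysmon Event ID 13 (RegistryEvent: value set) records: it flags any new value under the HKLM/HKCU Run and RunOnce keys, including the Wow6432Node view, and raises the severity when the launched binary lives in a user-writable directory. The event records are constructed for the example and use the field names Sysmon emits; the user-writable directory list is an assumption of this example.

```python
"""Detect the 'Adds Run key to start application' behaviour from Sysmon
registry telemetry. Added example; not part of the sandbox report."""
import json
import re

# Autorun locations covered: Run and RunOnce under HKLM or a user hive,
# in both the native and Wow6432Node registry views.
RUN_KEY_RE = re.compile(
    r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$",
    re.IGNORECASE,
)
# Directories an unprivileged process can write to (assumed list for this
# example); a Run value pointing here deserves a higher score than one
# pointing into Program Files.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE
)


def run_key_alerts(events):
    """Take Sysmon Event ID 13 records as JSON strings and return one alert
    dict per new autorun entry, with severity 'high' when the command points
    into a user-writable directory and 'medium' otherwise."""
    alerts = []
    for raw in events:
        ev = json.loads(raw)
        if ev.get("EventID") != 13:
            continue  # only value-set events carry the written command line
        target = ev.get("TargetObject", "")
        if not RUN_KEY_RE.search(target):
            continue
        details = ev.get("Details", "")
        alerts.append({
            "host": ev.get("Computer"),
            "image": ev.get("Image"),       # process that wrote the value
            "key": target,
            "command": details,             # what will run at logon
            "severity": "high" if USER_WRITABLE_RE.search(details) else "medium",
        })
    return alerts


# Constructed Sysmon events: a Run value written by a binary in Downloads
# that launches from AppData (high), an unrelated Explorer setting (ignored),
# a vendor agent registered under HKLM from Program Files (medium), and a
# process-create event that is not a registry event at all (ignored).
SAMPLE_EVENTS = [
    json.dumps({"EventID": 13, "Computer": "WS-015",
                "Image": "C:\\Users\\u\\Downloads\\invoice.exe",
                "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
                "Details": "C:\\Users\\u\\AppData\\Roaming\\svc\\update.exe"}),
    json.dumps({"EventID": 13, "Computer": "WS-015",
                "Image": "C:\\Windows\\explorer.exe",
                "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
                "Details": "DWORD (0x00000002)"}),
    json.dumps({"EventID": 13, "Computer": "WS-016",
                "Image": "C:\\Windows\\System32\\msiexec.exe",
                "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
                "Details": "\"C:\\Program Files\\Vendor\\agent.exe\" /tray"}),
    json.dumps({"EventID": 1, "Computer": "WS-016",
                "Image": "C:\\Windows\\System32\\cmd.exe"}),
]

if __name__ == "__main__":
    for alert in run_key_alerts(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], alert["key"], "->", alert["command"])
```

This only works if Sysmon is configured to log RegistryEvent for the Run and RunOnce paths; the default configuration does not. The other two signatures on the page (NtSetInformationThreadHideFromDebugger and SetThreadContext) are in-process API behaviour that Sysmon does not record, so they are sandbox or EDR-level observations rather than something to hunt for in this telemetry.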

MITRE ATT&CK Enterprise v6

Tasks