General

  • Target

    PVKGH03HJWERN.zip

  • Size

    1.8MB

  • Sample

    220513-vhy9lahdg7

  • MD5

    0469938a8c71ef023515811df1cc1bf9

  • SHA1

    87eb298bd7381f8d88d14128f2f58ab76a9601ea

  • SHA256

    d960c97a693f3b7c934ff2666bfd0de1db6c901820b01a8fb988a3ee8b4b3965

  • SHA512

    cb816e982325b0f4aaf7c9fcc0a07cd02ec751929a47cd9d7e5926171a6d98c514e9b9fc11b550283e703390504ad43a111cb9984d31ab410a6166aeb05b8ebd

Score
10/10

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitr8637.duckdns.org:5021

Attributes
  • communication_password

    81dc9bdb52d04dc20036dbd8313ed055 (stored as an MD5 hex digest; this value is the MD5 of the string "1234")

  • tor_process

    tor
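The extracted config above gives two things a responder can act on immediately: a C2 host and port, and a communication password stored as an MD5 hex digest. The following Python is an added example, not part of the Triage report or BitRAT itself. It recovers the password from a small candidate list by hashing and comparing, and it turns the C2 value into a detection that correlates DNS answers for the duckdns host with outbound connections on port 5021 (the host is dynamic-DNS, so matching on the resolved IP alone would miss rotations). The log lines, their format and the IP addresses are constructed for the example; the regexes are assumptions about that constructed format, not about any real log source.

```python
import hashlib
import re

# Values taken from the extracted BitRAT config in this report.
C2 = "bitr8637.duckdns.org:5021"
COMM_PASSWORD_MD5 = "81dc9bdb52d04dc20036dbd8313ed055"

# Constructed sample log lines for the example (not from the report).
# 203.0.113.10 and 198.51.100.7 are documentation-range addresses.
SAMPLE_LOGS = [
    "2022-05-13T16:12:01Z dns query 10.0.0.5 bitr8637.duckdns.org",
    "2022-05-13T16:12:01Z dns answer bitr8637.duckdns.org A 203.0.113.10",
    "2022-05-13T16:12:02Z conn 10.0.0.5:49812 -> 203.0.113.10:5021 tcp",
    "2022-05-13T16:12:03Z dns answer updates.example.com A 198.51.100.7",
    "2022-05-13T16:12:04Z conn 10.0.0.5:49813 -> 198.51.100.7:443 tcp",
    "2022-05-13T16:12:05Z conn 10.0.0.6:50001 -> 203.0.113.10:5021 tcp",
]

# Regexes for the constructed log format above (assumption of this example).
DNS_QUERY = re.compile(r"dns query (\S+) (\S+)")
DNS_ANSWER = re.compile(r"dns answer (\S+) A (\d+\.\d+\.\d+\.\d+)")
CONN = re.compile(r"conn (\S+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+) tcp")


def parse_c2(c2):
    """Split 'host:port' into (host, port); rpartition keeps IPv6-style hosts intact."""
    host, _, port = c2.rpartition(":")
    return host.lower(), int(port)


def crack_md5(md5_hex, candidates):
    """Return the first candidate whose MD5 hex digest equals md5_hex, else None.

    BitRAT's config keeps the operator-set communication password only as an
    unsalted MD5, so a short wordlist is enough to recover weak choices.
    """
    md5_hex = md5_hex.lower()
    for cand in candidates:
        if hashlib.md5(cand.encode("utf-8")).hexdigest() == md5_hex:
            return cand
    return None


def find_c2_activity(lines, c2):
    """Flag DNS queries for the C2 host and TCP connections to any IP it resolved to.

    Returns a list of (kind, client, target) tuples. DNS answers are consumed to
    learn the current IP(s) behind the dynamic-DNS name before connections are
    matched, so the C2 port alone never triggers a hit.
    """
    host, port = parse_c2(c2)
    resolved = set()
    hits = []
    for line in lines:
        m = DNS_QUERY.search(line)
        if m and m.group(2).lower() == host:
            hits.append(("dns_query", m.group(1), host))
            continue
        m = DNS_ANSWER.search(line)
        if m and m.group(1).lower() == host:
            resolved.add(m.group(2))
            continue
        m = CONN.search(line)
        if m and m.group(2) in resolved and int(m.group(3)) == port:
            hits.append(("c2_connection", m.group(1), f"{m.group(2)}:{port}"))
    return hits


if __name__ == "__main__":
    print("password:", crack_md5(COMM_PASSWORD_MD5, ["password", "admin", "1234"]))
    for hit in find_c2_activity(SAMPLE_LOGS, C2):
        print(hit)
```

The correlation deliberately ignores the connection to 198.51.100.7:443 even though it comes from the same client: only addresses returned for the C2 name, on the C2 port, count. In production the resolved set should be time-bounded and fed from DNS telemetry rather than a static list.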

Targets

    • Target

      PVKGH03HJWERN.exe

    • Size

      300.0MB (the 1.8MB archive above unpacks to a 300MB executable; a ratio this extreme indicates the binary is mostly highly compressible padding, a common way to push a sample past the file-size limits of AV engines and sandboxes)

    • MD5

      244cc80b5232c9525f0a0e907ffec5f1

    • SHA1

      4502126f0aaba2132d6bf3f4783413d822a0ef35

    • SHA256

      8039afdf227e58a893ad6598eefd323a2a57e4d4dac4095324735cf78d46d6ba

    • SHA512

      2a8cb4e2c611e97656c127bbd47771462272d6fa16a5dfa985a000427a0fcfba015d709e8ea9a2f5e8c47831ca6eef30db9928a636d99d0128935ba8a44b4984

    Score
    10/10
    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Uses the VBS compiler for execution

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Anti-debugging: a thread marked with ThreadHideFromDebugger stops delivering debug events to an attached debugger.

    • Suspicious use of SetThreadContext

      Commonly used to redirect a suspended thread into injected code, as in process hollowing.
