General

  • Target

    Invoice#918.img

  • Size

    1.9MB

  • Sample

    220518-sen84sdgfn

  • MD5

    69ac6ec0a69d43204bc88a32ff892653

  • SHA1

    3117687505b9274bdfd202e08576d0c917bfc0ee

  • SHA256

    a2c51883eb21b0db00f8a6d6c54846afac998b0dd72d95496c719eb22bc412f6

  • SHA512

    842d7b45a2f73bacc05e2a614fa5782e7052369b74e143e1574fe4489307b5ce48b5a4b3388bad6350086d3082071e391531a41ed215af5aed0b88a3460e047a

Malware Config

Extracted

  • Family

    bitrat

  • Version

    1.38

  • C2

    oka.nerdpol.ovh:2223

  • Attributes

    • communication_password

      b6c6e855edf908ec7c12ce8c8e628a5c

    • tor_process

      tor

Targets

    • Target

      GKXQLZQA.EXE

    • Size

      1.4MB

    • MD5

      c791f4d69f14fd5e75c83610fb9ae025

    • SHA1

      0e24d2e718c620f73eaf16deea3363ece658cace

    • SHA256

      80d6d5e05616fd64ef95fe7f76ceca050335280f160275522839961f30fa96e4

    • SHA512

      5923d50a58b70e78b874921ea0f0a4438b8514f34b28a9f19949a84f520d5b9a0642290bf6217e23b43230ccedf04a9a3203467653fd6603e0590d698574465f

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks