bitrat

General

Target

tmp
Size

95KB
Sample

220612-pgmxaabcar
MD5

f69b759484f6dddde5ee53713c16bd8f
SHA1

6f13170df9c452f69b2eab421ade5aed99284849
SHA256

3a6872c4340a880b287df860e876fab5363c7896cfe01bf32e9aa6a0a4451d75
SHA512

3cd56456abefc07906f38f27c647559e450925de42942bfbd550c5193c3cd0647100e84932e410c01bacc57a77b72a6134c679d430d9c5446af9ca5f214f9409

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

moduleconnector.at:1338

Extracted

Family

netwire

C2

moduleconnector.at:444

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\JavaUpdater\Java.exe
lock_executable
false
mutex
OkOSGIVK
offline_keylogger
false
password
Nigger25!
registry_autorun
false
use_mutex
false

Extracted

Family

bitrat

Version

1.38

C2

moduleconnector.at:80

Attributes

communication_password
a719e6eb1cd0fc059eb960515ec9d970
install_dir
JavaTools
install_file
Java.exe
tor_process
tor

Targets

- Target
  
  tmp
- Size
  
  95KB
- MD5
  
  f69b759484f6dddde5ee53713c16bd8f
- SHA1
  
  6f13170df9c452f69b2eab421ade5aed99284849
- SHA256
  
  3a6872c4340a880b287df860e876fab5363c7896cfe01bf32e9aa6a0a4451d75
- SHA512
  
  3cd56456abefc07906f38f27c647559e450925de42942bfbd550c5193c3cd0647100e84932e410c01bacc57a77b72a6134c679d430d9c5446af9ca5f214f9409
Score

10^/10

bitrat netwire redline xmrig cheat botnet discovery infostealer miner persistence rat spyware stealer suricata trojan upx xenarmor collection password recovery
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- XenArmor Suite
  XenArmor is as suite of password recovery tools for various application.
  recovery password xenarmor
- suricata: ET MALWARE Possible Kelihos.F EXE Download Common Structure
  suricata: ET MALWARE Possible Kelihos.F EXE Download Common Structure
  suricata
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- XMRig Miner Payload
  miner
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2