General

  • Target

    ap-file-nhbyg.exe--556260643.zip

  • Size

    1.8MB

  • Sample

    220615-q6tlsshefk

  • MD5

    c3bc138ef028933efc694259fa4955b2

  • SHA1

    e14742b2984a466ec54c2750c6935ec4942538fb

  • SHA256

    4c80f993d4be96d139c4579fbf5e2b967bbc942dd623308b04dbecbe05046036

  • SHA512

    c91fc8acdec451d245870568fcd2342514509381e836f2e2c1357f4bc9b6e70feacd7b10106b54add018cd5e41d3c2899fb3071a2d5d634cf442c71971d97852

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes
  • communication_password

    e10adc3949ba59abbe56e057f20f883e

  • tor_process

    tor

Targets

    • Target

      nhbyg.exe

    • Size

      300.0MB

    • MD5

      8ec6e02e9d4b3e4a627b288cbb1af47d

    • SHA1

      6ca7f4ab25efeb2856128f54e13ec3f7437f680d

    • SHA256

      b8488b04fbe5fb739a9f11f6e7ac23e6d1111437e361fb9d176b7e75f7a5ec01

    • SHA512

      97e41aa6b64f554166822a20c31e2989dd3c71d504ca4da673dfa285565a6ae36783a07b3013e7f5024838694658043f9522a876611ff94166175666f568e993

    • BitRAT

      BitRAT is a remote access tool written in C++ that reuses leaked source code from other malware families.

    • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                 Technique        Count  ID
Execution              Scheduled Task   1      T1053
Persistence            Scheduled Task   1      T1053
Privilege Escalation   Scheduled Task   1      T1053

Tasks