General

  • Target

    7583326122.zip

  • Size

    1.5MB

  • Sample

    220615-vc6rgsahf9

  • MD5

    ec6ae7630e34f36f4ba9e82f4c9f23f4

  • SHA1

    b1898e885461adc9ad7b60bf47f7423589cd67ab

  • SHA256

    8c76fb918a3b6c197a9638bcbc03b1dc85606c256e04d919b5d9739b556e2ef0

  • SHA512

    64429e441d8cba57aa09f86228f50f8e319cf6aa15a41e9f32c9bbdbe1d9c7cc5ce543c34e78162d790e2b0f9274c49052feca37ac32120a2abaed6d14b4a929

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

Attributes

  • communication_password

    e10adc3949ba59abbe56e057f20f883e

  • tor_process

    tor

Targets

    • Target

      JO37GDDJF5_ETRANSFER_RECEIPT.exe

    • Size

      300.0MB

    • MD5

      9f791a0a9f76db609b44f0e3bf7bdef5

    • SHA1

      0481f2e178c7a34b3d855e5c53553337fe2008ed

    • SHA256

      ccd71d751bf017dee31f76eceded9aa6832f5e19b5389584d3665f76b4f0caf2

    • SHA512

      06889bebdf092e4f1563e697e9c619a147954ffcb1f9dd9e9a9238d1410442373f95558c02e6bae6f5d832f89a46eab8b08114699f7321ce2e1150a69f1ad1ee

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task: T1053 (1)

  • Persistence

    Scheduled Task: T1053 (1)

  • Privilege Escalation

    Scheduled Task: T1053 (1)

Tasks