General

  • Target

    fafcd6de9a617a28dae5d1895537222d

  • Size

    18KB

  • Sample

    220617-ra5vmaegc3

  • MD5

    fafcd6de9a617a28dae5d1895537222d

  • SHA1

    eb937e4015100a183df3834c58a9ea15811ed177

  • SHA256

    765462aaffe0ff14c96e7d013f3f0706f6ad3d992bd27aea32e66787adea424b

  • SHA512

    21177989e0d3455eab9d5d16d8b3f897291cc87dd004dbb9bcb6dd2843cb0a2bc2e00e583a589500d7eebac913b9977d728b08ce67692f03bc028929f4e6ce50

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

sangredecristo.con-ip.com:3005

Attributes
  • communication_password

    202cb962ac59075b964b07152d234b70

  • tor_process

    tor

Targets

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060), count 1

  • Defense Evasion: Modify Registry (T1112), count 1

  • Discovery: Query Registry (T1012), count 1

  • Discovery: System Information Discovery (T1082), count 2