General

  • Target

    7640526130.zip

  • Size

    1.5MB

  • Sample

    220622-vcb7wahgen

  • MD5

    c9c11698b35669ead7987f8910b160bd

  • SHA1

    a91e1e595c332cd47dbbf3ca42764548eb41507b

  • SHA256

    0adef8e5a5bb7909da48b99a157639fc7aac849e39eabd0154886c2f27abc3d8

  • SHA512

    184d17beed6a4cc28c9c6afd7d999cc2ae1d443e775588a34aa7252512a109879606a2a25e1f76d1237de6c0ce68381ba6d41d7c80f0013388cbd29890746e1a

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitrat9300.duckdns.org:9300

  DuckDNS is a free dynamic-DNS service, so the address this name resolved to during the run can change at any time; block and hunt on the hostname and port rather than on the resolved IP.

Attributes
  • communication_password

    e10adc3949ba59abbe56e057f20f883e

  • tor_process

    tor

Targets

    • Target

      EMAILXKHF_PAYMENT_RECEIPT.exe

    • Size

      300.0MB

      The 1.5MB archive above expands to a 300MB executable. A compression ratio that high is characteristic of binary padding (long runs of filler bytes appended to push the file past scanner and sandbox upload limits); hash the file as-is, but expect the meaningful code to be a small fraction of it.

    • MD5

      c17ef9df7263f7374800f63e74fef81a

    • SHA1

      471d08242c628ae5fb1b7863647af485db08fca2

    • SHA256

      2b38215d265d8ddd65de076c280146b10e24d7320217f90a63d46fc00d648b6c

    • SHA512

      12cb48e84c44ac1ee9599ea72c073090c40d7a7ea4276c5b1568b86ec6e4a6fe4dfa4c7ae8a0b407c45e09b49b5d32f0a90923b2e1fda92c1208fa1172d222d1

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

      The Emerging Threats rule fired on the sandbox's network capture: a TLS certificate the ET ruleset associates with BitRAT command-and-control was observed, corroborating the C2 host extracted from the config. The rule keys on certificate fields rather than on the hostname.

    • Executes dropped EXE

      A process wrote an executable to disk during the run and then launched it.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Anti-debugging: calling NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) stops the thread from reporting debug events, so an attached debugger silently loses control of it.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites another thread's register state. Used against a suspended process it is the final step of process hollowing, pointing the thread's instruction pointer at injected code before it is resumed.
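The extracted configuration and the sample hashes above are most useful once they are turned into something to hunt with. The following Python is an added example, not part of the sandbox report and not BitRAT tooling: it copies the C2 host and port, the communication_password digest and the file hashes from this page, recovers the password's plaintext from a short candidate list (the extracted value is an unsalted MD5 of what the operator typed), and scans DNS, connection and file-event log lines for the indicators. The log lines, the 203.0.113.x addresses (documentation range, not the C2's real resolution) and the candidate-password list are constructed for the demo.

```python
"""Hunting artefacts from the BitRAT config extracted above.

Added example; not part of the sandbox report. Indicators are copied from
the report; everything marked 'constructed' is made up for the demo.
"""
import hashlib
import re

# --- indicators copied from the report -------------------------------------
C2_HOST = "bitrat9300.duckdns.org"
C2_PORT = 9300
COMM_PASSWORD_MD5 = "e10adc3949ba59abbe56e057f20f883e"
SAMPLE_HASHES = {
    "md5": {
        "c9c11698b35669ead7987f8910b160bd",  # 7640526130.zip
        "c17ef9df7263f7374800f63e74fef81a",  # EMAILXKHF_PAYMENT_RECEIPT.exe
    },
    "sha256": {
        "0adef8e5a5bb7909da48b99a157639fc7aac849e39eabd0154886c2f27abc3d8",
        "2b38215d265d8ddd65de076c280146b10e24d7320217f90a63d46fc00d648b6c",
    },
}

# --- constructed: a tiny candidate list standing in for a real wordlist ----
CANDIDATE_PASSWORDS = ["password", "admin", "bitrat", "123456", "qwerty"]

# --- constructed: DNS, connection and file-event log lines. 203.0.113.x is
# the documentation range, not the address the C2 name really resolved to.
LOG_LINES = """\
2022-06-22T10:12:01Z dns query=bitrat9300.duckdns.org type=A client=10.0.0.14
2022-06-22T10:12:02Z conn src=10.0.0.14:51234 dst=203.0.113.7:9300 proto=tcp bytes=4120
2022-06-22T10:12:09Z dns query=updates.example.com type=A client=10.0.0.14
2022-06-22T10:13:44Z conn src=10.0.0.14:51240 dst=203.0.113.9:443 proto=tcp bytes=8922
2022-06-22T10:14:00Z file sha256=2b38215d265d8ddd65de076c280146b10e24d7320217f90a63d46fc00d648b6c host=WS14
""".splitlines()


def recover_comm_password(md5_hex, candidates):
    """Return the plaintext whose unsalted MD5 equals md5_hex, or None.

    The communication_password in the config is a bare MD5 digest, so a
    short wordlist is often enough to recover what the operator typed.
    """
    target = md5_hex.lower()
    for cand in candidates:
        if hashlib.md5(cand.encode()).hexdigest() == target:
            return cand
    return None


_DST_RE = re.compile(r"dst=(\S+):(\d+)")
_HASH_RE = re.compile(r"\b(sha256|md5)=([0-9a-f]{32,64})\b", re.IGNORECASE)


def scan_logs(lines):
    """Return (line_no, indicator, value) for every line touching an IOC.

    The C2 is a DuckDNS name, so the match is on the hostname and the
    port rather than on whatever IP it resolved to during the sandbox run.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        if C2_HOST in line.lower():
            hits.append((n, "c2_domain", C2_HOST))
        m = _DST_RE.search(line)
        if m and int(m.group(2)) == C2_PORT:
            hits.append((n, "c2_port", m.group(0)))
        for m in _HASH_RE.finditer(line):
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if digest in SAMPLE_HASHES.get(algo, ()):
                hits.append((n, "sample_" + algo, digest))
    return hits


if __name__ == "__main__":
    print("communication_password:",
          recover_comm_password(COMM_PASSWORD_MD5, CANDIDATE_PASSWORDS))
    for hit in scan_logs(LOG_LINES):
        print("line %d: %s %s" % hit)
```

The password check is deliberately a plain dictionary loop: the digest is unsalted, so a real run would feed it a proper wordlist or hashcat mode 0 rather than the five constructed candidates. The port match is narrowed to the destination side of a connection record because port 9300 on its own is far too noisy to alert on.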

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scheduled Task (T1053), 1 signature
  • Persistence: Scheduled Task (T1053), 1 signature
  • Privilege Escalation: Scheduled Task (T1053), 1 signature

All three rows come from the same scheduled-task behaviour; ATT&CK v6 lists T1053 under each of these tactics, so this is one observation mapped three times, not three separate findings.

Tasks