General

  • Target

    Radicación Ref. AMH-9484-2022 , PRIMERA INSTANCIA.exe

  • Size

    62KB

  • Sample

    220628-t5s6escef7

  • MD5

    c3ec390f9540222363623f223fb34ee7

  • SHA1

    b0d0ad1a8a2bd3647779dad824871946210292cc

  • SHA256

    242be69b82dd980914a4dd090ba44f60de9af23a5ffa8fdd9b4d8ea243212c41

  • SHA512

    780dbe0d64f4e45cef2fb4248370a3fbd7130376f2f6765e669bfdc50ef9a5cc602d4dc460d2c83b51a4c07826a880ee03545572660c47b44d9ba8a8a28333fc

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

markemoney.con-ip.com:3005

Attributes
  • communication_password

    202cb962ac59075b964b07152d234b70

  • tor_process

    tor

Targets

    • Target

      Radicación Ref. AMH-9484-2022 , PRIMERA INSTANCIA.exe

    • Size

      62KB

    • MD5

      c3ec390f9540222363623f223fb34ee7

    • SHA1

      b0d0ad1a8a2bd3647779dad824871946210292cc

    • SHA256

      242be69b82dd980914a4dd090ba44f60de9af23a5ffa8fdd9b4d8ea243212c41

    • SHA512

      780dbe0d64f4e45cef2fb4248370a3fbd7130376f2f6765e669bfdc50ef9a5cc602d4dc460d2c83b51a4c07826a880ee03545572660c47b44d9ba8a8a28333fc

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

      suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks