General

  • Target

    NAMSJSH-PAYMENT-RECEIPT.iso

  • Size

    2.0MB

  • Sample

    220705-rbrdmabgg4

  • MD5

    0d4922c57612aa73482dd7c131e41fc1

  • SHA1

    5960f893f6a323d3eba98200f3e8d92c9ff5ada9

  • SHA256

    4bd1b456c4e49bd88ecc7126ce067eb57a5a2f3dcb58550993fda928cb62f52e

  • SHA512

    ed39dbc6595e1471755ae841674766bee19a9a70e4a2b879009e814f8fcf4616301995b6dcc35950623b0b4512865e15114552d3b3ee9fd4829d0b69b67e5be0

Malware Config

Extracted

  • Family

    bitrat

  • Version

    1.38

  • C2

    bitrat9300.duckdns.org:9300

  • Attributes

    communication_password: e10adc3949ba59abbe56e057f20f883e

    tor_process: tor

Targets

    • Target

      Xonvhsbnf.exe

    • Size

      1.9MB

    • MD5

      c5f48c7e92189a5ea21b1cf896401a29

    • SHA1

      4fb9daab173c56ded13e22efe8ff88552a31246e

    • SHA256

      c56e2e059f83369babdb89df9c54ffea0ce7f0a848575a47c938f97b3d0ff3e8

    • SHA512

      611789ab88904409051577ac64b906d644c706fc4ffe82ee0ba431d2a427118a9565ccba4cc632539d22390aef230c19707f96e86ca95b452059529393f3fd53

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Modifies WinLogon for persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Winlogon Helper DLL (T1004), 1 hit

  • Defense Evasion

    Modify Registry (T1112), 1 hit
