General

  • Target

    a667753900a6ec0b6339d02463d20b5c.exe

  • Size

    3.0MB

  • Sample

    220708-ntewrscbdn

  • MD5

    a667753900a6ec0b6339d02463d20b5c

  • SHA1

    fec54d99bb6b69581f1683a500bf7eccfa99541b

  • SHA256

    39d1c62236097f35dbcb91310c722882def7fe38bf1d7803b15b879580e44d22

  • SHA512

    c6e910d18309dbfad5cec1b0ef30bf887637dd62eac219632fc984aade0cd1deab6d366331441a57abfbf46ef617bd60bfa6dc630fb67fe78e5dfe00d0092e12

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

regidis.mooo.com:1234

Attributes
  • communication_password

    202cb962ac59075b964b07152d234b70

  • tor_process

    tor
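
The communication_password above is a 32-character hex string, which is how BitRAT's extracted config exposes the operator's password: as an MD5 digest, not the plaintext. Hashing a few weak candidates recovers it, and the C2 host:port splits into a hunt indicator. The following is an added triage helper, not tria.ge code or BitRAT code; the candidate password list and the set of dynamic-DNS suffixes are constructed for illustration and are not taken from this report.

```python
"""Triage the extracted BitRAT config: normalise the C2, recover the MD5'd password."""
import hashlib
import re

# Values copied from the "Malware Config / Extracted" section of this report.
EXTRACTED_CONFIG = {
    "family": "bitrat",
    "version": "1.38",
    "c2": "regidis.mooo.com:1234",
    "communication_password": "202cb962ac59075b964b07152d234b70",
    "tor_process": "tor",
}

# Constructed candidate list (assumption for illustration, not from the report):
# weak passwords an operator might leave in a RAT builder.
CANDIDATES = ["password", "admin", "1234", "123", "bitrat", "123456"]

# Constructed set of free dynamic-DNS suffixes commonly abused for C2 (assumption).
DYNDNS_SUFFIXES = ("mooo.com", "duckdns.org", "no-ip.org", "ddns.net")

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_c2(c2: str):
    """Split 'host:port' into (host, port); the port must be a valid TCP port."""
    host, _, port = c2.rpartition(":")
    if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"malformed C2 value: {c2!r}")
    return host, int(port)


def recover_password(digest: str, candidates):
    """Return the candidate whose MD5 equals the stored digest, or None if no hit."""
    if not MD5_RE.match(digest):
        raise ValueError("communication_password is not an MD5 hex digest")
    for cand in candidates:
        if hashlib.md5(cand.encode()).hexdigest() == digest:
            return cand
    return None


def is_dyndns(host: str) -> bool:
    """True when the host sits under one of the dynamic-DNS suffixes above."""
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def build_iocs(config, candidates=CANDIDATES):
    """Turn the raw config into the fields an analyst would pivot on."""
    host, port = parse_c2(config["c2"])
    return {
        "c2_host": host,
        "c2_port": port,
        "c2_is_dyndns": is_dyndns(host),
        "password_plaintext": recover_password(config["communication_password"], candidates),
        "tor_process": config["tor_process"],
    }


if __name__ == "__main__":
    for key, value in build_iocs(EXTRACTED_CONFIG).items():
        print(f"{key:20s} {value}")
```

The digest in this sample is MD5 of "123", so the candidate list hits immediately; on a real hunt you would feed a proper wordlist. The dynamic-DNS flag is what the "Legitimate hosting services abused for malware hosting/C2" signature below is pointing at: block the hostname, but expect the operator to re-point it.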

Targets

    • Target

      a667753900a6ec0b6339d02463d20b5c.exe

    • Size

      3.0MB

    • MD5

      a667753900a6ec0b6339d02463d20b5c

    • SHA1

      fec54d99bb6b69581f1683a500bf7eccfa99541b

    • SHA256

      39d1c62236097f35dbcb91310c722882def7fe38bf1d7803b15b879580e44d22

    • SHA512

      c6e910d18309dbfad5cec1b0ef30bf887637dd62eac219632fc984aade0cd1deab6d366331441a57abfbf46ef617bd60bfa6dc630fb67fe78e5dfe00d0092e12

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Detect PureCrypter loader

    • Modifies WinLogon for persistence

    • PureCrypter

      PureCrypter is a loader which is intended for downloading and executing additional payloads.

    • XenArmor Suite

      XenArmor is a suite of password recovery tools for various applications.

    • suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

    • ACProtect 1.3x - 1.4x DLL software

      Detects files protected with ACProtect.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
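
The "Modifies WinLogon for persistence" signature above corresponds to the Winlogon Helper DLL technique (T1004): anything appended to the Shell or Userinit values under the Winlogon key runs at every interactive logon. The check below is an added example of how to verify a host for this, written here and not tria.ge's own detection logic. It parses a `reg export` style dump of the Winlogon key and flags values that deviate from the stock Windows defaults; the dump and the chained executable path in it are constructed for illustration and do not come from this report.

```python
"""Flag Winlogon Shell/Userinit values that differ from their Windows defaults."""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Stock defaults on a 64-bit Windows install; any extra entry in these values
# is executed by winlogon.exe at logon, which is the T1004 persistence primitive.
DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}

# Constructed sample (assumption): a Shell value with a second executable chained
# after explorer.exe. The path is hypothetical, not an artifact from this report.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\Public\\svchost.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"AutoRestartShell"=dword:00000001
"""

# Matches REG_SZ lines of the form "Name"="data"; dword/hex values are ignored.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text: str):
    """Return {key_path: {value_name: string_data}} for REG_SZ values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        match = VALUE_RE.match(line) if current else None
        if match:
            # .reg files escape backslashes and quotes; undo that before comparing.
            data = match["data"].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][match["name"]] = data
    return keys


def winlogon_findings(text: str):
    """List (value_name, observed, expected) for Winlogon values that are not default."""
    values = parse_reg_export(text).get(WINLOGON_KEY, {})
    findings = []
    for name, expected in DEFAULTS.items():
        observed = values.get(name)
        if observed is not None and observed.lower() != expected.lower():
            findings.append((name, observed, expected))
    return findings


if __name__ == "__main__":
    for name, observed, expected in winlogon_findings(SAMPLE_REG_EXPORT):
        print(f"[!] Winlogon\\{name} = {observed!r} (expected {expected!r})")
```

Exporting the key is one line of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`; run the script over that file on a suspect host. Comparison is case-insensitive because Windows does not care about case in these paths, and a missing value is not flagged since an absent Shell or Userinit falls back to the built-in default.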

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic               Technique                      Count  ID
Persistence          Winlogon Helper DLL            1      T1004
Defense Evasion      Modify Registry                1      T1112
Credential Access    Credentials in Files           4      T1081
Discovery            Query Registry                 1      T1012
Discovery            System Information Discovery   2      T1082
Collection           Data from Local System         4      T1005
Collection           Email Collection               1      T1114
Command and Control  Web Service                    1      T1102

Tasks