General

  • Target

    039cf4716062ee3afde9a567a84987af

  • Size

    84KB

  • Sample

    220722-ys8skahdh3

  • MD5

    039cf4716062ee3afde9a567a84987af

  • SHA1

    f26b7ea6ef6a645988a13677c04d38d10a6f9420

  • SHA256

    023ffeb6a2cf7318bc93f4c944989dfaf0d583c1ed3140795fd0342410593d14

  • SHA512

    4acedfc5fe7fab5c440bc909f28c463e8b3948ce36eacf09bd9e00b3a1a28fd4a49be55052bdd80ac46b8d0d256863b97f5e4e9db8b84328de82a064bd4f182a

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

crueysaderf.con-ip.com:1880

Attributes
  • communication_password

    202cb962ac59075b964b07152d234b70

  • tor_process

    tor

Targets

    • Target

      039cf4716062ee3afde9a567a84987af

    • Size

      84KB

    • MD5

      039cf4716062ee3afde9a567a84987af

    • SHA1

      f26b7ea6ef6a645988a13677c04d38d10a6f9420

    • SHA256

      023ffeb6a2cf7318bc93f4c944989dfaf0d583c1ed3140795fd0342410593d14

    • SHA512

      4acedfc5fe7fab5c440bc909f28c463e8b3948ce36eacf09bd9e00b3a1a28fd4a49be55052bdd80ac46b8d0d256863b97f5e4e9db8b84328de82a064bd4f182a

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks