bitrat | 9afa8ea8064c15e349caad45d31c18c41349080c4ed1d35fdd3472659736a19b | Triage

Sharing

General

Target

August PO#17526NR2600.exe
Size

463KB
Sample

220727-rmtywsefek
MD5

a59cd30ab95f36253b463cd3ee7b9bbc
SHA1

3db7af3754a358220e1f9d83a97f3846f57e6ace
SHA256

9afa8ea8064c15e349caad45d31c18c41349080c4ed1d35fdd3472659736a19b
SHA512

fa649e81dd7dca0e1937b0c22ffe1a881c3b95160fbe3e272bc89ebabf75632c9d6e2597b9b71db3b7f2fff4a71ea080992aa25c4d80164ed7771a464609a0f7

Score

10^/10

bitrat persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

103.153.79.240:1234

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Targets

- Target
  
  August PO#17526NR2600.exe
- Size
  
  463KB
- MD5
  
  a59cd30ab95f36253b463cd3ee7b9bbc
- SHA1
  
  3db7af3754a358220e1f9d83a97f3846f57e6ace
- SHA256
  
  9afa8ea8064c15e349caad45d31c18c41349080c4ed1d35fdd3472659736a19b
- SHA512
  
  fa649e81dd7dca0e1937b0c22ffe1a881c3b95160fbe3e272bc89ebabf75632c9d6e2597b9b71db3b7f2fff4a71ea080992aa25c4d80164ed7771a464609a0f7
Score

10^/10

bitrat persistence trojan
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bitratpersistencetrojan

behavioral2

bitratpersistencetrojan