bitrat | 7d6591b19f43591a4a5aa9c12fac069982ff34c77329901c8994b86cf0f5e445 | Triage

Submit
Reports

Overview

overview

Static

static

REVISION F...CO.exe

windows7-x64

6

REVISION F...CO.exe

windows10-2004-x64

Sharing

General

Target

REVISION FISCAL POR DELITO DE FALSIFICACION DE DOCUMENTO PUBLICO.exe
Size

13KB
Sample

220802-kmbzradae6
MD5

1ad29d19d089f86a7a6bfb57c0a82546
SHA1

543a0b1857aaa1f1cdc629439d14fc29f66a7459
SHA256

7d6591b19f43591a4a5aa9c12fac069982ff34c77329901c8994b86cf0f5e445
SHA512

afcc8734ff1ee6351cb69a9f622afc31990c2714c695086d0eb51320fadcbc6a58a2ae2f3b823a8657aa69de8949fe1a8448b8232b3cb765992ed6ab0d3d467c

Score

10^/10

bitrat discovery persistence trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

REVISION FISCAL POR DELITO DE FALSIFICACION DE DOCUMENTO PUBLICO.exe

Resource

win7-20220715-en

windows7-x64

2 signatures

150 seconds

Behavioral task

behavioral2

Sample

REVISION FISCAL POR DELITO DE FALSIFICACION DE DOCUMENTO PUBLICO.exe

Resource

win10v2004-20220721-en

bitrat persistence trojan upx

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

nvwourhebv.con-ip.com:1880

Attributes

communication_password
202cb962ac59075b964b07152d234b70
tor_process
tor

Targets

- Target
  
  REVISION FISCAL POR DELITO DE FALSIFICACION DE DOCUMENTO PUBLICO.exe
- Size
  
  13KB
- MD5
  
  1ad29d19d089f86a7a6bfb57c0a82546
- SHA1
  
  543a0b1857aaa1f1cdc629439d14fc29f66a7459
- SHA256
  
  7d6591b19f43591a4a5aa9c12fac069982ff34c77329901c8994b86cf0f5e445
- SHA512
  
  afcc8734ff1ee6351cb69a9f622afc31990c2714c695086d0eb51320fadcbc6a58a2ae2f3b823a8657aa69de8949fe1a8448b8232b3cb765992ed6ab0d3d467c
Score

10^/10

discovery bitrat persistence trojan upx
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Network Service Scanning

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

bitratpersistencetrojanupx

© 2018-2024

Terms | Privacy