General

  • Target

    ACH Remittance Details.xls

  • Size

    29KB

  • Sample

    220823-kwxyksfba8

  • MD5

    135a1b45054fd8c36e854fb696d7391a

  • SHA1

    80e56aad8cf5281d4374ae3b3f99ae7bd3f46198

  • SHA256

    7e59886a1137a4e857507cc61b150d5637ff71b09af43deeb70d1c9644ce465e

  • SHA512

    445bec2c31074256f9da3afda2034f150cf8fe3fa6e1441a70a7d4a0068c56c046df8f1269fe4d5d6e7f500699be61521a1c011b4d2ad48a2eb64c9e8958a498

  • SSDEEP

    768:cgk3hOdsylKlgxopeiBNhZFGzE+cL2kdAJRoPoi:nk3hOdsylKlgxopeiBNhZFGzE+cL2kdh

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitm.dvrlists.com:6061

Attributes
  • communication_password

    cef08aa1523518b499f65898132b7512

  • tor_process

    tor

Targets

    • Target

      ACH Remittance Details.xls

    Score
    10/10
    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
