bitrat | 7e59886a1137a4e857507cc61b150d5637ff71b09af43deeb70d1c9644ce465e | Triage

Submit
Reports

Overview

overview

Static

static

8

ACH Remitt...ls.xls

windows7-x64

ACH Remitt...ls.xls

windows10-2004-x64

Sharing

General

Target

ACH Remittance Details.xls
Size

29KB
Sample

220823-kwxyksfba8
MD5

135a1b45054fd8c36e854fb696d7391a
SHA1

80e56aad8cf5281d4374ae3b3f99ae7bd3f46198
SHA256

7e59886a1137a4e857507cc61b150d5637ff71b09af43deeb70d1c9644ce465e
SHA512

445bec2c31074256f9da3afda2034f150cf8fe3fa6e1441a70a7d4a0068c56c046df8f1269fe4d5d6e7f500699be61521a1c011b4d2ad48a2eb64c9e8958a498
SSDEEP

768:cgk3hOdsylKlgxopeiBNhZFGzE+cL2kdAJRoPoi:nk3hOdsylKlgxopeiBNhZFGzE+cL2kdh

Score

10^/10

bitrat macro macro_on_action trojan upx

Static task

static1

macro macro_on_action

2 signatures

Behavioral task

behavioral1

Sample

ACH Remittance Details.xls

Resource

win7-20220812-en

bitrat trojan upx

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

ACH Remittance Details.xls

Resource

win10v2004-20220812-en

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitm.dvrlists.com:6061

Attributes

communication_password
cef08aa1523518b499f65898132b7512
tor_process
tor

Targets

- Target
  
  ACH Remittance Details.xls
- Size
  
  29KB
- MD5
  
  135a1b45054fd8c36e854fb696d7391a
- SHA1
  
  80e56aad8cf5281d4374ae3b3f99ae7bd3f46198
- SHA256
  
  7e59886a1137a4e857507cc61b150d5637ff71b09af43deeb70d1c9644ce465e
- SHA512
  
  445bec2c31074256f9da3afda2034f150cf8fe3fa6e1441a70a7d4a0068c56c046df8f1269fe4d5d6e7f500699be61521a1c011b4d2ad48a2eb64c9e8958a498
- SSDEEP
  
  768:cgk3hOdsylKlgxopeiBNhZFGzE+cL2kdAJRoPoi:nk3hOdsylKlgxopeiBNhZFGzE+cL2kdh
Score

10^/10

bitrat trojan upx
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

macromacro_on_action

behavioral1

bitrattrojanupx

behavioral2

© 2018-2024

Terms | Privacy