bitrat | 7e59886a1137a4e857507cc61b150d5637ff71b09af43deeb70d1c9644ce465e | Triage

Submit
Reports

Overview

overview

Static

static

8

ACH_Remitt...ls.xls

windows7-x64

ACH_Remitt...ls.xls

windows10-2004-x64

Sharing

General

Target

ACH_Remittance_Details.xls
Size

29KB
Sample

220823-l6wnyadagp
MD5

135a1b45054fd8c36e854fb696d7391a
SHA1

80e56aad8cf5281d4374ae3b3f99ae7bd3f46198
SHA256

7e59886a1137a4e857507cc61b150d5637ff71b09af43deeb70d1c9644ce465e
SHA512

445bec2c31074256f9da3afda2034f150cf8fe3fa6e1441a70a7d4a0068c56c046df8f1269fe4d5d6e7f500699be61521a1c011b4d2ad48a2eb64c9e8958a498
SSDEEP

768:cgk3hOdsylKlgxopeiBNhZFGzE+cL2kdAJRoPoi:nk3hOdsylKlgxopeiBNhZFGzE+cL2kdh

Score

10^/10

bitrat macro macro_on_action trojan upx

Static task

static1

macro macro_on_action

2 signatures

Behavioral task

behavioral1

Sample

ACH_Remittance_Details.xls

Resource

win7-20220812-en

bitrat trojan upx

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

ACH_Remittance_Details.xls

Resource

win10v2004-20220812-en

bitrat trojan upx

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitm.dvrlists.com:6061

Attributes

communication_password
cef08aa1523518b499f65898132b7512
tor_process
tor

Targets

- Target
  
  ACH_Remittance_Details.xls
- Size
  
  29KB
- MD5
  
  135a1b45054fd8c36e854fb696d7391a
- SHA1
  
  80e56aad8cf5281d4374ae3b3f99ae7bd3f46198
- SHA256
  
  7e59886a1137a4e857507cc61b150d5637ff71b09af43deeb70d1c9644ce465e
- SHA512
  
  445bec2c31074256f9da3afda2034f150cf8fe3fa6e1441a70a7d4a0068c56c046df8f1269fe4d5d6e7f500699be61521a1c011b4d2ad48a2eb64c9e8958a498
- SSDEEP
  
  768:cgk3hOdsylKlgxopeiBNhZFGzE+cL2kdAJRoPoi:nk3hOdsylKlgxopeiBNhZFGzE+cL2kdh
Score

10^/10

bitrat trojan upx
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

macromacro_on_action

behavioral1

bitrattrojanupx

behavioral2

bitrattrojanupx

© 2018-2024

Terms | Privacy