Overview

overview

10

Static

static

DOCUMENTO ...08.exe

windows7-x64

10

DOCUMENTO ...08.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DOCUMENTO DE SOPORTE PAG A PROVEE, INSCRITOS 24-08.exe

  • Size

    4.6MB

  • Sample

    220825-jfbjzaaee8

  • MD5

    62c1c4af9368544cd26895caba9fdc3a

  • SHA1

    32698f2851f078e380ac4cc4d162916ba07ee8fd

  • SHA256

    7882eeab3aa04b0e581e6bb2ff00ad16165d5cb2b0585953433428d20761361d

  • SHA512

    db26d813599c658503803a9e206b6fd99690773ef692ce954cfdfaf598a5cfb5c691ca6a2c66c2b9b7d8dbcd7d776c1810e2cdb51a94e574347ba31c5fc4aaff

  • SSDEEP

    98304:UJDl2T1JcZoWRH6pOaIjzPsRLqGSmd7lrYXznvMB3nU0XTL3xzpi0vOEM:UJDYTEEp06GGSmdOXznUBvfi0f

Score
10/10
bitratpersistencetrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

carlaangaritape1.con-ip.com:5020

Attributes
  • communication_password

    202cb962ac59075b964b07152d234b70

  • tor_process

    tor

Targets

    • Target

      DOCUMENTO DE SOPORTE PAG A PROVEE, INSCRITOS 24-08.exe

    • Size

      4.6MB

    • MD5

      62c1c4af9368544cd26895caba9fdc3a

    • SHA1

      32698f2851f078e380ac4cc4d162916ba07ee8fd

    • SHA256

      7882eeab3aa04b0e581e6bb2ff00ad16165d5cb2b0585953433428d20761361d

    • SHA512

      db26d813599c658503803a9e206b6fd99690773ef692ce954cfdfaf598a5cfb5c691ca6a2c66c2b9b7d8dbcd7d776c1810e2cdb51a94e574347ba31c5fc4aaff

    • SSDEEP

      98304:UJDl2T1JcZoWRH6pOaIjzPsRLqGSmd7lrYXznvMB3nU0XTL3xzpi0vOEM:UJDYTEEp06GGSmdOXznUBvfi0f

    Score
    10/10
    bitratpersistencetrojanupx

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

      trojanbitrat

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks