bitrat | be3d815c8d513afdf55476fe42678549fdc65ea00a77fc8c7ba7c18b374d9723 | Triage

Submit
Reports

Overview

overview

Static

static

image logger.exe

windows7-x64

image logger.exe

windows10-2004-x64

Sharing

General

Target

image logger.exe
Size

22.5MB
Sample

220825-l8p9yaccg6
MD5

5f0555a10263f383467a920d22febeed
SHA1

0e4b694afc583d51148fe1368516b4345eeb816a
SHA256

be3d815c8d513afdf55476fe42678549fdc65ea00a77fc8c7ba7c18b374d9723
SHA512

b1703db887aaaae3578de96d3de0a6510e071495c0266c88e464a9dd4248f60884b1a6eb92d3a7b6b81265fc1447096a04fd075b8fe2d1f5fcd463c7ddb588a3
SSDEEP

393216:9S6mhw3e/m3pfCTnxtX1JFT9NvKL0oBKcRabopyznWR/eBX:9SdhdKitXPFJhKL1RiopyzD

Score

10^/10

bitrat persistence pyinstaller spyware stealer trojan upx

Static task

static1

pyinstaller bitrat

2 signatures

Behavioral task

behavioral1

Sample

image logger.exe

Resource

win7-20220812-en

bitrat persistence pyinstaller trojan upx

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

image logger.exe

Resource

win10v2004-20220812-en

bitrat persistence pyinstaller spyware stealer trojan upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

Cluluvsu-34807.portmap.host:34807

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
install_dir
sdudir
install_file
sudir
tor_process
tor

Targets

- Target
  
  image logger.exe
- Size
  
  22.5MB
- MD5
  
  5f0555a10263f383467a920d22febeed
- SHA1
  
  0e4b694afc583d51148fe1368516b4345eeb816a
- SHA256
  
  be3d815c8d513afdf55476fe42678549fdc65ea00a77fc8c7ba7c18b374d9723
- SHA512
  
  b1703db887aaaae3578de96d3de0a6510e071495c0266c88e464a9dd4248f60884b1a6eb92d3a7b6b81265fc1447096a04fd075b8fe2d1f5fcd463c7ddb588a3
- SSDEEP
  
  393216:9S6mhw3e/m3pfCTnxtX1JFT9NvKL0oBKcRabopyznWR/eBX:9SdhdKitXPFJhKL1RiopyzD
Score

10^/10

bitrat persistence pyinstaller trojan upx spyware stealer
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

pyinstallerbitrat

behavioral1

bitratpersistencepyinstallertrojanupx

behavioral2

bitratpersistencepyinstallerspywarestealertrojanupx

© 2018-2024

Terms | Privacy