bitrat | 12d9848e317dcbf7dfb95649d7198fd93475f8b4cd093a252f28caeed8093001 | Triage

Submit
Reports

Overview

overview

Static

static

iCloud_577...72.exe

windows7-x64

iCloud_577...72.exe

windows10-2004-x64

Sharing

General

Target

iCloud_5778420644664315372.exe
Size

6.0MB
Sample

220909-vazkdsgfd5
MD5

37580d09f99717268666e091c21d344a
SHA1

0b7df2ebdf61753c183c818db71b4b1f6fd57841
SHA256

12d9848e317dcbf7dfb95649d7198fd93475f8b4cd093a252f28caeed8093001
SHA512

f2a1295003d64be1c768afbc6bd0f93ba53a39a883759952246371d9552777432193c35a702697061febb192cb365843480cc52c3dc44d90312a4e8be7e66749
SSDEEP

98304:JyQZRhelFuTw99bP/nCURx/PKnBWrmVjefsn+1:sQ7w99GURx/PKwQe

Score

10^/10

bitrat agilenet persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

iCloud_5778420644664315372.exe

Resource

win7-20220812-en

bitrat agilenet persistence trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

iCloud_5778420644664315372.exe

Resource

win10v2004-20220901-en

bitrat persistence trojan

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

bitrat

Version

1.35

C2

snkno.duckdns.org:43413

Attributes

communication_password
827ccb0eea8a706c4c34a16891f84e7b
tor_process
tor

Targets

- Target
  
  iCloud_5778420644664315372.exe
- Size
  
  6.0MB
- MD5
  
  37580d09f99717268666e091c21d344a
- SHA1
  
  0b7df2ebdf61753c183c818db71b4b1f6fd57841
- SHA256
  
  12d9848e317dcbf7dfb95649d7198fd93475f8b4cd093a252f28caeed8093001
- SHA512
  
  f2a1295003d64be1c768afbc6bd0f93ba53a39a883759952246371d9552777432193c35a702697061febb192cb365843480cc52c3dc44d90312a4e8be7e66749
- SSDEEP
  
  98304:JyQZRhelFuTw99bP/nCURx/PKnBWrmVjefsn+1:sQ7w99GURx/PKwQe
Score

10^/10

bitrat agilenet persistence trojan
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bitratagilenetpersistencetrojan

behavioral2

bitratpersistencetrojan

© 2018-2024

Terms | Privacy