bitrat

General

Target

4e4d51350f186355c0bade0a4093847b.exe
Size

5.0MB
Sample

220922-r8p7tsbfh8
MD5

4e4d51350f186355c0bade0a4093847b
SHA1

6b0bb9f756eb18699f354aed4d8ecdccddf26c71
SHA256

b244154eb02dde8424ac1dfc45cf8b1351de4c80c35ccbc338be7425c0a382d7
SHA512

76b306573ca767339730d675670d8259ca02a823dfd27b1833e2fc8a4b4d9e32cbf72943f6dbec13dc83a6f173dde1ab317bcf34f50c57f1826c38a4567608ad
SSDEEP

98304:BdGzxEoKDl5ZLICyK5CW+AHYmK8/t1UjgX98k1Lh8Tyd1:BdGJC59yICNiYmrv98k11nd1

Score

10^/10

Malware Config

Extracted

Family

warzonerat

C2

sheet.duckdns.org:4110

Extracted

Family

bitrat

Version

1.38

C2

sheet.duckdns.org:8471

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
Install path
install_file
Install name
tor_process
tor

Targets

- Target
  
  4e4d51350f186355c0bade0a4093847b.exe
- Size
  
  5.0MB
- MD5
  
  4e4d51350f186355c0bade0a4093847b
- SHA1
  
  6b0bb9f756eb18699f354aed4d8ecdccddf26c71
- SHA256
  
  b244154eb02dde8424ac1dfc45cf8b1351de4c80c35ccbc338be7425c0a382d7
- SHA512
  
  76b306573ca767339730d675670d8259ca02a823dfd27b1833e2fc8a4b4d9e32cbf72943f6dbec13dc83a6f173dde1ab317bcf34f50c57f1826c38a4567608ad
- SSDEEP
  
  98304:BdGzxEoKDl5ZLICyK5CW+AHYmK8/t1UjgX98k1Lh8Tyd1:BdGJC59yICNiYmrv98k11nd1
Score

10^/10

bitrat warzonerat infostealer persistence rat trojan
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

WarzoneRat, AveMaria

Warzone RAT payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2