bitrat | c06cab989e964346467e4190f382ebc1777ef20786ac7f190ae080b8422f2d88 | Triage

Submit
Reports

Overview

overview

Static

static

20_89_27.exe

windows7-x64

20_89_27.exe

windows10-2004-x64

Sharing

General

Target

20_89_27.EXE
Size

9.4MB
Sample

220924-tfpfyabeh2
MD5

0894f84db87ca8148cd35781341489a2
SHA1

de5b88287a6454115d06de0d555e94820c3791c8
SHA256

c06cab989e964346467e4190f382ebc1777ef20786ac7f190ae080b8422f2d88
SHA512

00579a26b5640deae733df142f3e86a4b62c9a52828256d7ce165ad8ac7ffb2233a8e1f9a96268e3391e0ebcabb136e62633660881b8dbafc410b7531731566c
SSDEEP

49152:aJJKPuu28T4Vlp50dmHwWrwIdECy8AmY+VG9hk:1uu2r950873yr

Score

10^/10

bitrat njrat may4000 trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

20_89_27.exe

Resource

win7-20220812-en

bitrat njrat may4000 trojan upx

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

20_89_27.exe

Resource

win10v2004-20220901-en

bitrat njrat may4000 trojan upx

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bit9090.duckdns.org:9090

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Extracted

Family

njrat

Version

v2.0

Botnet

May4000

C2

dan4000.duckdns.org:4000

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Targets

- Target
  
  20_89_27.EXE
- Size
  
  9.4MB
- MD5
  
  0894f84db87ca8148cd35781341489a2
- SHA1
  
  de5b88287a6454115d06de0d555e94820c3791c8
- SHA256
  
  c06cab989e964346467e4190f382ebc1777ef20786ac7f190ae080b8422f2d88
- SHA512
  
  00579a26b5640deae733df142f3e86a4b62c9a52828256d7ce165ad8ac7ffb2233a8e1f9a96268e3391e0ebcabb136e62633660881b8dbafc410b7531731566c
- SSDEEP
  
  49152:aJJKPuu28T4Vlp50dmHwWrwIdECy8AmY+VG9hk:1uu2r950873yr
Score

10^/10

bitrat njrat may4000 trojan upx
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bitratnjratmay4000trojanupx

behavioral2

bitratnjratmay4000trojanupx

© 2018-2024

Terms | Privacy