bitrat | cdc6aef29d300c937b80abade4022803e565f3895b697dbcddc11fe36e19d0f5 | Triage

Submit
Reports

Overview

overview

Static

static

tmp.exe

windows7-x64

tmp.exe

windows10-2004-x64

Sharing

General

Target

tmp
Size

7.0MB
Sample

220925-vqaafafec6
MD5

90d11bc40e17839b51fcf6a2f0aebb12
SHA1

66139f98aa2efbde94c5a6d5b6abd7099b1ac8b7
SHA256

cdc6aef29d300c937b80abade4022803e565f3895b697dbcddc11fe36e19d0f5
SHA512

27298c219857f990a8cd8920e6380ffcac3d2952690df6b5d88833a085abaca2933a4637b7aeabbe83ed3c069d59895b583eb60950742ae299b718271d82e29b
SSDEEP

196608:SmA20NKKI/0BfjFj0U5mEqddH/qW907NKHBk/alv/bgNTtNalBMskBQFs8AbA9mv:ST20NKKI/0BfjFj0U5mEqddH/qW907NE

Score

10^/10

bitrat quasar yoworld aspackv2 persistence spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

tmp.exe

Resource

win7-20220812-en

bitrat quasar yoworld aspackv2 persistence spyware trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

tmp.exe

Resource

win10v2004-20220812-en

bitrat quasar yoworld aspackv2 persistence spyware trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

anubisgod.duckdns.org:1440

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
spottifyy
install_file
spottifyy.exe
tor_process
tor

Extracted

Family

quasar

Version

1.4.0

Botnet

Yoworld

C2

anubisgod.duckdns.org:1338

Mutex

ec434dcc-84b6-4a93-9358-be83ce93fef5

Attributes

encryption_key
0411D8B9B23547F86733347B0634010F112E158F
install_name
Dlscord.exe
log_directory
DlscordLogs
reconnect_delay
3000
startup_key
Dlscord
subdirectory
Dlscord

Targets

- Target
  
  tmp
- Size
  
  7.0MB
- MD5
  
  90d11bc40e17839b51fcf6a2f0aebb12
- SHA1
  
  66139f98aa2efbde94c5a6d5b6abd7099b1ac8b7
- SHA256
  
  cdc6aef29d300c937b80abade4022803e565f3895b697dbcddc11fe36e19d0f5
- SHA512
  
  27298c219857f990a8cd8920e6380ffcac3d2952690df6b5d88833a085abaca2933a4637b7aeabbe83ed3c069d59895b583eb60950742ae299b718271d82e29b
- SSDEEP
  
  196608:SmA20NKKI/0BfjFj0U5mEqddH/qW907NKHBk/alv/bgNTtNalBMskBQFs8AbA9mv:ST20NKKI/0BfjFj0U5mEqddH/qW907NE
Score

10^/10

bitrat quasar yoworld aspackv2 persistence spyware trojan
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bitratquasaryoworldaspackv2persistencespywaretrojan

behavioral2

bitratquasaryoworldaspackv2persistencespywaretrojan

© 2018-2024

Terms | Privacy