bitrat

Sharing

Copy URL

Twitter E-mail

General

Target

receipt.exe
Size

1.4MB
Sample

220928-2tdklaadbl
MD5

220925c99e482fd480dedb37ca1b59d3
SHA1

828278c1467af367892469cbced139533ecce7e1
SHA256

e2340403396069b5ca3a235a66889abf2540c8e382bff1cb704ef2cdb13dade9
SHA512

55dc454a0cc616fbcbb646646cad5aa7beefdafd7a6193ad7ca653eacdd2a15fa6d077991135dbd681c74f1cfe16e99a0baba73ac81048ab77977ce8fceedb27
SSDEEP

24576:9ct1Eh0F4ATi6OKm1Hh1DV2FK/71dEbni7H1o0wwCwTdaPWU0XFpfbICj7J:9aeRKi6Nm1BVV2FI52sHGCdRXFpfbn7

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

216.250.251.191:24980

uzu.duckdns.org:24980

Mutex

549c9b02-da26-418a-8695-f2a6ff7cd7b3

Attributes

activate_away_mode
true
backup_connection_host
uzu.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-02-06T07:21:58.722428536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
24980
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
549c9b02-da26-418a-8695-f2a6ff7cd7b3
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
216.250.251.191
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

bitrat

Version

1.38

tcki6mrrcnrt33qy52viv7m64y6hepkv646nnzglrkbgytyt6b2hdrid.onion:80

Attributes

communication_password
827ccb0eea8a706c4c34a16891f84e7b
tor_process
dllhost

Targets

- Target
  
  receipt.exe
- Size
  
  1.4MB
- MD5
  
  220925c99e482fd480dedb37ca1b59d3
- SHA1
  
  828278c1467af367892469cbced139533ecce7e1
- SHA256
  
  e2340403396069b5ca3a235a66889abf2540c8e382bff1cb704ef2cdb13dade9
- SHA512
  
  55dc454a0cc616fbcbb646646cad5aa7beefdafd7a6193ad7ca653eacdd2a15fa6d077991135dbd681c74f1cfe16e99a0baba73ac81048ab77977ce8fceedb27
- SSDEEP
  
  24576:9ct1Eh0F4ATi6OKm1Hh1DV2FK/71dEbni7H1o0wwCwTdaPWU0XFpfbICj7J:9aeRKi6Nm1BVV2FI52sHGCdRXFpfbn7
Score

10^/10

bitrat nanocore evasion keylogger persistence spyware stealer trojan upx
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Uses Tor communications
  Malware can proxy its traffic through Tor for more anonymity.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

T1090

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

NanoCore

ACProtect 1.3x - 1.4x DLL software

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Looks up external IP address via web service

Uses Tor communications

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2