Overview

overview

10

Static

static

3056792cfe...5f.exe

windows7-x64

6

3056792cfe...5f.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3056792cfe11d96217fa3626f3ab6a5f.exe

  • Size

    4.6MB

  • Sample

    221026-l8jr6afch8

  • MD5

    3056792cfe11d96217fa3626f3ab6a5f

  • SHA1

    d2b732a35d22e32dbc265957e624c667012a6a18

  • SHA256

    02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5

  • SHA512

    c7e217193294760af3bfb12ff4e7ed327faf9ba09e05d3927eaba26385ce9853ff42685cdabff00fbe6c1461ce5c772afc7a158d72da9e33039da0ee828789c8

  • SSDEEP

    24576:2RlFlAOYfBKbQzW3I+ps4NCmntjDesG5InScdbJaP1tVpVzKGeGCvCr2F1xgLAZ4:

Score
10/10
bitratpersistencetrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

gh9st.mywire.org:5005

Attributes
  • communication_password

    803355ca422bf9b37bc523a750e21842

  • install_dir

    svcsvc

  • install_file

    svcsvc.exe

  • tor_process

    tor

Targets

    • Target

      3056792cfe11d96217fa3626f3ab6a5f.exe

    • Size

      4.6MB

    • MD5

      3056792cfe11d96217fa3626f3ab6a5f

    • SHA1

      d2b732a35d22e32dbc265957e624c667012a6a18

    • SHA256

      02db00ca3d50065b6c10c027a64066d00d4a1cd8dbed0b77ce414a64258406f5

    • SHA512

      c7e217193294760af3bfb12ff4e7ed327faf9ba09e05d3927eaba26385ce9853ff42685cdabff00fbe6c1461ce5c772afc7a158d72da9e33039da0ee828789c8

    • SSDEEP

      24576:2RlFlAOYfBKbQzW3I+ps4NCmntjDesG5InScdbJaP1tVpVzKGeGCvCr2F1xgLAZ4:

    Score
    10/10
    persistencebitrattrojan

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

      trojanbitrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks