bitrat | 67cda8c74585c33e1aaf255bf9283b781c2f4e15b7833ea02c3a725bc4ef9ea1 | Triage

Submit
Reports

Overview

overview

Static

static

3164_23_147_PDF.exe

windows7-x64

3164_23_147_PDF.exe

windows10-2004-x64

Sharing

General

Target

8648.zip
Size

6.2MB
Sample

221109-kqdmraghej
MD5

45ebb4ed0ef196295bc48e76e4effc18
SHA1

e7a4aabbb387f90f1e5d66795fe70d1787f950b7
SHA256

67cda8c74585c33e1aaf255bf9283b781c2f4e15b7833ea02c3a725bc4ef9ea1
SHA512

d1c9ffe1a0f2d3ca84e381e12796c29eb6759b71a412cd1a3323c309f214fca764a35a10b7a29a8a62d36d6b372ce1c9e9df444e448d6ee41fd7aa139a6b3fdb
SSDEEP

196608:h2bBrJC0MJAFrGVdQAp2++dQSXQrdoUZY:h2V9CjirGTpvbG

Score

10^/10

bitrat trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

3164_23_147_PDF.exe

Resource

win7-20220812-en

bitrat trojan upx

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

3164_23_147_PDF.exe

Resource

win10v2004-20220812-en

bitrat trojan upx

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitone9090.duckdns.org:9090

bit9090.duckdns.org:9090

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Targets

- Target
  
  3164_23_147_PDF.exe
- Size
  
  300.0MB
- MD5
  
  19ee0757397eff0b8cafa381c9c3737b
- SHA1
  
  801fbacb698b52aca0448fcbd6ab44d921ff6c3d
- SHA256
  
  50c0fd86906d4b61410326cde1aaf9c114684287b0b165e785873b599f6dd9c3
- SHA512
  
  ef09f79119e3f55d4e85b83a2586d41b2e4156ed2a7d28784aa880218d8c1dc623268b4232b22e254bcd91aa9d202e7a044d4d25ec289ab08b3228197beed312
- SSDEEP
  
  98304:FwcVlQ8/lL2LLeZWL0kDdtJRLum/quFUD1nUzsg:ycX1VCLeen1UpU
Score

10^/10

bitrat trojan upx
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bitrattrojanupx

behavioral2

bitrattrojanupx

© 2018-2024

Terms | Privacy