General

  • Target

    67_03_635_PDF.zip

  • Size

    6.0MB

  • Sample

    221202-tdh65sfh3z

  • MD5

    7e9feb691a45a5261c03d494fb13c411

  • SHA1

    433934d3e455abb51e8d96560a984d104346e3da

  • SHA256

    67150053a1165ad21d5d7ea59ee204683ac66f5fc35885ec1375c647a001c70f

  • SHA512

    abf4dc6c4be9a69b0c3c4b2481a0fbf5f391fedeec48df914aea2dfc358f5f13240e941e5387e169811efe44a6b72ced88e59e4b339662403df12fd2c7def4f4

  • SSDEEP

    98304:f8nh30q9dtee2/ILp+297Mj3vUfSeMtqw+HYd+Kb5mvEdE+oU10B+e82:f8hE8aJgtJ+jfUqexw+HHKbMvEW+rZ2

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

bitone9090.duckdns.org:9090

Attributes
  • communication_password

    e10adc3949ba59abbe56e057f20f883e

  • tor_process

    tor

Targets

    • Target

      $RECYCLE.BIN/$I2M8ZT6.exe

    • Size

      72B

    • MD5

      efa75dfa404c023aa5a4049bd0d4e7c9

    • SHA1

      8e3779732f1307a876f296e910aef8bb8d318233

    • SHA256

      24b40323e84e24a6234e2744b93dd848c0dcede55c4e7e8e9b85d20cde529af2

    • SHA512

      89427364d2ba45f7cd050e112feb6089b4ffea2f790f7632dfdeb1f7ca12b6bae1749e60781fec070ba697b1d280c8e968fdc2e368ea3238ed65146759b11da3

    Score: 1/10

    • Target

      $RECYCLE.BIN/$R2M8ZT6.exe

    • Size

      54KB

    • MD5

      c004e1d5f04056bc743f1d7c480d90de

    • SHA1

      3411e17f0f9306393ba21ca6837b442059769c2e

    • SHA256

      5589f40d0cc25a5296c1137dcd76317f0bda17b29e3c6fe3660624e69c47053f

    • SHA512

      e143f1e930f5f1c526d472dce1b863832a4be65ea3c31d6ef6a1d8eae4ebe164dfcb2a345d45db2adee6a1d774149e5497f1b592bbfe6dc000d4ccb091cde721

    • SSDEEP

      1536:PrqZtwkGrvUUUUUJUUUUUUQzZEOASUBZS+ZwIdHOCx2PMg:PrqPwkGrUUUUUJUUUUUUwISUQ

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      67_03_635_PDF.exe

    • Size

      3.0MB

    • MD5

      147c968922ab4d76d5b63ea9514bff69

    • SHA1

      4ea9cf1c7703e3f0ed5a7be291dc27b44230d771

    • SHA256

      7b384d4cad84fa53ded2466e2600f2658b85f66d7155cf4895d1f81810c82ca5

    • SHA512

      2f7146db39f13edd8ff10aebaa554366fcf33754521b25d29e354bfb4e29f9f2b22438a847f3c52b736791237191214e718bd8b361dcd6b2b8ccecdcebdd2391

    • SSDEEP

      98304:y81XfekfvDqec/kf3MuR38VDRkB00XWz+pGi:y8ZWQOLsf52V1k+0I

    Score: 1/10

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 2

  • Install Root Certificate (T1130): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2
