General

  • Target

    04d43d6b0a1277e7d1e93415f1aa6a1e.exe

  • Size

    9.9MB

  • Sample

    221205-h9ja8scf91

  • MD5

    04d43d6b0a1277e7d1e93415f1aa6a1e

  • SHA1

    35692f031bf902a62a5b09d4437fe35c7bbdc0b4

  • SHA256

    76f4028be569b642d396b8e8936779493280aabcc3329f9058c19e78936c113e

  • SHA512

    5c8e27422ee6d73192d1caa3ab1535119e6d2667a28ac6b094a1747ac129e66e2a9122ea3c1f86ad5193b7b2beefa69c50224c558f0400893d729d25c1434dc3

  • SSDEEP

    196608:Whld/yJZn3gqkuSJHA2V6dQmRrdA6lakaqdVT8UdyDAS:yldKJZ3zkuIg2odQOlawdqUmAS

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

79.137.206.203:7777

Attributes

  • communication_password

    8e930496927757aac0dbd2438cb3f4f6

  • install_dir

    %APPDATA%

  • install_file

    ROCKEEETS

  • tor_process

    tls

Targets

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger
