General
-
Target
04d43d6b0a1277e7d1e93415f1aa6a1e.exe
-
Size
9.9MB
-
Sample
221205-h9ja8scf91
-
MD5
04d43d6b0a1277e7d1e93415f1aa6a1e
-
SHA1
35692f031bf902a62a5b09d4437fe35c7bbdc0b4
-
SHA256
76f4028be569b642d396b8e8936779493280aabcc3329f9058c19e78936c113e
-
SHA512
5c8e27422ee6d73192d1caa3ab1535119e6d2667a28ac6b094a1747ac129e66e2a9122ea3c1f86ad5193b7b2beefa69c50224c558f0400893d729d25c1434dc3
-
SSDEEP
196608:Whld/yJZn3gqkuSJHA2V6dQmRrdA6lakaqdVT8UdyDAS:yldKJZ3zkuIg2odQOlawdqUmAS
Malware Config
Extracted
bitrat
1.38
79.137.206.203:7777
-
communication_password
8e930496927757aac0dbd2438cb3f4f6
-
install_dir
%APPDATA%
-
install_file
ROCKEEETS
-
tor_process
tls
Targets
-
-
Target
04d43d6b0a1277e7d1e93415f1aa6a1e.exe
-
Size
9.9MB
-
MD5
04d43d6b0a1277e7d1e93415f1aa6a1e
-
SHA1
35692f031bf902a62a5b09d4437fe35c7bbdc0b4
-
SHA256
76f4028be569b642d396b8e8936779493280aabcc3329f9058c19e78936c113e
-
SHA512
5c8e27422ee6d73192d1caa3ab1535119e6d2667a28ac6b094a1747ac129e66e2a9122ea3c1f86ad5193b7b2beefa69c50224c558f0400893d729d25c1434dc3
-
SSDEEP
196608:Whld/yJZn3gqkuSJHA2V6dQmRrdA6lakaqdVT8UdyDAS:yldKJZ3zkuIg2odQOlawdqUmAS
Score10/10-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-