bitrat

General

Target

Installerx64.rar
Size

13.8MB
Sample

230103-ye6faafh8t
MD5

2c3122f4f7be0187600dd32d2d173d3b
SHA1

e074f306abb37f5671141f5d4f9fc1efad4119fc
SHA256

bccc4ed85a1cca9413814ceaf90a4e12de07e5b0a07963ca6ea0a8b40a926550
SHA512

634555db07c3eb45b5ba82759ffe91244a6b8558017daad0ba1a48365f5eb213e70e9706b435cc06bfd075ba9703547d5f638542f8939bb7f723fe14d1999bde
SSDEEP

393216:H/N0S+2alOgOOJF1HlySgkealXT5oM3DGrSuL5/j:HCSapnybiFFAL

Score

10^/10

Malware Config

Extracted

Family

warzonerat

C2

45.139.105.147:5200

Extracted

Family

marsstealer

Botnet

Default

C2

data.topababa.com/gate.php

Extracted

Family

bitrat

Version

1.38

C2

45.139.105.147:1234

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
temp
install_file
svchost
tor_process
tor

Targets

- Target
  
  Installerx64/Installerx32.exe
- Size
  
  2.1MB
- MD5
  
  592bef1e0325ada505ec4875d5727bc1
- SHA1
  
  d6c6aa187d2b5aaff512c12948a426584382e92c
- SHA256
  
  83b8c34a7c66b407be941e59a9ce7a84ee81a8dfad3cea67e86118e96221c749
- SHA512
  
  38410a737b63a6cf123b08b74e836e75189ce6dae8d4491b4deab5791eff29a824be24d3d70a53ccaf3137222d79253385be5180fffc1e98a0a9c11b1b1e8d3e
- SSDEEP
  
  49152:tBUOgQLgF1CiOBInpLNAZpCY3iEO+IVG5r:nU7CCtOmFNAP6O
Score

10^/10

bitrat marsstealer warzonerat default evasion infostealer persistence rat stealer trojan
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
  stealer marsstealer
- Modifies security service
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Executes dropped EXE
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Installerx64/Installerx64.exe
- Size
  
  2.1MB
- MD5
  
  592bef1e0325ada505ec4875d5727bc1
- SHA1
  
  d6c6aa187d2b5aaff512c12948a426584382e92c
- SHA256
  
  83b8c34a7c66b407be941e59a9ce7a84ee81a8dfad3cea67e86118e96221c749
- SHA512
  
  38410a737b63a6cf123b08b74e836e75189ce6dae8d4491b4deab5791eff29a824be24d3d70a53ccaf3137222d79253385be5180fffc1e98a0a9c11b1b1e8d3e
- SSDEEP
  
  49152:tBUOgQLgF1CiOBInpLNAZpCY3iEO+IVG5r:nU7CCtOmFNAP6O
Score

10^/10

bitrat marsstealer warzonerat default evasion infostealer persistence rat stealer trojan
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Mars Stealer
  An infostealer written in C++ based on other infostealers.
  stealer marsstealer
- Modifies security service
  evasion
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Executes dropped EXE
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4