Overview

overview

10

Static

static

10

DDoS Panel V3.exe

windows7-x64

10

DDoS Panel V3.exe

windows10-1703-x64

10

DDoS Panel V3.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DDoS Panel V3.exe

  • Size

    8.2MB

  • Sample

    230304-zs2vpaec3v

  • MD5

    17f1879dec133b8328417891d6ca2c23

  • SHA1

    caa3b816c9f0c4d7445787599c8475ac7b71339c

  • SHA256

    c719392010e985181bc9dd1dd5e6ae8a3e3717ef8f4a541554df57f725008d2f

  • SHA512

    fa103d3931bfb7b7acf8dc2ed3859768de32b4b53a1be188036011aeac615e80737d3eb0bb76a4bc2c34cf221da0cc0fdad6c38d876b12341c6253e376da7e47

  • SSDEEP

    196608:NIRcbH4jSteTGv6xwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOfI:NdHsfu6xwZ6v1CPwDv3uFteg2EeJUO9k

Score
10/10
bitratpersistencetrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

sef7qgz77oamhl5gimls62lekmig5ormf6dcgftblhaxt2cn7emkbuid.onion:80

Attributes
  • communication_password

    81dc9bdb52d04dc20036dbd8313ed055

  • install_dir

    appdata

  • install_file

    HealthCheck

  • tor_process

    WebSvc

Targets

    • Target

      DDoS Panel V3.exe

    • Size

      8.2MB

    • MD5

      17f1879dec133b8328417891d6ca2c23

    • SHA1

      caa3b816c9f0c4d7445787599c8475ac7b71339c

    • SHA256

      c719392010e985181bc9dd1dd5e6ae8a3e3717ef8f4a541554df57f725008d2f

    • SHA512

      fa103d3931bfb7b7acf8dc2ed3859768de32b4b53a1be188036011aeac615e80737d3eb0bb76a4bc2c34cf221da0cc0fdad6c38d876b12341c6253e376da7e47

    • SSDEEP

      196608:NIRcbH4jSteTGv6xwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOfI:NdHsfu6xwZ6v1CPwDv3uFteg2EeJUO9k

    Score
    10/10
    bitratpersistencetrojanupx

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

      trojanbitrat

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2behavioral3

MITRE ATT&CK Enterprise v6

Tasks