General

  • Target

    4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.zip

  • Size

    4.1MB

  • Sample

    230321-rwf4dsda9t

  • MD5

    9e9135228040acb43c1cdb47a603c9c1

  • SHA1

    2439376b9c5360c357b799645f30404faa6a854c

  • SHA256

    6c3b0f6fa0f3ea807c3a7ac53bfa13930c7b806020c8b7ccf2825b2b6f3ae771

  • SHA512

    1006d63e50b69b6d4941c5bb50ea7b3f485eeb280a2ecf2cd0c9d3625402cff76c49424d264a0d325feb94a6dce378e081ed2972f12399474bff0311b759ee7a

  • SSDEEP

    98304:QjxL6szJ9exJ7suxDGPIX2P/kR6neZFA9HxMVLPLKj1hh5sXL:ybJSJ7s+nX2P/kR6ecrMVLPchhW7

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

185.246.220.122:1488

Attributes
  • communication_password

    81dc9bdb52d04dc20036dbd8313ed055

  • tor_process

    tor

Extracted

Family

redline

C2

185.246.220.122:7164

Attributes
  • auth_value

    bc36aaf1c6447fa611401422deaa29dd

Targets

    • Target

      4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513.exe

    • Size

      4.2MB

    • MD5

      446215913dd436aae1317ad90bf75677

    • SHA1

      6f9c887f3fe17b16045fd2fa2d754c744447a4d2

    • SHA256

      4bbf8447f25f44cabc87e9e20bf6594475f999a58e86c76bbad265d1db9bd513

    • SHA512

      dd1b3f89efb92245640289b43ceedbf3bb562578286966d3a72bd03ff145f36054788353d39804489174c6f9018624820f54cad560394be7cf09f5127188acb3

    • SSDEEP

      98304:scyyd+oHduCY3f3rFQtAjgyzZdGxHeqWF0KfgOjCH:sAswQFQtLUGFeqlm

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (1) - T1064

  • Defense Evasion

    Scripting (1) - T1064

  • Discovery

    Query Registry (1) - T1012

    System Information Discovery (2) - T1082
