bitrat | 36682e454c21cf545e611f5b5de9115c164433a75b4b20e10e31c37e785c2a14 | Triage

Sharing

General

Target

test_bat_c.zip
Size

10.6MB
Sample

230518-gc1ctahg96
MD5

7b76c79a2a072de74409a6bc87f1e08e
SHA1

7506893958b18a466aeafb32f2e926194887f248
SHA256

36682e454c21cf545e611f5b5de9115c164433a75b4b20e10e31c37e785c2a14
SHA512

49180cb178e714e1f444a128abb27b65a3f1bfecda10777106962a25da60ba16a63f791cc80fba5f34a0c6bd800d03966de71d16d1075995e11cd58f7b7b2868
SSDEEP

196608:hOjiwJ1nC8JY26OVSHB/E1pYNPC+UlSmZu40tOoFQUGuGDVlPvrwC7eJYd3/yT9:hOjie1nJY264kJkpYNPVUq40tjcHE4el

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

91.151.89.242:3434

Attributes

communication_password
3c3662bcb661d6de679c636744c66b62
tor_process
tor

Targets

- Target
  
  test_bat_c/96c2a10be0c3dbe0d46fd81787b72d26aabab425cc5b0cc317f2035f272294c7.bat
- Size
  
  3.8MB
- MD5
  
  6fc558d212f65828c274f27909e51aa7
- SHA1
  
  612487c386d838f506021ff846b47944b255a6a3
- SHA256
  
  96c2a10be0c3dbe0d46fd81787b72d26aabab425cc5b0cc317f2035f272294c7
- SHA512
  
  a9a2218f65e5c48c8906505f1da7061179e2a749c6e93146ea33badfb0d4bda04433861d144aa4decccaca2e1c4ddf0db67e749602cf1d41091c29426c8cab1c
- SSDEEP
  
  49152:2EqA3wg9X6szO4oX2nOw/YNBsXCzJtitbEbyzIBlkW1fMxpqZ8tAO3:z
Score

10^/10

bitrat trojan
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  test_bat_c/e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat
- Size
  
  10.3MB
- MD5
  
  db149b83156f710e18e2233db671dc56
- SHA1
  
  ab3a8d2ec8edffb4ac434f11d4af01de8605f558
- SHA256
  
  e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20
- SHA512
  
  21b8d53854978077ea362c75fa0ceebab864a63c62d1b4cf65fcd5d9c74db23144f824957d877825e247fae786183a672e458a7b623364a9df85df34c4c424bf
- SSDEEP
  
  49152:NgsDwfz/8H9hPHoep7Qf0f1on7wl/Y/I+3CEwYwmFK4ulynWtDWxTQP4zCrpaeNB:/
Score

10^/10
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4