General

  • Target: test_bat_c.zip
  • Size: 10.6MB
  • Sample: 230518-gc1ctahg96
  • MD5: 7b76c79a2a072de74409a6bc87f1e08e
  • SHA1: 7506893958b18a466aeafb32f2e926194887f248
  • SHA256: 36682e454c21cf545e611f5b5de9115c164433a75b4b20e10e31c37e785c2a14
  • SHA512: 49180cb178e714e1f444a128abb27b65a3f1bfecda10777106962a25da60ba16a63f791cc80fba5f34a0c6bd800d03966de71d16d1075995e11cd58f7b7b2868
  • SSDEEP: 196608:hOjiwJ1nC8JY26OVSHB/E1pYNPC+UlSmZu40tOoFQUGuGDVlPvrwC7eJYd3/yT9:hOjie1nJY264kJkpYNPVUq40tjcHE4el

Score: 10/10

Malware Config

Extracted

  • Family: bitrat
  • Version: 1.38
  • C2: 91.151.89.242:3434

Attributes

  • communication_password: 3c3662bcb661d6de679c636744c66b62
  • tor_process: tor

Targets

    • Target: test_bat_c/96c2a10be0c3dbe0d46fd81787b72d26aabab425cc5b0cc317f2035f272294c7.bat
    • Size: 3.8MB
    • MD5: 6fc558d212f65828c274f27909e51aa7
    • SHA1: 612487c386d838f506021ff846b47944b255a6a3
    • SHA256: 96c2a10be0c3dbe0d46fd81787b72d26aabab425cc5b0cc317f2035f272294c7
    • SHA512: a9a2218f65e5c48c8906505f1da7061179e2a749c6e93146ea33badfb0d4bda04433861d144aa4decccaca2e1c4ddf0db67e749602cf1d41091c29426c8cab1c
    • SSDEEP: 49152:2EqA3wg9X6szO4oX2nOw/YNBsXCzJtitbEbyzIBlkW1fMxpqZ8tAO3:z

    Score: 10/10

    • BitRAT

      BitRAT is a remote access tool written in C++ that reuses leaked source code from other malware families.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target: test_bat_c/e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20.bat
    • Size: 10.3MB
    • MD5: db149b83156f710e18e2233db671dc56
    • SHA1: ab3a8d2ec8edffb4ac434f11d4af01de8605f558
    • SHA256: e8057880d925de1696612198fce75da7cb732e08c6c4756547484d46e25d9f20
    • SHA512: 21b8d53854978077ea362c75fa0ceebab864a63c62d1b4cf65fcd5d9c74db23144f824957d877825e247fae786183a672e458a7b623364a9df85df34c4c424bf
    • SSDEEP: 49152:NgsDwfz/8H9hPHoep7Qf0f1on7wl/Y/I+3CEwYwmFK4ulynWtDWxTQP4zCrpaeNB:/

    Score: 10/10

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Hidden Files and Directories (T1158): 1

Defense Evasion

  • Hidden Files and Directories (T1158): 1

Discovery

  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 3

Command and Control

  • Web Service (T1102): 1
