General
-
Target
putty.exe
-
Size
157KB
-
Sample
230524-grflysbf51
-
MD5
fb9a5aa7537e9a41eaaa1b5714330895
-
SHA1
4ebf8ece21579fadd34288adf5a2b2140fd3ee8f
-
SHA256
bdcf3c8b8f3f71c76e5a192bd9dbce2061379edb57eba0d41fdc69f9172a9d6b
-
SHA512
2e8afe44d91d2f8de6da8220a34d9e1bbfe2a1fbd9b0ebbd04bc03f43dc1b133edff74bad9e5adcbe26bc7343505e9f39fd6555ede54409a66e7561fbf596da0
-
SSDEEP
3072:WTTtS/P8TSeZNgDTakOihnjbiTRjEXQAuis1Jy///f/MD:EtTBZAjOGGRviec3fE
Malware Config
Extracted
bitrat
1.38
pradeepprabhu705.hopto.org:312
-
communication_password
827ccb0eea8a706c4c34a16891f84e7b
-
tor_process
tor
Targets
-
-
Target
putty.exe
-
Size
157KB
-
MD5
fb9a5aa7537e9a41eaaa1b5714330895
-
SHA1
4ebf8ece21579fadd34288adf5a2b2140fd3ee8f
-
SHA256
bdcf3c8b8f3f71c76e5a192bd9dbce2061379edb57eba0d41fdc69f9172a9d6b
-
SHA512
2e8afe44d91d2f8de6da8220a34d9e1bbfe2a1fbd9b0ebbd04bc03f43dc1b133edff74bad9e5adcbe26bc7343505e9f39fd6555ede54409a66e7561fbf596da0
-
SSDEEP
3072:WTTtS/P8TSeZNgDTakOihnjbiTRjEXQAuis1Jy///f/MD:EtTBZAjOGGRviec3fE
Score10/10-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-