General

  • Target

    ef194a3933b45e376e35ba7c4b14bf49.bin

  • Size

    7.7MB

  • Sample

    230605-p89v5ahc6x

  • MD5

    b083e6084cf4848225623b5dd680a380

  • SHA1

    ad38aa64922e2964c2ed0cd6f51b3f1217d29d15

  • SHA256

    824bfb1adf72681cee3da426dee064d9cdf8b4062941bc7232957b6055709b22

  • SHA512

    72be11f3d916afcc290773ffe1e08023b4301593c1c402c13be2440b446882c51f0ba56c1d4c0f61f3bd0e56b7b4b611bec3ff750b867e4f5f60a8a9afaccab5

  • SSDEEP

    196608:fC/6NTMcaVpiRifidXGCBQqjTSGiex9Lh3dk:fCyN1sbfilGCBQqT3LLh3K

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

rxbwrzmdaw27pt7lrrhophwwlcyuqkw3n2dhpr5gu5bjh3ut2ot2mwid.onion:80

Attributes
  • communication_password

    5ffc3746012bb1139c6bf49107694c1a

  • tor_process

    Smartscreens
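
The C2 above is a v3 onion service address. The following is an added example, not part of the sandbox report and not BitRAT's own code, that splits the host:port string and checks the address structurally: a v3 address is 56 base32 characters that decode to a 32-byte Ed25519 public key, a 2-byte SHA3-256 checksum and a version byte of 3. A truncated or mistyped indicator is rejected before it reaches a blocklist. The constants are copied from the report; the function name and error messages are mine.

```python
import base64
import hashlib

# Values copied from the extracted bitrat config above.
C2 = "rxbwrzmdaw27pt7lrrhophwwlcyuqkw3n2dhpr5gu5bjh3ut2ot2mwid.onion:80"
COMM_PASSWORD = "5ffc3746012bb1139c6bf49107694c1a"
TOR_PROCESS = "Smartscreens"

# base32(32-byte pubkey | 2-byte checksum | 1-byte version) = 56 characters
ONION_V3_LEN = 56


def parse_onion_c2(c2: str) -> dict:
    """Split a host:port C2 string and validate the host as a v3 onion address.

    Raises ValueError for anything that is not a well-formed v3 address.
    """
    host, sep, port = c2.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"no port in C2 string: {c2!r}")
    host = host.lower()
    if not host.endswith(".onion"):
        raise ValueError(f"not an onion host: {host!r}")
    label = host[: -len(".onion")]
    if len(label) != ONION_V3_LEN:
        raise ValueError(f"v3 onion label must be {ONION_V3_LEN} chars, got {len(label)}")
    try:
        # 56 base32 characters decode to exactly 35 bytes, so no padding is needed.
        raw = base64.b32decode(label.upper())
    except Exception as exc:
        raise ValueError(f"invalid base32 in onion label: {exc}") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != 3:
        raise ValueError(f"unexpected onion version byte {version}")
    # rend-spec-v3: CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]
    return {
        "host": host,
        "port": int(port),
        "version": version,
        "checksum_ok": checksum == expected,
        "pubkey_hex": pubkey.hex(),
    }


if __name__ == "__main__":
    info = parse_onion_c2(C2)
    for key, value in info.items():
        print(f"{key}: {value}")
    print(f"tor process name to hunt for: {TOR_PROCESS}")
    print(f"bitrat communication password: {COMM_PASSWORD}")
```

The checksum covers the public key and version byte, so `checksum_ok` being false means the string is not an address Tor ever generated, which is the usual sign of a copy-and-paste error in an indicator. The tor_process value is the name the RAT gives its bundled Tor client on the host, so it belongs in a process-name hunt rather than a network blocklist.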

Targets

    • Target

      6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d.exe

    • Size

      8.1MB

    • MD5

      ef194a3933b45e376e35ba7c4b14bf49

    • SHA1

      0830bceebac97ee4ecf909e22189c858865a553f

    • SHA256

      6139bf20b47414826d17354ffd408c3a6182ed05d2688bafe45a8f9d4c18133d

    • SHA512

      c0777e7ea276d983a72cdc6286b22e8267b1f2fe7baf3aaf47e63400bca1ba2ce88d2a59fe1d8bce001c3accdcfcd04f5e4552c3a659206d9e1493c45a71d3fd

    • SSDEEP

      98304:voRRzohHPzOY8MqNY5rONLPW75h1Zfvcls5+wMLi7VjtY2xhSzmUOlWg7t:vCRctM0yNDWL1FvclsGWhD9UOJp

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • UAC bypass

    • Windows security bypass

    • Sets service image path in registry

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                 Technique                            Count  ID
  Execution              Scripting                            1      T1064
  Execution              Scheduled Task                       1      T1053
  Persistence            Registry Run Keys / Startup Folder   2      T1060
  Persistence            Scheduled Task                       1      T1053
  Privilege Escalation   Bypass User Account Control          1      T1088
  Privilege Escalation   Scheduled Task                       1      T1053
  Defense Evasion        Bypass User Account Control          1      T1088
  Defense Evasion        Disabling Security Tools             3      T1089
  Defense Evasion        Modify Registry                      6      T1112
  Defense Evasion        Scripting                            1      T1064
  Discovery              Query Registry                       2      T1012
  Discovery              System Information Discovery         3      T1082
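
The matrix is exported in the flat form sandbox reports use: a tactic heading followed by technique name, count and ATT&CK v6 technique ID for each entry, and the IDs are from ATT&CK v6, which predates sub-techniques. The following is an added example, not from the report, that parses that flat form, inverts it by technique ID to show which tactics a technique was observed under, and annotates each v6 ID with its current ATT&CK equivalent: T1060, T1088 and T1089 were replaced by sub-techniques, T1053 gained the T1053.005 sub-technique for Windows scheduled tasks, and T1064 was deprecated in favour of T1059. The sample text is the report's own matrix with blank lines removed; the function names and the V6_TO_CURRENT table are mine.

```python
import re

ID_RE = re.compile(r"^T\d{4}$")

# Constructed sample: the report's flat ATT&CK v6 export (blank lines dropped).
MATRIX_TEXT = """\
Execution
Scripting
1
T1064
Scheduled Task
1
T1053
Persistence
Registry Run Keys / Startup Folder
2
T1060
Scheduled Task
1
T1053
Privilege Escalation
Bypass User Account Control
1
T1088
Scheduled Task
1
T1053
Defense Evasion
Bypass User Account Control
1
T1088
Disabling Security Tools
3
T1089
Modify Registry
6
T1112
Scripting
1
T1064
Discovery
Query Registry
2
T1012
System Information Discovery
3
T1082
"""

# v6 IDs that were renamed, split into sub-techniques or deprecated afterwards.
# IDs not listed here (T1012, T1082, T1112) are unchanged.
V6_TO_CURRENT = {
    "T1064": ("T1059", "Command and Scripting Interpreter (Scripting deprecated)"),
    "T1060": ("T1547.001", "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"),
    "T1088": ("T1548.002", "Abuse Elevation Control Mechanism: Bypass User Account Control"),
    "T1089": ("T1562.001", "Impair Defenses: Disable or Modify Tools"),
    "T1053": ("T1053.005", "Scheduled Task/Job: Scheduled Task"),
}


def parse_flat_matrix(text: str) -> dict:
    """Parse the flat export into {tactic: [{"technique", "count", "id"}, ...]}.

    A line is a technique name only when the next two non-blank lines are an
    integer count and a T#### ID; any other line starts a new tactic.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    matrix: dict = {}
    tactic = None
    i = 0
    while i < len(lines):
        is_entry = i + 2 < len(lines) and lines[i + 1].isdigit() and ID_RE.match(lines[i + 2])
        if is_entry:
            if tactic is None:
                raise ValueError(f"technique {lines[i]!r} before any tactic heading")
            matrix[tactic].append({"technique": lines[i], "count": int(lines[i + 1]), "id": lines[i + 2]})
            i += 3
        else:
            tactic = lines[i]
            matrix.setdefault(tactic, [])
            i += 1
    return matrix


def tactics_by_id(matrix: dict) -> dict:
    """Invert the matrix: technique ID -> set of tactics it was observed under."""
    out: dict = {}
    for tactic, entries in matrix.items():
        for e in entries:
            out.setdefault(e["id"], set()).add(tactic)
    return out


def normalize(matrix: dict) -> dict:
    """Copy the matrix, adding current_id/current_name from V6_TO_CURRENT to each entry."""
    result = {}
    for tactic, entries in matrix.items():
        result[tactic] = []
        for e in entries:
            cur_id, cur_name = V6_TO_CURRENT.get(e["id"], (e["id"], e["technique"]))
            result[tactic].append({**e, "current_id": cur_id, "current_name": cur_name})
    return result


if __name__ == "__main__":
    for tactic, entries in normalize(parse_flat_matrix(MATRIX_TEXT)).items():
        for e in entries:
            print(f"{tactic:22} {e['id']:6} -> {e['current_id']:10} {e['current_name']} (x{e['count']})")
```

The inversion is the part worth looking at when triaging: T1053 appears under three tactics here, which is how this report scores a single scheduled-task signature, not evidence of three distinct behaviours.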

Tasks