bitrat | d8276830ad97867bf13dc04ae0190e2c3dbcb14c08b5fe30e609ef817b110ca3 | Triage

Submit
Reports

Overview

overview

Static

static

7

ClientCrack.exe

windows7-x64

ClientCrack.exe

windows10-2004-x64

Sharing

General

Target

ClientCrack.exe
Size

296KB
Sample

230613-xzjlksba28
MD5

bc5462da689944a5426fa4d933dc5fdf
SHA1

8a6ab3b4ed020b4d3b60d4aa4251d2f51f5d6308
SHA256

d8276830ad97867bf13dc04ae0190e2c3dbcb14c08b5fe30e609ef817b110ca3
SHA512

35abd0160381c6c16a011ce77d8abc8d5545e1dc9ea2928e4074b9967f97404cbe134b4d3acd90dd8ff9ff2e7f86cf57678d800c975650b6f7176347e5952cf7
SSDEEP

6144:NMH4eWseynVKsxUthS/nOS2J0zx9F4/Gksi+4CeeTf8X8FQ1M:NMH4sn81Par0019F4/GkudRTf8SQ1M

Score

10^/10

bitrat xmrig miner persistence trojan vmprotect

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

ClientCrack.exe

Resource

win7-20230220-en

bitrat xmrig miner persistence trojan vmprotect

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

ClientCrack.exe

Resource

win10v2004-20230220-en

xmrig miner vmprotect

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

elensias.duckdns.org:0

Attributes

communication_password
56c82ccd658e09e829f16bb99457bcbc
install_dir
gnugnu
install_file
chorme.exe
tor_process
tori

Targets

- Target
  
  ClientCrack.exe
- Size
  
  296KB
- MD5
  
  bc5462da689944a5426fa4d933dc5fdf
- SHA1
  
  8a6ab3b4ed020b4d3b60d4aa4251d2f51f5d6308
- SHA256
  
  d8276830ad97867bf13dc04ae0190e2c3dbcb14c08b5fe30e609ef817b110ca3
- SHA512
  
  35abd0160381c6c16a011ce77d8abc8d5545e1dc9ea2928e4074b9967f97404cbe134b4d3acd90dd8ff9ff2e7f86cf57678d800c975650b6f7176347e5952cf7
- SSDEEP
  
  6144:NMH4eWseynVKsxUthS/nOS2J0zx9F4/Gksi+4CeeTf8X8FQ1M:NMH4sn81Par0019F4/GkudRTf8SQ1M
Score

10^/10

bitrat xmrig miner persistence trojan vmprotect
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bitratxmrigminerpersistencetrojanvmprotect

behavioral2

xmrigminervmprotect

© 2018-2024

Terms | Privacy