bitrat | d0c42bf9edad21b80063db0a7fe9a3d1486c72551fc04b622e44529e5610fa1f | Triage

Submit
Reports

Overview

overview

Static

static

3

BHThisAcco...r2.exe

windows7-x64

BHThisAcco...r2.exe

windows10-2004-x64

Sharing

General

Target

BHThisAccountManger2.EXE
Size

6.2MB
Sample

230901-gs3swach2z
MD5

c2eb25d76d29c98f90d8c61004149a0c
SHA1

2c576db59c1c7e13d3572b9c9857bda4bcbe4fe1
SHA256

d0c42bf9edad21b80063db0a7fe9a3d1486c72551fc04b622e44529e5610fa1f
SHA512

d5493612fce6ba1d7d9ad79cd301d165686b7ca8f105407d094ad8528c1a9d76ba7ac8fc51d462fdbe6bae8a1f5354a96aad47ea1863e3d575ed985f60b04ade
SSDEEP

98304:cJ/yV00WA5L+wvgG7Wwpa1ugWYB5ADouSY4oLWL/6IkV0qBh6WVs3fER3ckWQP8B:QqV00WAcvwpCB4DBMuIQ08h6AfWoBk

Score

10^/10

bitrat persistence trojan vmprotect

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

BHThisAccountManger2.exe

Resource

win7-20230831-en

bitrat persistence trojan vmprotect

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

BHThisAccountManger2.exe

Resource

win10v2004-20230831-en

bitrat persistence trojan vmprotect

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

rornfl12.duckdns.org:3072

Attributes

communication_password
be767243ca8f574c740fb4c26cc6dceb
install_dir
chrome
install_file
chome.exe
tor_process
tor

Targets

- Target
  
  BHThisAccountManger2.EXE
- Size
  
  6.2MB
- MD5
  
  c2eb25d76d29c98f90d8c61004149a0c
- SHA1
  
  2c576db59c1c7e13d3572b9c9857bda4bcbe4fe1
- SHA256
  
  d0c42bf9edad21b80063db0a7fe9a3d1486c72551fc04b622e44529e5610fa1f
- SHA512
  
  d5493612fce6ba1d7d9ad79cd301d165686b7ca8f105407d094ad8528c1a9d76ba7ac8fc51d462fdbe6bae8a1f5354a96aad47ea1863e3d575ed985f60b04ade
- SSDEEP
  
  98304:cJ/yV00WA5L+wvgG7Wwpa1ugWYB5ADouSY4oLWL/6IkV0qBh6WVs3fER3ckWQP8B:QqV00WAcvwpCB4DBMuIQ08h6AfWoBk
Score

10^/10

bitrat persistence trojan vmprotect
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

bitratpersistencetrojanvmprotect

behavioral2

bitratpersistencetrojanvmprotect

© 2018-2024

Terms | Privacy