bitrat | d77795d4563d03c0ec79533ac468580fa94ae26a54b5e14e34c3d6bdf9ae51b0 | Triage

Submit
Reports

Overview

overview

Static

static

8

Documento_...23.xls

windows7-x64

Documento_...23.xls

windows10-2004-x64

Sharing

General

Target

Documento_Orslgroup_S.R.L_09_2023.xls
Size

100KB
Sample

230918-kpa58sae87
MD5

c678822324d3db11afb66ad4dc9a5bb8
SHA1

db82a3d3de0b0d90cc302e903e18dd9d2fb684c4
SHA256

d77795d4563d03c0ec79533ac468580fa94ae26a54b5e14e34c3d6bdf9ae51b0
SHA512

7a753d605ee1e5e14d3dbf0a67feb80c8fee21c0bdc7cba36298eead743b541e65d5d4d3f25124ec8d4ad54c38744f244bb721f7c0edb76d1a3441c0d291d03e
SSDEEP

3072:BrxEtjPOtioVjDGUU1qfDlaGGx+cL2QnA9tJE2zuxq+fr9wBLa71ba2ryLTHeYD:pxEtjPOtioVjDGUU1qfDlavx+W2QnAnF

Score

10^/10

bitrat macro macro_on_action trojan

Static task

static1

macro macro_on_action

2 signatures

Behavioral task

behavioral1

Sample

Documento_Orslgroup_S.R.L_09_2023.xls

Resource

win7-20230831-en

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

Documento_Orslgroup_S.R.L_09_2023.xls

Resource

win10v2004-20230915-en

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

185.225.75.68:3569

Attributes

communication_password
0edcbe7d888380c49e7d1dcf67b6ea6e
tor_process
tor

Targets

- Target
  
  Documento_Orslgroup_S.R.L_09_2023.xls
- Size
  
  100KB
- MD5
  
  c678822324d3db11afb66ad4dc9a5bb8
- SHA1
  
  db82a3d3de0b0d90cc302e903e18dd9d2fb684c4
- SHA256
  
  d77795d4563d03c0ec79533ac468580fa94ae26a54b5e14e34c3d6bdf9ae51b0
- SHA512
  
  7a753d605ee1e5e14d3dbf0a67feb80c8fee21c0bdc7cba36298eead743b541e65d5d4d3f25124ec8d4ad54c38744f244bb721f7c0edb76d1a3441c0d291d03e
- SSDEEP
  
  3072:BrxEtjPOtioVjDGUU1qfDlaGGx+cL2QnA9tJE2zuxq+fr9wBLa71ba2ryLTHeYD:pxEtjPOtioVjDGUU1qfDlavx+W2QnAnF
Score

10^/10

bitrat trojan
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

macromacro_on_action

behavioral1

behavioral2

© 2018-2024

Terms | Privacy