General

  • Target

    attachment_2137.zip

  • Size

    3.8MB

  • Sample

    231227-ndkr3sghd8

  • MD5

    c31f4f4c470b56723900912c48b4cc29

  • SHA1

    15134c97ab6e66a080cf246b99c4a7d4edbd556f

  • SHA256

    93974f2a42d247f0c551b0fd9913872c27940c0671423814c0b9a0f2021a30e5

  • SHA512

    35af5069e631a145f58a19f79df171dc17327d0a5975a054e7b07fa9282b7ab0234930cb3973c2bc3cb6e80f63eb57584ffb6df950ef87bd07b27f55089f9f2d

  • SSDEEP

    98304:N3Iec23P9qy6bn5QtDkmGrqajwjD01mjGT8c:uYPi6JuqakuTAc

Malware Config

Extracted

  • Family

    bitrat

  • Version

    1.35

  • C2

    snkno.duckdns.org:43413

Attributes
  • communication_password

    827ccb0eea8a706c4c34a16891f84e7b

  • tor_process

    tor

Targets

    • Target

      attachment_2137.exe

    • Size

      6.0MB

    • MD5

      37580d09f99717268666e091c21d344a

    • SHA1

      0b7df2ebdf61753c183c818db71b4b1f6fd57841

    • SHA256

      12d9848e317dcbf7dfb95649d7198fd93475f8b4cd093a252f28caeed8093001

    • SHA512

      f2a1295003d64be1c768afbc6bd0f93ba53a39a883759952246371d9552777432193c35a702697061febb192cb365843480cc52c3dc44d90312a4e8be7e66749

    • SSDEEP

      98304:JyQZRhelFuTw99bP/nCURx/PKnBWrmVjefsn+1:sQ7w99GURx/PKwQe

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    T1547 Boot or Logon Autostart Execution (1)
    T1547.001 Registry Run Keys / Startup Folder (1)

  • Privilege Escalation

    T1547 Boot or Logon Autostart Execution (1)
    T1547.001 Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    T1112 Modify Registry (2)
    T1553 Subvert Trust Controls (1)
    T1553.004 Install Root Certificate (1)

  • Discovery

    T1012 Query Registry (1)
    T1082 System Information Discovery (2)
