General

  • Target

    Exmip.exe

  • Size

    303KB

  • Sample

    240215-p6ft9sga8s

  • MD5

    05c5742158cb40afe07e715fb171adcf

  • SHA1

    3ed365cd79b36a6ca50a5d45f4c210b4b6f027d4

  • SHA256

    6e89b0c8f8078991887ba81a7e60b561b71170bef3a2440e3932d6b5293d0a07

  • SHA512

    646b3bfc0340b3372a0aee475cbad92ce44666958bb6e546b8dbc1e12a38ac9fc691bff6225e10a7ada6392067d31c0608929a92f7296b99ec37b3c276f08ce4

  • SSDEEP

    6144:7w1zfkC0CDpPIQuvryFS3Ltp4mZnOous7U4UUU3UUUs9rOA:7wxfkCPKQuToS3zZnBuiU4UUU3UUUca

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

103.153.182.247:6161

Attributes
  • communication_password

    81dc9bdb52d04dc20036dbd8313ed055 (a 32-hex-character value consistent with an MD5 digest; it is MD5 of the string "1234", i.e. a trivially weak password)

  • install_dir

    Install path

  • install_file

    Install name

  • tor_process

    tor

Targets

    • Target

      Exmip.exe

    • Size

      303KB

    • MD5

      05c5742158cb40afe07e715fb171adcf

    • SHA1

      3ed365cd79b36a6ca50a5d45f4c210b4b6f027d4

    • SHA256

      6e89b0c8f8078991887ba81a7e60b561b71170bef3a2440e3932d6b5293d0a07

    • SHA512

      646b3bfc0340b3372a0aee475cbad92ce44666958bb6e546b8dbc1e12a38ac9fc691bff6225e10a7ada6392067d31c0608929a92f7296b99ec37b3c276f08ce4

    • SSDEEP

      6144:7w1zfkC0CDpPIQuvryFS3Ltp4mZnOous7U4UUU3UUUs9rOA:7wxfkCPKQuToS3zZnBuiU4UUU3UUUca

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Drops startup file

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      NtSetInformationThread with the ThreadHideFromDebugger information class hides the calling thread from an attached debugger (the debugger stops receiving its debug events); a common anti-analysis check.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context with SetThreadContext is the usual final step of process hollowing or thread-hijacking injection, where execution is redirected to injected code.
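The indicators above can be turned directly into triage checks. The following Python is an added example, not code from the report or from the sandbox vendor. It uses the report's hashes, target name, C2 socket and communication_password digest; everything else (the firewall log lines, the Run-key entries, the regexes and helper names) is constructed for illustration. The password check assumes BitRAT stores the communication password as an MD5 digest: the 32-hex-character config value is consistent with that, and MD5("1234") reproduces it.

```python
"""Triage helpers built from the indicators in the BitRAT report above.

Added example; not part of the original sandbox report. The hashes, target
name, C2 socket and communication_password digest are the report's values.
The log lines and autorun entries below are constructed for illustration.
"""
import hashlib
import re
from pathlib import PureWindowsPath

# Indicators copied from the report.
SAMPLE_MD5 = "05c5742158cb40afe07e715fb171adcf"
SAMPLE_SHA256 = "6e89b0c8f8078991887ba81a7e60b561b71170bef3a2440e3932d6b5293d0a07"
SAMPLE_NAME = "Exmip.exe"
C2_HOST, C2_PORT = "103.153.182.247", 6161
COMM_PASSWORD_DIGEST = "81dc9bdb52d04dc20036dbd8313ed055"


def hashes_of(data: bytes) -> dict:
    """Return the MD5 / SHA-1 / SHA-256 hex digests of a byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_sample(data: bytes) -> bool:
    """True only if both MD5 and SHA-256 match the report; MD5 alone is
    collision-prone, so never pivot on it by itself."""
    h = hashes_of(data)
    return h["md5"] == SAMPLE_MD5 and h["sha256"] == SAMPLE_SHA256


def recover_comm_password(candidates):
    """Assumption: BitRAT stores the communication password as an MD5 digest.
    Try a small wordlist and return the plaintext, or None if nothing matches."""
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == COMM_PASSWORD_DIGEST:
            return word
    return None


# Constructed firewall log lines in a key=value style (not from the report).
SAMPLE_LOGS = [
    "2024-02-15T10:01:02Z src=10.0.0.5 dst=103.153.182.247 dport=6161 proto=tcp",
    "2024-02-15T10:01:09Z src=10.0.0.5 dst=142.250.74.46 dport=443 proto=tcp",
    "2024-02-15T10:02:17Z src=10.0.0.7 dst=103.153.182.247 dport=6162 proto=tcp",
    "malformed line with no fields",
]
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def find_c2_contacts(lines) -> list:
    """Return (src, dport, exact) for every line that reaches the C2 host.
    A different port on the same host is still reported, with exact=False,
    because operators rotate ports more often than addresses."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m["dst"] == C2_HOST:
            port = int(m["dport"])
            hits.append((m["src"], port, port == C2_PORT))
    return hits


# Constructed HKCU\...\Run entries as (value name, command) pairs.
# The second one mirrors the report's install_dir / install_file placeholders.
SAMPLE_RUN_ENTRIES = [
    ("Dropbox", r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe /systemstartup"),
    ("Install name", r"C:\Users\alice\AppData\Roaming\Install path\Exmip.exe"),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?', re.IGNORECASE)
USER_WRITABLE = {"appdata", "temp", "programdata", "public"}


def suspicious_run_entries(entries) -> list:
    """T1547.001 triage heuristic: flag Run-key values whose image is the
    sample's file name or lives under a user-writable directory."""
    flagged = []
    for name, command in entries:
        m = EXE_RE.match(command)
        path = PureWindowsPath(m["exe"] if m else command)
        parts = {p.lower() for p in path.parts}
        if path.name.lower() == SAMPLE_NAME.lower() or parts & USER_WRITABLE:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print("password:", recover_comm_password(["password", "admin", "1234"]))
    print("C2 contacts:", find_c2_contacts(SAMPLE_LOGS))
    print("suspicious autoruns:", suspicious_run_entries(SAMPLE_RUN_ENTRIES))
```

The user-writable-directory heuristic is deliberately loose (some legitimate per-user software also starts from AppData), so treat its output as a list to review, not as a verdict; the sample-name and exact C2 socket matches are the high-confidence hits.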

MITRE ATT&CK Matrix (ATT&CK v13)

Counts are the number of report signatures mapped to each technique.

Persistence
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion
  • Modify Registry (T1112): 1
