General

  • Target

    Nvokcuobkn.exe

  • Size

    51KB

  • Sample

    240224-p2zrkscg9z

  • MD5

    8647ffb0d889ea1933f7a4e7771094c0

  • SHA1

    5c20b6cf56287c18566e50b0249e6cd9285f3ca3

  • SHA256

    6570e239d47518afaf8baeed1da31b475ec07ee1256e85bd0318d397f40d4e5c

  • SHA512

    26c47cf2ceb3a6e7d3d3b7f7d8934d6d769d31d9d279479a141df6ae2057e8b2644e12a225f56e5306529133e1a793b9500e5633732ef586464ea2c8fd43957c

  • SSDEEP

    768:ibNdv/q2bAXYN+/sHyIoY1Dufiy1SSP4+acdU9/nKPUTV4A5Ynn8w/Ayfmxx:i+7+1DZy1LfaF/nEUitnn8gAyfw

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

103.153.182.247:6161

Attributes
  • communication_password

    81dc9bdb52d04dc20036dbd8313ed055

  • install_dir

    Install path

  • install_file

    Install name

  • tor_process

    tor
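The extracted configuration above is the most actionable part of the report: a C2 endpoint, a password field that looks like an MD5 digest, and install fields that read like unfilled builder defaults. The following is an added example of a small triage script, not code from the sandbox report or from BitRAT. It copies the report's values into EXTRACTED_CONFIG, parses the C2 string into host and port, and tests communication_password against a short constructed wordlist on the assumption that the field is an unsalted MD5 digest (its 32-hex-digit form suggests that; the report does not say how the value is derived).

```python
"""Triage of the extracted BitRAT configuration shown in the report.

Added example; not part of the sandbox report or of BitRAT. The values in
EXTRACTED_CONFIG are copied from the report. The password check assumes the
communication_password field is an unsalted MD5 digest (an assumption; the
report does not say how the value is derived), and the wordlist is a small
constructed one.
"""
import hashlib
import ipaddress
import re

EXTRACTED_CONFIG = {
    "family": "bitrat",
    "version": "1.38",
    "c2": ["103.153.182.247:6161"],
    "communication_password": "81dc9bdb52d04dc20036dbd8313ed055",
    "install_dir": "Install path",
    "install_file": "Install name",
    "tor_process": "tor",
}

# Constructed wordlist of common operator defaults; a real run would use a
# larger list and, on no hit, move on rather than brute-force.
COMMON_PASSWORDS = ["", "password", "admin", "1234", "12345", "123456", "bitrat"]

_HEX32 = re.compile(r"^[0-9a-f]{32}$")


def parse_c2(entry):
    """Split a 'host:port' string, as the report prints it, into parts.

    Returns {"host", "port", "is_public"}; is_public is None for DNS names.
    """
    host, sep, port = entry.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"malformed C2 entry: {entry!r}")
    try:
        is_public = ipaddress.ip_address(host).is_global
    except ValueError:  # a hostname rather than an address
        is_public = None
    return {"host": host, "port": int(port), "is_public": is_public}


def crack_md5(digest, wordlist):
    """Return the first word whose unsalted MD5 equals digest, else None."""
    digest = digest.lower()
    if not _HEX32.match(digest):
        return None
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


def triage(config, wordlist=COMMON_PASSWORDS):
    """Turn the raw config into network indicators plus analyst notes."""
    result = {"c2": [parse_c2(e) for e in config.get("c2", [])], "notes": []}

    pw = config.get("communication_password", "")
    hit = crack_md5(pw, wordlist) if pw else None
    result["password_plaintext"] = hit
    if hit is not None:
        result["notes"].append(f"communication_password is MD5({hit!r})")

    # 'Install path' / 'Install name' read like unfilled builder defaults rather
    # than a real directory and file name. Heuristic, not something the report states.
    for key in ("install_dir", "install_file"):
        value = config.get(key, "")
        if value.lower().startswith("install "):
            result["notes"].append(f"{key} holds a builder placeholder: {value!r}")
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EXTRACTED_CONFIG), indent=2))
```

Run as-is, the script reports the C2 as a public address on TCP 6161 and recovers the password hash as MD5 of "1234"; the two install fields are flagged as placeholders so nobody goes hunting for a directory literally named "Install path".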

Targets

    • Target

      Nvokcuobkn.exe

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Drops startup file

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • Boot or Logon Autostart Execution (T1547): 1 hit
    • Registry Run Keys / Startup Folder (T1547.001): 1 hit

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547): 1 hit
    • Registry Run Keys / Startup Folder (T1547.001): 1 hit

Defense Evasion
  • Modify Registry (T1112): 1 hit
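Both persistence signatures the report raises ("Drops startup file" and "Adds Run key to start application") map to T1547.001, and both are cheap to hunt for on other hosts. The following is an added example of that hunt, not code from the report or from the sample: it parses a registry export of the Run/RunOnce keys, extracts the executable each value launches, and flags entries that run from user-writable locations or carry the report's target file name, then adds anything found in a Startup folder. The registry export and file listing are constructed; only the name Nvokcuobkn.exe comes from the report, and the paths it is placed under are assumptions.

```python
"""Hunting for Run-key / Startup-folder persistence (T1547.001).

Added example, not from the report or the sample. The registry export and the
file listing below are constructed; only the file name Nvokcuobkn.exe is taken
from the report, and the paths it sits under are assumed.
"""
import re

RUN_KEY_RE = re.compile(
    r"^\[(HKEY_(?:CURRENT_USER|LOCAL_MACHINE)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run(?:Once)?)\]$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
# Locations a standard user can write to. Legitimate per-user software (OneDrive,
# Teams, ...) also lives there, so this is a triage filter, not a verdict.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
REPORT_IOC_NAMES = {"nvokcuobkn.exe"}  # Target file name from the report

# Constructed registry export in .reg syntax (not from the sandbox run).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Nvokcuobkn"="C:\\Users\\alice\\AppData\\Roaming\\Nvokcuobkn\\Nvokcuobkn.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''
# Constructed file listing (not from the sandbox run).
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nvokcuobkn.lnk",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk",
    r"C:\Users\alice\Documents\notes.txt",
]


def _unescape(s):
    # Undo .reg string escaping: a backslash quotes the character after it.
    return re.sub(r"\\(.)", r"\1", s)


def exe_path(command):
    """Pull the executable path out of a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else (command.split() or [command])[0]


def parse_reg_export(text):
    """Return {key, name, command, exe} for every value under a Run/RunOnce key."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            key = m.group(1) if m else None  # values under other keys are ignored
            continue
        m = VALUE_RE.match(line) if key else None
        if m:
            name, data = _unescape(m.group(1)), _unescape(m.group(2))
            entries.append({"key": key, "name": name, "command": data, "exe": exe_path(data)})
    return entries


def reasons(entry):
    """Triage reasons for one autostart entry; an empty list means nothing notable."""
    low = entry["exe"].lower()
    out = []
    if any(marker in low for marker in USER_WRITABLE):
        out.append("runs from a user-writable location")
    if low.rsplit("\\", 1)[-1] in REPORT_IOC_NAMES:
        out.append("file name matches the report's target")
    return out


def hunt(reg_text, file_listing):
    """Combine Run-key findings with anything sitting in a Startup folder."""
    findings = []
    for e in parse_reg_export(reg_text):
        why = reasons(e)
        if why:
            findings.append((e["key"] + "\\" + e["name"], e["exe"], why))
    for path in file_listing:
        if STARTUP_DIR_RE.search(path):
            findings.append(("StartupFolder", path, ["file present in a Startup folder"]))
    return findings


if __name__ == "__main__":
    for where, what, why in hunt(SAMPLE_REG, SAMPLE_FILES):
        print(f"{where}\n    {what}\n    {'; '.join(why)}")
```

On the constructed input the script returns three findings: the OneDrive entry (user-writable path only, which is why the location rule is a filter and not a verdict), the Nvokcuobkn entry (user-writable path and a name match on the report's target), and the .lnk in the Startup folder. The SecurityHealth value under HKLM, which launches from system32, is left alone. To run it against a real host, export the Run keys with `reg export` and feed the Startup folder listing from `dir /s /b`.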

Tasks