General

  • Target

    cb1210c9515e3e6bf5716048cb7ba3cf

  • Size

    2.1MB

  • Sample

    240315-ljtwtsda5w

  • MD5

    cb1210c9515e3e6bf5716048cb7ba3cf

  • SHA1

    9a57f751a71a63ac9b998a6a19b7a38b96349e53

  • SHA256

    42c77364cebcb01102a85a8bb9a053a0e01d633c2e9710256e9d174a9f67effd

  • SHA512

    ee6ca757e4dec2230255c26f66dfb20e225e22581e3c90359f168e976a5e12250ed24dd5305b6c59a673036841cedce682601fef5f4c9304843571c941c96990

  • SSDEEP

    49152:1kIxSRHorTDMyDmFscevbcd/Fkl1DI8wGLSK4Erm8jJE3hGJGYRV6O37PckR1h:1k8SeDMbFs3Ad/FUIyHpcMhn1370kR1

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

gotti.ddnsgeek.com:8088

Attributes
  • communication_password

    81dc9bdb52d04dc20036dbd8313ed055

  • tor_process

    tor
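The extracted config above is the actionable part of the report: a C2 host and port, and a `communication_password` that is 32 hex characters. The block below is an added example written for this page, not code from the sandbox or from BitRAT itself. It parses the C2 value, assumes the password field is an MD5 hex digest of the plaintext and tries it against a small constructed wordlist, and emits a Suricata DNS rule for the C2 domain. The wordlist and the `sid` value are assumptions; everything else is copied from the config above.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Values copied from the report's extracted config.
EXTRACTED_CONFIG = {
    "family": "bitrat",
    "version": "1.38",
    "c2": "gotti.ddnsgeek.com:8088",
    "communication_password": "81dc9bdb52d04dc20036dbd8313ed055",
    "tor_process": "tor",
}

# Constructed wordlist (assumption: a defender's short list of common secrets,
# not anything taken from the report).
CANDIDATES = ["password", "admin", "123456", "12345678", "1234", "bitrat"]

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def parse_c2(c2: str) -> Tuple[str, int]:
    """Split 'host:port' into (host, port) and reject malformed values."""
    host, sep, port = c2.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"malformed C2 value: {c2!r}")
    port_n = int(port)
    if not 0 < port_n < 65536:
        raise ValueError(f"port out of range: {port_n}")
    return host, port_n


def recover_password(digest: str, candidates: List[str]) -> Optional[str]:
    """Assumption: communication_password is the MD5 hex digest of the plaintext
    (the extracted value is 32 hex chars). Return the matching candidate or None."""
    digest = digest.lower()
    if not MD5_HEX.match(digest):
        raise ValueError(f"not an MD5 hex digest: {digest!r}")
    for cand in candidates:
        if hashlib.md5(cand.encode()).hexdigest() == digest:
            return cand
    return None


def suricata_dns_rule(domain: str, family: str, sid: int) -> str:
    """Suricata rule alerting on a DNS query for the C2 domain.
    sid is a placeholder; pick one from your local rule range."""
    return (f'alert dns any any -> any any (msg:"{family} C2 domain {domain}"; '
            f'dns.query; content:"{domain}"; nocase; sid:{sid}; rev:1;)')


def build_iocs(config: Dict[str, str]) -> Dict[str, object]:
    """Turn the extracted config into IOCs a SOC can act on."""
    host, port = parse_c2(config["c2"])
    return {
        "c2_host": host,
        "c2_port": port,
        "password_plaintext": recover_password(config["communication_password"], CANDIDATES),
        "dns_rule": suricata_dns_rule(host, config["family"], sid=9000001),
    }


if __name__ == "__main__":
    for key, value in build_iocs(EXTRACTED_CONFIG).items():
        print(f"{key}: {value}")
```

Run as-is the script recovers the plaintext `1234` for the password digest, which is worth knowing when you later see the same value in other BitRAT configs: the operator never changed the builder default.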

Targets

    • Target

      cb1210c9515e3e6bf5716048cb7ba3cf

    • Size

      2.1MB

    • MD5

      cb1210c9515e3e6bf5716048cb7ba3cf

    • SHA1

      9a57f751a71a63ac9b998a6a19b7a38b96349e53

    • SHA256

      42c77364cebcb01102a85a8bb9a053a0e01d633c2e9710256e9d174a9f67effd

    • SHA512

      ee6ca757e4dec2230255c26f66dfb20e225e22581e3c90359f168e976a5e12250ed24dd5305b6c59a673036841cedce682601fef5f4c9304843571c941c96990

    • SSDEEP

      49152:1kIxSRHorTDMyDmFscevbcd/Fkl1DI8wGLSK4Erm8jJE3hGJGYRV6O37PckR1h:1k8SeDMbFs3Ad/FUIyHpcMhn1370kR1

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Modifies WinLogon for persistence

    • Uses the VBS compiler for execution

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
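The "Modifies WinLogon for persistence" signature maps to T1547.004 below: the sample writes to the Winlogon key so its payload is launched at logon. The block below is an added example for this page, not code from the report or from BitRAT. It parses a `reg export` style snapshot and flags the three classic tampering patterns: extra entries in the machine-wide Shell or Userinit values, per-user Shell or Userinit overrides under HKCU, and helper DLLs registered under Winlogon\Notify. The two snapshots are constructed, the file paths in them are hypothetical, and the check assumes the default system32 location of userinit.exe.

```python
import re
from typing import Dict, List

# Constructed snapshot with the kind of tampering the signature describes
# (hypothetical paths, not artefacts from the report).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\Public\\Libraries\\update.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\victim\\AppData\\Roaming\\svc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\evil]
"DllName"="C:\\ProgramData\\evil.dll"
'''

# Constructed snapshot of a clean machine: Windows defaults, no per-user values.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # REG_SZ values only
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the string values of a .reg export into {key_path: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            keys[current][name] = data.replace("\\\\", "\\")  # undo .reg escaping
    return keys


def _entries(data: str) -> List[str]:
    """Shell and Userinit are comma-separated lists; drop empty trailing items."""
    return [e.strip() for e in data.split(",") if e.strip()]


def audit_winlogon(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings for Winlogon persistence (T1547.004)."""
    findings: List[str] = []
    for path, values in keys.items():
        hive, _, sub = path.partition("\\")
        if not sub.lower().startswith(WINLOGON.lower()):
            continue
        tail = sub[len(WINLOGON):]  # "" for Winlogon itself, "\Notify\x" for helpers
        if tail == "":
            if hive == "HKEY_LOCAL_MACHINE":
                shell = values.get("Shell")
                if shell is not None and [e.lower() for e in _entries(shell)] != ["explorer.exe"]:
                    findings.append(f"HKLM Shell altered: {shell}")
                userinit = values.get("Userinit")
                if userinit is not None:
                    # Assumption: only the default system32\userinit.exe is legitimate.
                    extra = [e for e in _entries(userinit)
                             if not e.lower().endswith("\\system32\\userinit.exe")]
                    if extra:
                        findings.append(f"HKLM Userinit has extra entries: {extra}")
            else:
                # A clean system has no per-user Shell/Userinit; any value is an override.
                for name in ("Shell", "Userinit"):
                    if name in values:
                        findings.append(f"{hive} per-user {name} set: {values[name]}")
        elif tail.lower().startswith("\\notify\\") and "DllName" in values:
            findings.append(f"Winlogon Notify helper DLL registered: {path} -> {values['DllName']}")
    return findings


if __name__ == "__main__":
    for finding in audit_winlogon(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a live host, feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" out.reg` (and the HKCU equivalent) rather than the constructed snapshots; the parser ignores non-string values, so binary Notify data would need a separate check.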

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Scripting: T1064 (1)

  • Persistence

    Boot or Logon Autostart Execution: T1547 (1)

    Winlogon Helper DLL: T1547.004 (1)

  • Privilege Escalation

    Boot or Logon Autostart Execution: T1547 (1)

    Winlogon Helper DLL: T1547.004 (1)

  • Defense Evasion

    Modify Registry: T1112 (1)

    Scripting: T1064 (1)

Note that T1064 (Scripting) is a deprecated ATT&CK technique; when mapping this report to a current matrix use T1059 (Command and Scripting Interpreter) instead.
