bitrat | f5fbd66fa754b518289e512f61ed872924ff06f80ec48dc08bd270b179d783cd | Triage

Submit
Reports

Overview

overview

Static

static

3

d345138f48...36.exe

windows7-x64

9

d345138f48...36.exe

windows10-2004-x64

Sharing

General

Target

d345138f48b7d610e4f7d280504a5a36
Size

2.7MB
Sample

240318-mfxc8afa9s
MD5

d345138f48b7d610e4f7d280504a5a36
SHA1

f4f24851b4249d37bcddebbe3a6084266f7dcf2a
SHA256

f5fbd66fa754b518289e512f61ed872924ff06f80ec48dc08bd270b179d783cd
SHA512

3e4fe2ad60059e1bfc696dfaeb1399c3a9c01ff44a6728fe6244dc7ebf27d18429c9e0e9b72a05727911ed6337eece15a242b8d5ce0d723350ad459772069c69
SSDEEP

49152:6PbUDBy6zxsQZr5nGoL6DGrfTt5L5S2+F96XDumJBAwI8KSWBDfUHM6M6a/9K9zE:68r19k6SGeeKD9fUs6Fa/Y9zztzzK

Score

10^/10

bitrat evasion trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

d345138f48b7d610e4f7d280504a5a36.exe

Resource

win7-20240221-en

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

d345138f48b7d610e4f7d280504a5a36.exe

Resource

win10v2004-20240226-en

bitrat evasion trojan upx

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

dopeonlineforwarding.xyz:6620

Attributes

communication_password
d74a214501c1c40b2c77e995082f3587
tor_process
tor

Targets

- Target
  
  d345138f48b7d610e4f7d280504a5a36
- Size
  
  2.7MB
- MD5
  
  d345138f48b7d610e4f7d280504a5a36
- SHA1
  
  f4f24851b4249d37bcddebbe3a6084266f7dcf2a
- SHA256
  
  f5fbd66fa754b518289e512f61ed872924ff06f80ec48dc08bd270b179d783cd
- SHA512
  
  3e4fe2ad60059e1bfc696dfaeb1399c3a9c01ff44a6728fe6244dc7ebf27d18429c9e0e9b72a05727911ed6337eece15a242b8d5ce0d723350ad459772069c69
- SSDEEP
  
  49152:6PbUDBy6zxsQZr5nGoL6DGrfTt5L5S2+F96XDumJBAwI8KSWBDfUHM6M6a/9K9zE:68r19k6SGeeKD9fUs6Fa/Y9zztzzK
Score

10^/10

evasion upx bitrat trojan
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- CustAttr .NET packer
  Detects CustAttr .NET packer in memory.
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

bitratevasiontrojanupx

© 2018-2024

Terms | Privacy