bitrat | fbecd7506cbac2937c708ec38567949f550e9f0d4a0575b157dec69d9920cf57 | Triage

Submit
Reports

Overview

overview

Static

static

1

Browser Update.js

windows7-x64

Browser Update.js

windows10-2004-x64

Sharing

General

Target

Browser Update.js
Size

606KB
Sample

240319-zkme2afb67
MD5

80f7b21c47f037118ebdce07c9ad7791
SHA1

ea386166ac8a027a7f245cbfa357320734bbcfcc
SHA256

fbecd7506cbac2937c708ec38567949f550e9f0d4a0575b157dec69d9920cf57
SHA512

b2003629653f0a4d3402b0b10654f0bfb838d56ca3168b2e5eb29bffe814554e80c9b969cc15d6ca4e4ff8dbd223e6696a9db0d7fd0c167df412fc76a3c9d469
SSDEEP

1536:5+BEG+BEVB/+BEVB/+BEVB2BEhBEZBEhBEZBEhBEZBEhBENBEFEMBEFEMBEFEMB4:n

Score

10^/10

bitrat rhadamanthys persistence stealer trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

Browser Update.js

Resource

win7-20240221-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

Browser Update.js

Resource

win10v2004-20240226-en

bitrat rhadamanthys persistence stealer trojan upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://193.233.132.136/a/z.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://193.233.132.136/a/s.png

Extracted

Family

bitrat

Version

1.38

C2

193.233.132.136:4404

Attributes

communication_password
93d93f0d629d26b535ee4c950717ab2b
tor_process
tor

Targets

- Target
  
  Browser Update.js
- Size
  
  606KB
- MD5
  
  80f7b21c47f037118ebdce07c9ad7791
- SHA1
  
  ea386166ac8a027a7f245cbfa357320734bbcfcc
- SHA256
  
  fbecd7506cbac2937c708ec38567949f550e9f0d4a0575b157dec69d9920cf57
- SHA512
  
  b2003629653f0a4d3402b0b10654f0bfb838d56ca3168b2e5eb29bffe814554e80c9b969cc15d6ca4e4ff8dbd223e6696a9db0d7fd0c167df412fc76a3c9d469
- SSDEEP
  
  1536:5+BEG+BEVB/+BEVB/+BEVB2BEhBEZBEhBEZBEhBEZBEhBENBEFEMBEFEMBEFEMB4:n
Score

10^/10

bitrat rhadamanthys persistence stealer trojan upx
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

bitratrhadamanthyspersistencestealertrojanupx

© 2018-2024

Terms | Privacy