Overview

overview

10

Static

static

10

stub_tor.exe

windows7-x64

10

stub_tor.exe

windows10-1703-x64

10

stub_tor.exe

windows10-2004-x64

10

stub_tor.exe

windows11-21h2-x64

10

Resubmissions

12-04-2024 13:18

240412-qj2nwsdg6z 10

12-04-2024 13:18

240412-qj13csdg6y 10

12-04-2024 13:18

240412-qj1rladg6x 10

12-04-2024 13:18

240412-qjz53aag26 10

12-04-2024 13:18

240412-qjzvasag25 10

09-04-2024 03:59

240409-ekaq1sea34 10

09-04-2024 03:58

240409-ej1aaadh98 10

09-04-2024 03:58

240409-ejnw9adh85 10

09-04-2024 03:55

240409-eg8tmshd41 10

17-02-2024 23:58

240217-31gfhacd52 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    stub_tor.exe

  • Size

    7.8MB

  • Sample

    240409-ejnw9adh85

  • MD5

    c76390d9e1052d9e708940d67b5c135d

  • SHA1

    a370a73a9dd746584428e8a939288ecffd3c80f7

  • SHA256

    caf48b67e7bb94a178426fc7ce6b9ed50ffb2f3813a7c68900f21bfffb24e44f

  • SHA512

    4d2d38d8719cdac8a406cfa96944ee99d2d926511e64d6b6aa964d40d0d9ddb1dc6e4e6253bcb1e77b32613c0b4409ab32ea54c476018fee963574edb043dd3b

  • SSDEEP

    196608:oIRcbH4jSteTGvExwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOf:odHsfuExwZ6v1CPwDv3uFteg2EeJUO9E

Score
10/10
bitratpersistencetrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

7sbl4dpbubwjjghdquwg47fyq7rookd4bgm2ypm2kjzkivd7tomvczqd.onion:440

Attributes
  • communication_password

    4124bc0a9335c27f086f24ba207a4912

  • install_dir

    Minecraft

  • install_file

    Runtime_Broker

  • tor_process

    tor

Targets

    • Target

      stub_tor.exe

    • Size

      7.8MB

    • MD5

      c76390d9e1052d9e708940d67b5c135d

    • SHA1

      a370a73a9dd746584428e8a939288ecffd3c80f7

    • SHA256

      caf48b67e7bb94a178426fc7ce6b9ed50ffb2f3813a7c68900f21bfffb24e44f

    • SHA512

      4d2d38d8719cdac8a406cfa96944ee99d2d926511e64d6b6aa964d40d0d9ddb1dc6e4e6253bcb1e77b32613c0b4409ab32ea54c476018fee963574edb043dd3b

    • SSDEEP

      196608:oIRcbH4jSteTGvExwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOf:odHsfuExwZ6v1CPwDv3uFteg2EeJUO9E

    Score
    10/10
    bitratpersistencetrojanupx

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

      trojanbitrat

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks