Resubmissions

09-04-2024 13:06

240409-qcaa3aba2z 10

09-04-2024 13:06

240409-qb91asba2y 10

09-04-2024 13:06

240409-qb9drsba2x 10

09-04-2024 13:06

240409-qb831afg26 10

28-08-2023 01:00

230828-bcmttsgb4v 10

General

  • Target

    03b9dd8b1e16ad5c2a605ad6b18493a7.bin

  • Size

    4.8MB

  • Sample

    240409-qb831afg26

  • MD5

    109700d193697797637b4ced2afdb74e

  • SHA1

    3dde85662d63d2cd05b5ff0fac343154d95c0dc8

  • SHA256

    00ec62acc47ff0297165650e13074aa49207441ee32d6718e72c87ea3e5b817e

  • SHA512

    5033980fbebb1306ae39be2bd4b79f79b79789480f9b6d1e3f307610bd581030ea790ca6e0c35ab93d6b00f3b67b66e7c6584c9a4b09cd14b0eb3bea8b028a10

  • SSDEEP

    98304:TNeeFxfl8Q0AR5sJi9zF10BOja0eLjuW3xZW+fUZyDKPjl0AMPP+W:fN0q5hV0BOjYju4k+fKwnPPv

Score
10/10

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

tcki6mrrcnrt33qy52viv7m64y6hepkv646nnzglrkbgytyt6b2hdrid.onion:80

Attributes
  • communication_password

    827ccb0eea8a706c4c34a16891f84e7b

  • tor_process

    dllhost

Targets

    • Target

      06f5ae2998205719e3541415641a8afc2f5d6877b50c860df066e0e95c7ed3f3.bin

    • Size

      7.8MB

    • MD5

      03b9dd8b1e16ad5c2a605ad6b18493a7

    • SHA1

      725f4473d8e09a8a9fcad2e8900dfb74623d4f18

    • SHA256

      06f5ae2998205719e3541415641a8afc2f5d6877b50c860df066e0e95c7ed3f3

    • SHA512

      8c5c077bd7575483b3601221b77e5b49b9acb7181fe73173dd5879cd19b6d517b5f2454390884ea87490da72cb2e37b5d476132f96415a68b209ce740c7b1c4f

    • SSDEEP

      196608:LIRcbH4jSteTGvwxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOf:LdHsfuwxwZ6v1CPwDv3uFteg2EeJUO9E

    Score
    7/10
    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Uses Tor communications

      Malware can proxy its traffic through Tor for more anonymity.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
