Resubmissions

10-04-2024 11:59

240410-n5sxrsaa2t 10

10-04-2024 11:59

240410-n5sl1aeg92 10

10-04-2024 11:59

240410-n5r1gaeg89 10

10-04-2024 11:59

240410-n5rdyaeg87 10

15-02-2024 02:33

240215-c16ghsfc23 10

General

  • Target

    9cba67b5a3086744c0d4f831079b319b

  • Size

    5.1MB

  • Sample

    240410-n5r1gaeg89

  • MD5

    9cba67b5a3086744c0d4f831079b319b

  • SHA1

    9db9ea7ad37fb54ada8486ce1bb5a4dab489186e

  • SHA256

    28323ee7a1adaee55fe254d8a6fad742294a4e7e0ad89589707da2a1a9e32486

  • SHA512

    57cdd4cc35e8148cfed304cce7af9d43df50acc5fe2ec3a85c72723ba18e6153f16031ced478273292dabd95005da4a145656285e932d85569333f9dc740b649

  • SSDEEP

    98304:NVJppwXSyo8skn3moI25UzSOVRBKrCqflZ+VJscvKgFl8jCP:7pOwu2t26uqRsnf2VXvD6jC

Malware Config

Extracted

Family

bitrat

Version

1.35

C2

4napo6g3cp6av4hmxmwzi5lyojpfk3i2kl2tpssb2wvidqsa3kzo6eyd.onion:80

Attributes
  • communication_password

    e10adc3949ba59abbe56e057f20f883e

  • tor_process

    windows32file

Targets

    • Target

      9cba67b5a3086744c0d4f831079b319b

    • Size

      5.1MB

    • MD5

      9cba67b5a3086744c0d4f831079b319b

    • SHA1

      9db9ea7ad37fb54ada8486ce1bb5a4dab489186e

    • SHA256

      28323ee7a1adaee55fe254d8a6fad742294a4e7e0ad89589707da2a1a9e32486

    • SHA512

      57cdd4cc35e8148cfed304cce7af9d43df50acc5fe2ec3a85c72723ba18e6153f16031ced478273292dabd95005da4a145656285e932d85569333f9dc740b649

    • SSDEEP

      98304:NVJppwXSyo8skn3moI25UzSOVRBKrCqflZ+VJscvKgFl8jCP:7pOwu2t26uqRsnf2VXvD6jC

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Modifies WinLogon for persistence

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks