Resubmissions

17-04-2024 14:54

240417-r96wzada86 10

17-04-2024 14:54

240417-r95znsee4v 10

17-04-2024 14:54

240417-r943dada82 10

17-04-2024 14:54

240417-r9353sda77 10

17-04-2024 14:54

240417-r93jjsee3x 10

15-04-2024 13:19

240415-qkln3afc75 10

10-04-2024 12:02

240410-n7v5xaeh49 10

10-04-2024 12:02

240410-n7vjdaaa8t 10

General

  • Target

    75bff99becc32bcbe56efbe7a75f4d45

  • Size

    7.0MB

  • Sample

    240410-n7s1jsaa7z

  • MD5

    75bff99becc32bcbe56efbe7a75f4d45

  • SHA1

    81bfcc77809161a5254a27d3d4d30548c96fcd5b

  • SHA256

    8c05da461e90984671ffd87f0e4e28e057cca4d32a0569764dcdcce2d545fac2

  • SHA512

    940af628585713a16e685eb5251c0b954bc014460cd4ca33226df2ef260f32af56223eaf1c341862fdf1669c6bafb6e7d9c5efbeb5e437ce5e2fd9905beece69

  • SSDEEP

    49152:uW/1GYdVTXN3r3+LXDIDAKpvuh3jwLN6/VNUKIdI9OiKuDbD2yvAkdm5wrgWX+5z:hXkZL/p

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

obqdy2u226qjiavs42z4z6zgcf6tefsoxaqzjvohmoy7kafdwgqgjkqd.onion:80

Attributes
  • communication_password

    d93b4f1ee6f5b875a4f7fcef966bd09a

  • tor_process

    WinSock

Targets

    • Target

      75bff99becc32bcbe56efbe7a75f4d45

    • Size

      7.0MB

    • MD5

      75bff99becc32bcbe56efbe7a75f4d45

    • SHA1

      81bfcc77809161a5254a27d3d4d30548c96fcd5b

    • SHA256

      8c05da461e90984671ffd87f0e4e28e057cca4d32a0569764dcdcce2d545fac2

    • SHA512

      940af628585713a16e685eb5251c0b954bc014460cd4ca33226df2ef260f32af56223eaf1c341862fdf1669c6bafb6e7d9c5efbeb5e437ce5e2fd9905beece69

    • SSDEEP

      49152:uW/1GYdVTXN3r3+LXDIDAKpvuh3jwLN6/VNUKIdI9OiKuDbD2yvAkdm5wrgWX+5z:hXkZL/p

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Detect ZGRat V1

    • Modifies WinLogon for persistence

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks