Resubmissions

11-04-2024 07:23

240411-h79qeaee77 10

11-04-2024 07:22

240411-h7ha6aee65 10

11-04-2024 07:22

240411-h7g1dshf5x 10

11-04-2024 07:22

240411-h7gdvsee63 10

11-04-2024 07:22

240411-h7fsbshf5w 10

07-04-2024 08:58

240407-kxh6tahg75 10

07-04-2024 07:55

240407-jr6jgsgd3z 10

07-04-2024 07:54

240407-jrz2psgh28 10

07-04-2024 07:54

240407-jrvf8agd3w 10

07-04-2024 07:51

240407-jqb89agg76 10

General

  • Target

    6ec74da2134bd56250ca32be04b9b697

  • Size

    7.8MB

  • Sample

    240411-h7gdvsee63

  • MD5

    6ec74da2134bd56250ca32be04b9b697

  • SHA1

    d20ff3ed5ff0f49b10d6c06dbc5710fb910e2e28

  • SHA256

    1ab1a15e1e4a19c7d77a01f00de5d401bc7ab0ffaa33c332788aadeeedddc386

  • SHA512

    d4d71707f0d8e5d7473980ddebea9fe7764dd38cc3cb51e789336869f28425d5d42aa229cdaac08ba22bebdabf108bfeb8c5f30452f9fd2787275c2863e3fea2

  • SSDEEP

    196608:6CRAktw/6k1Juxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOfTVI:VRAktqJuxwZ6v1CPwDv3uFteg2EeJUOf

Malware Config

Extracted

Family

bitrat

Version

1.33

C2

bkc56e3jgy5zlfq7ialxyppztuh4dgranlyauupid4uc2ze5hg2cshqd.onion:80

Attributes
  • communication_password

    a0439c943ecd02cca78474e6b334f67e

  • install_dir

    Java_update

  • install_file

    java_update.exe

  • tor_process

    adobe

Targets

    • Target

      6ec74da2134bd56250ca32be04b9b697

    • Size

      7.8MB

    • MD5

      6ec74da2134bd56250ca32be04b9b697

    • SHA1

      d20ff3ed5ff0f49b10d6c06dbc5710fb910e2e28

    • SHA256

      1ab1a15e1e4a19c7d77a01f00de5d401bc7ab0ffaa33c332788aadeeedddc386

    • SHA512

      d4d71707f0d8e5d7473980ddebea9fe7764dd38cc3cb51e789336869f28425d5d42aa229cdaac08ba22bebdabf108bfeb8c5f30452f9fd2787275c2863e3fea2

    • SSDEEP

      196608:6CRAktw/6k1Juxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOfTVI:VRAktqJuxwZ6v1CPwDv3uFteg2EeJUOf

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks