Resubmissions

12-04-2024 13:18

240412-qj2nwsdg6z 10

12-04-2024 13:18

240412-qj13csdg6y 10

12-04-2024 13:18

240412-qj1rladg6x 10

12-04-2024 13:18

240412-qjz53aag26 10

12-04-2024 13:18

240412-qjzvasag25 10

09-04-2024 03:59

240409-ekaq1sea34 10

09-04-2024 03:58

240409-ej1aaadh98 10

09-04-2024 03:58

240409-ejnw9adh85 10

09-04-2024 03:55

240409-eg8tmshd41 10

17-02-2024 23:58

240217-31gfhacd52 10

General

  • Target

    stub_tor.exe

  • Size

    7.8MB

  • Sample

    240412-qj1rladg6x

  • MD5

    c76390d9e1052d9e708940d67b5c135d

  • SHA1

    a370a73a9dd746584428e8a939288ecffd3c80f7

  • SHA256

    caf48b67e7bb94a178426fc7ce6b9ed50ffb2f3813a7c68900f21bfffb24e44f

  • SHA512

    4d2d38d8719cdac8a406cfa96944ee99d2d926511e64d6b6aa964d40d0d9ddb1dc6e4e6253bcb1e77b32613c0b4409ab32ea54c476018fee963574edb043dd3b

  • SSDEEP

    196608:oIRcbH4jSteTGvExwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOf:odHsfuExwZ6v1CPwDv3uFteg2EeJUO9E

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

7sbl4dpbubwjjghdquwg47fyq7rookd4bgm2ypm2kjzkivd7tomvczqd.onion:440

Attributes
  • communication_password

    4124bc0a9335c27f086f24ba207a4912

  • install_dir

    Minecraft

  • install_file

    Runtime_Broker

  • tor_process

    tor

Targets

    • Target

      stub_tor.exe

    • Size

      7.8MB

    • MD5

      c76390d9e1052d9e708940d67b5c135d

    • SHA1

      a370a73a9dd746584428e8a939288ecffd3c80f7

    • SHA256

      caf48b67e7bb94a178426fc7ce6b9ed50ffb2f3813a7c68900f21bfffb24e44f

    • SHA512

      4d2d38d8719cdac8a406cfa96944ee99d2d926511e64d6b6aa964d40d0d9ddb1dc6e4e6253bcb1e77b32613c0b4409ab32ea54c476018fee963574edb043dd3b

    • SSDEEP

      196608:oIRcbH4jSteTGvExwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOf:odHsfuExwZ6v1CPwDv3uFteg2EeJUO9E

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks