bitrat | b3bdd33dcaf6d7453e5aca839f814ba5754b7b4f5b119890c8f4a16bf149c9ad | Triage

Submit
Reports

Overview

overview

Static

static

1

UpdateClean.js

windows7-x64

UpdateClean.js

windows10-2004-x64

Sharing

General

Target

UpdateClean.js
Size

5KB
Sample

240425-1vdfjsff4x
MD5

d6942e22893e95deea7bbe9d9f9e2a94
SHA1

4d002c2b134d52d0ce8a6715e1ab75b4dd36d4d9
SHA256

b3bdd33dcaf6d7453e5aca839f814ba5754b7b4f5b119890c8f4a16bf149c9ad
SHA512

b1969093839283c68928bd38f8ee0788d85ce71272e18e59316897b223b6d94178464360d7d0e204bd78ea315bfc452607f22a4fbc30686c8439f125124d3b80
SSDEEP

96:rBup4W/ul47KmtSzemZYSBTJABlaxVRo/JR3Ui7RDqG1+qnA++B+k+++8H+e7it5:rBu6W/N+qS1ZjJAixVRo/JR3N7RLr+ru

Score

10^/10

bitrat lumma persistence stealer trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

UpdateClean.js

Resource

win7-20240221-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

UpdateClean.js

Resource

win10v2004-20240226-en

bitrat lumma persistence stealer trojan upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://77.221.151.31/a/z.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://77.221.151.31/a/s.png

Extracted

Family

bitrat

Version

1.38

C2

77.221.151.31:4444

Attributes

communication_password
7b13ff385b95cf25d53088d6b7c5d890
tor_process
tor

Extracted

Family

lumma

C2

https://strollheavengwu.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Targets

- Target
  
  UpdateClean.js
- Size
  
  5KB
- MD5
  
  d6942e22893e95deea7bbe9d9f9e2a94
- SHA1
  
  4d002c2b134d52d0ce8a6715e1ab75b4dd36d4d9
- SHA256
  
  b3bdd33dcaf6d7453e5aca839f814ba5754b7b4f5b119890c8f4a16bf149c9ad
- SHA512
  
  b1969093839283c68928bd38f8ee0788d85ce71272e18e59316897b223b6d94178464360d7d0e204bd78ea315bfc452607f22a4fbc30686c8439f125124d3b80
- SSDEEP
  
  96:rBup4W/ul47KmtSzemZYSBTJABlaxVRo/JR3Ui7RDqG1+qnA++B+k+++8H+e7it5:rBu6W/N+qS1ZjJAixVRo/JR3N7RLr+ru
Score

10^/10

bitrat lumma persistence stealer trojan upx
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

bitratlummapersistencestealertrojanupx

© 2018-2024

Terms | Privacy