bitrat

Resubmissions

07-05-2024 12:28

240507-pnhadaac95 10

07-05-2024 12:28

07-05-2024 12:28

07-05-2024 12:28

07-05-2024 12:28

25-04-2024 13:10

Sharing

Copy URL

Twitter E-mail

General

Target

a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449
Size

7.8MB
Sample

240507-pnd8qaff8s
MD5

feb61ffde2dd829e738ea35dc8ee6208
SHA1

659e17fe8390c0494e1363c2ebd11333638fd56e
SHA256

a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449
SHA512

609d2a7950643bea16e353d73157429f304cd1807808becb6fd2c5bbeeb07c6583a98f0e76b7e051390771502cabc7bbda4360f53388867ab863c6f564fbd959
SSDEEP

196608:oIRcbH4jSteTGv1xwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOf:odHsfu1xwZ6v1CPwDv3uFteg2EeJUO9E

Score

10^/10

Malware Config

Extracted

Family

bitrat

Version

1.38

n7dua2r7ev3r6fsisszycs7fvy4a36epnfje5s7lz5eiduoxetqg55ad.onion:1235

Attributes

communication_password
99754106633f94d350db34d548d6091a
install_dir
temp
install_file
test1
tor_process
test2

Targets

- Target
  
  a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449
- Size
  
  7.8MB
- MD5
  
  feb61ffde2dd829e738ea35dc8ee6208
- SHA1
  
  659e17fe8390c0494e1363c2ebd11333638fd56e
- SHA256
  
  a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449
- SHA512
  
  609d2a7950643bea16e353d73157429f304cd1807808becb6fd2c5bbeeb07c6583a98f0e76b7e051390771502cabc7bbda4360f53388867ab863c6f564fbd959
- SSDEEP
  
  196608:oIRcbH4jSteTGv1xwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOf:odHsfu1xwZ6v1CPwDv3uFteg2EeJUO9E
Score

10^/10

bitrat persistence trojan upx
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

Unexpected DNS network traffic destination

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5