bitrat | 391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab | Triage

Submit
Reports

Overview

overview

Static

static

7

4b8fd05f24...18.exe

windows7-x64

4b8fd05f24...18.exe

windows10-2004-x64

Sharing

General

Target

4b8fd05f24e7dd6a8c77decf26006818_JaffaCakes118
Size

5.9MB
Sample

240715-1q8e5atdlb
MD5

4b8fd05f24e7dd6a8c77decf26006818
SHA1

756afe0c25d5bed2e17ab459fa86f6d78ed01cc2
SHA256

391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab
SHA512

45c544268e98cdcaa576617e7e6d39132b2836564c43721478b0b79708057b98fa3c67c5c2c95f19eafd12e14c9cba1b4d50442120e27fb7a1f63e2029357c4f
SSDEEP

98304:eVjLh6fL15rloC3QUTb3oaurBOxaY6qZNeyRb+VXukHnq6HOTUkAtnvOkNj++:7DX3QUv7uYIY6qpRbQHH9APAJOqj++

Score

10^/10

bitrat persistence trojan vmprotect

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

4b8fd05f24e7dd6a8c77decf26006818_JaffaCakes118.exe

Resource

win7-20240704-en

bitrat persistence trojan vmprotect

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

4b8fd05f24e7dd6a8c77decf26006818_JaffaCakes118.exe

Resource

win10v2004-20240709-en

bitrat persistence trojan vmprotect

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Extracted

Family

bitrat

Version

1.32

C2

178.159.39.203:5552

Attributes

communication_password
e48e13207341b6bffb7fb1622282247b
install_dir
driversmgr
install_file
servicemgrdriver.exe
tor_process
tor

Targets

- Target
  
  4b8fd05f24e7dd6a8c77decf26006818_JaffaCakes118
- Size
  
  5.9MB
- MD5
  
  4b8fd05f24e7dd6a8c77decf26006818
- SHA1
  
  756afe0c25d5bed2e17ab459fa86f6d78ed01cc2
- SHA256
  
  391a0926a39689253c6363a4138d05b6160e73032c97c4b9d6ed63ed8d1530ab
- SHA512
  
  45c544268e98cdcaa576617e7e6d39132b2836564c43721478b0b79708057b98fa3c67c5c2c95f19eafd12e14c9cba1b4d50442120e27fb7a1f63e2029357c4f
- SSDEEP
  
  98304:eVjLh6fL15rloC3QUTb3oaurBOxaY6qZNeyRb+VXukHnq6HOTUkAtnvOkNj++:7DX3QUv7uYIY6qpRbQHH9APAJOqj++
Score

10^/10

bitrat persistence trojan vmprotect
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bitratpersistencetrojanvmprotect

behavioral2

bitratpersistencetrojanvmprotect

© 2018-2024

Terms | Privacy