bitrat

General

Target

http://Scan vps
Sample

240721-jtg9nsyckq

Score

10^/10

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

158.58.168.61:1337

Attributes

communication_password
2fdbb4b27758a54f27d8f8cbb485787b
install_dir
system32
install_file
Windows Update.exe
tor_process
tor

Targets

- Target
  
  http://Scan vps
Score

10^/10

bitrat neshta discovery evasion persistence spyware stealer trojan upx
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Detect Neshta payload
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Contacts a large (10300) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Drops file in Drivers directory
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1