General

  • Target: 9b035bad2b8a21fb2c57fd784c89b8d5.zip
  • Size: 4.8MB
  • Sample: 240831-m5p1fazepr
  • MD5: 64a7a6612bccb62bb840263d4cd80f9f
  • SHA1: 73c5c8029db46b5cb44c62258180fd369963f664
  • SHA256: 5bf9dba13b02a3ab17ff66bd3d4c0bffdbb707133d56882ba34f7c135db2323d
  • SHA512: f3a70dc44d8bd0c8b01c5409204bb68483342203a397583d8fb42e2b5ed614956c075051249f1d2a14bb55fa3d0843e98b38b49404fbc2b69c58b187e992df8a
  • SSDEEP: 98304:shjZ+eiSZ7LA+WzafXhl0FDwYxNA48duC3u4FD72R4FjezWiRoTlG0oH0xU49:shTis0zYhKwQ+TDFD72mE5RoTlOH5i

Malware Config

Extracted

  • Family: bitrat
  • Version: 1.32
  • C2: 7ix5nfolcp4ta4mk2dtihev73rw7d2edpbd5tp7sf7zgmpv66fpxnwqd.onion:80

Attributes
  • communication_password: e10adc3949ba59abbe56e057f20f883e
  • tor_process: dllhost

Targets

    • Target: 2d49873798ab5ee10992f377ebb27ee940b1f354b9ec4ebebe687177ea2b214c
    • Size: 7.6MB
    • MD5: 9b035bad2b8a21fb2c57fd784c89b8d5
    • SHA1: ee15fad65f3f22df7f54e218176c45d369ebb70f
    • SHA256: 2d49873798ab5ee10992f377ebb27ee940b1f354b9ec4ebebe687177ea2b214c
    • SHA512: 96c0189aba67db2f1c38affa5ac44665566ea17e20e5f749aef771739c81beb96bbcac8ea35aad80cffc9d492e23fcbaefbf03f72011d9bd1ccac36182466dde
    • SSDEEP: 196608:imEljesxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQUDxtw3iFFrS6XOfTV73cP:balxwZ6v1CPwDv3uFteg2EeJUO9WLjD/

    • BitRAT

      BitRAT is a remote access tool written in C++ that reuses leaked source code from other malware families.

    • BitRAT payload

    • ACProtect 1.3x - 1.4x DLL software

      Detects a file protected with ACProtect software.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to discover the infected system's external IP address.

    • Uses Tor communications

      The malware can proxy its traffic through Tor for greater anonymity.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks