bitrat

Sharing

Copy URL

Twitter E-mail

General

Target

FalconV1.7.rar
Size

13.0MB
Sample

240831-wqhggsxfle
MD5

ced1063699129fd8def3d82c5eff54eb
SHA1

52a9ebcba9525d19bb7de4eca92cd3e597fe82c2
SHA256

8c91dbc3e4dbb2931374d7ce7604d747eaa75466229f9e56d9854150a4b284f1
SHA512

609fedbb7bffb70e3b266532d45d586bfb1078cc3751870d30bc927c242352b098ca99aac473123e0b6ae9f8667471cf5aca9c4c071a090764e690de9669081e
SSDEEP

196608:GuSkkM2+cEFI3u2GdURW+DFohvAEk3uyE0NqvhNeLwKkngMiWkSVh0hmLa91nMt:GuSkYEFEusoOV+yE0NqvzJgMHwmd

Score

10^/10

Malware Config

Extracted

Family

bitrat

Version

1.38

23.105.131.195:49645

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
tor_process
tor

Targets

- Target
  
  FalconV1.7/Chrome Hook Function/CefSharp.BrowserSubprocess.Core.dll
- Size
  
  912KB
- MD5
  
  67e9fdff12286ad0ff11aa7e8a7775d9
- SHA1
  
  245ec015e953bb395cf5d1e4f54804166daeaf68
- SHA256
  
  b184f42ad13993a963700ad40400d401e398a46f72056f5907b6acdff986c63d
- SHA512
  
  42c068e0b157fa5bd9ec9be977c1ec44712fc78909efb64961dc1e34d6c7fccc7af6bb685e847f32da9fe9124a215ad3adea08317279851c8ffd2761a3b47870
- SSDEEP
  
  24576:uVK+vDCBGb9UKpUzXoiYehQspQ8SdWHubiWyzIrQK0OXPOlNce+pi:RcUKpUzXoiYehQspQ8SdWHubiWyzIrQO
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  FalconV1.7/Chrome Hook Function/CefSharp.Core.dll
- Size
  
  1.3MB
- MD5
  
  a44554d38b7a25a7ab2320fe731c5298
- SHA1
  
  c287a88fd3a064b387888f4bbc37a0630c877253
- SHA256
  
  35980974bdba6d5dd6a4dc1072e33aab77f72f56c46779cb0216e4801dcc36ab
- SHA512
  
  bd8956b7e8ca6d1129fbbb950dd913183b3e92601c2c900aed26d695782e4663654ac57074e1f0f2efcf9cced969487162910dc9bb52b42572d61994b07f2aad
- SSDEEP
  
  24576:yXIdphyvfDVKyFnp89jCbBNr0s7HQAqcwYhPolDexla9e6dhkOi0nK+++evP4ZcC:HsJKyzNr0s7HQAqcwYhPolDexla9e6dp
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  FalconV1.7/Chrome Hook Function/CefSharp.Wpf.dll
- Size
  
  83KB
- MD5
  
  1533d9b2ed991ad4fecef548dc762565
- SHA1
  
  7a0664cc6bdc5ffd23c4aba43fa7b2acdfe949f4
- SHA256
  
  8e6e874d51f654c1c081cd1658a2e4ad8e3b92e74f9406e8c4eb34d354ab8791
- SHA512
  
  710677d3c6ebff9da638d22a3ae800eb12ba947aad9acb4e42f9e9268ade1b8dde680b4aa135121851285943aecc0fc9be85c5ca8a269d6857b35e905c7b7c12
- SSDEEP
  
  1536:VdX1kcRoMy1tkZBjxQVhfcmzedNTppNCSyh1FPmyGx8Nge8Fu/mGmDtcOd:VdFLoMk24ClwNge8FPGMf
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  FalconV1.7/Chrome Hook Function/CefSharp.dll
- Size
  
  219KB
- MD5
  
  92defcf3ee31db03999e8ea41742f8f8
- SHA1
  
  2d5a94c029e1ac0df07a2055f03ca3d77ceb76b6
- SHA256
  
  d3873ec8cf9a80b3b5691445cd0f6d2a38f5a2432864d7fa372b751bad54e891
- SHA512
  
  d58f4c6bf526ed5e19bbb9c36db8fa192c63eb770b8bb5cebef0e1baf69d35ec3e1367062b9d2af9aa654d97e9cdcecca9c12bc73d9097c38a9c7e6dc11f103a
- SSDEEP
  
  3072:dLU+ln+doWgHRVIceekE8Nb3+hwx6vOc5jOpP6AOSrzHnZpy:Rh+dYI4dwx6Oc5MPPpH
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  FalconV1.7/Chrome Hook Function/cef_100_percent.pak
- Size
  
  639KB
- MD5
  
  f9584dcc12af247be531f348c856f65a
- SHA1
  
  6c78561f7641a0a68a3a668e45a4d72962ffd878
- SHA256
  
  5d1dc0f08500369842b83750a07d3dd0230b3246c492784b5cb26cba2c4a40d4
- SHA512
  
  55f611be62ca6e2cf9736bd8b68d0a0c7a5468d650e96863bd3322e7d5e845887313b8e45125d9e1a9608a455726fc769f01049d47e983a5aeebc910555e79d7
- SSDEEP
  
  6144:1wAiHcSjalRrd0E6mdXR31wLzwVyT5TNhx5c1YC7x10fSucY7OP2ITQ:1wA2h5Tbgf1d/dQ
Score

3^/10

execution
behavioral10 behavioral9
- Target
  
  FalconV1.7/Chrome Hook Function/cef_200_percent.pak
- Size
  
  790KB
- MD5
  
  498133d9ffbdee7d8996cbd4cbd944da
- SHA1
  
  eb26f9e98509931e22c18c2a469a698bfef0b5fd
- SHA256
  
  b362be1e8853b97afb22d6611b6c480127ef7a478c79d8ef7b3cbc070e4abaab
- SHA512
  
  a2ccd21ce6302f7552f31217aeebd6a7399eac9829d0240346bc0512bad940a2f04108fccb821e13c43b18f6f0a665d3bda25da6099b899d699b60082074ddf2
- SSDEEP
  
  6144:nAiHcSjalRrd0E6mdXR31wZDQYaR+9bGHgs4jTl+TNNz73QYV85u/oFYvwoytKiM:nA22fIegs4jTITDg5u/oFFpxLlFYb
Score

3^/10

execution
behavioral11 behavioral12
- Target
  
  FalconV1.7/Chrome Hook Function/cef_extensions.pak
- Size
  
  1.7MB
- MD5
  
  79213c18bddffae6044263d883464200
- SHA1
  
  711ed6d95e1de97eda384aab9b9b102d7718641e
- SHA256
  
  858eceabe965e0dbe74b12d4403b9ad0fb1e23248bb2b0250f8d42e6229f7bb4
- SHA512
  
  6a172b56213926c6dc18afcb1d10c8e4d09e8a16cb7209bf0e3cd7f17b25992d0ef17ebb070ea14a684d37e00993b7db79dfddd8500433e99812c2e94f2fe6d7
- SSDEEP
  
  49152:Cecrl/5VsBDeI6OG1hdAKeGJIJzIe77HgryM726Y:gT1h8GItFgGMy6Y
Score

3^/10

execution
behavioral13 behavioral14
- Target
  
  FalconV1.7/Chrome Hook Function/chrome_elf.dll
- Size
  
  788KB
- MD5
  
  6499ea6b92ab4971886bd06c12625819
- SHA1
  
  5ebb75eeca7625b9511233158a02f50a92867a39
- SHA256
  
  6820f276c0d71557a0c7b997fd2f4a3ac6a45c86454c4dc3bcfa29843b5c470b
- SHA512
  
  e57703730e42eb9d80e762337e08176705b349f54fbd429edc657d44c9dc3a1f9ccfa594bc3ef622798aebb5bc69b225abb266b00f9b350ae59f734c2f31f63d
- SSDEEP
  
  12288:bCr6Tisy+fUv6cwQhl0j+iBQIR+ybWlkkswiS1cVlqoKe9+nIMQbNt:Wr6Tisy+fUv6cwQhlcbWFi8iDjD
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  FalconV1.7/Chrome Hook Function/d3dcompiler_47.dll
- Size
  
  3.5MB
- MD5
  
  587a415cd5ac2069813adef5f7685021
- SHA1
  
  ca0e2fe1922b3cdc9e96e636a73e5c85a838e863
- SHA256
  
  2ad0d4987fc4624566b190e747c9d95038443956ed816abfd1e2d389b5ec0851
- SHA512
  
  0fa0e89ea1c1cb27ac7f621feb484438e378a8f5675eca7a91f24e0569174bd848d470d6b3e237fe6ab27ca1eb1ecc09b5f044e53a6d98bf908e77ac511183e2
- SSDEEP
  
  49152:zjmJAksRXmBNgC9ITPPE8WHmy0HRZ+kyOzDJn5c5v5H3pqC23u6q+25omPEyXzjS:zy2Ckrj+kyOv2MJ+6q8kbqS/AF
Score

3^/10

discovery
behavioral17
- Target
  
  FalconV1.7/Falcon.exe
- Size
  
  2.1MB
- MD5
  
  005e76ae2d3af2cc2a001745d5e0afd9
- SHA1
  
  fa117b48f316b38db20887ba9b0138a07d686064
- SHA256
  
  a427b998ac966b5f8a4ec510205b075cfe7eaa102ac1d9e1ac0182a54cb33d2c
- SHA512
  
  2e5bb3e7d95230c012014184bb29ddbd56328fc8d63738ebf50923d5e86461d2f2511c32ca930d23eeec81b4a0d4ad54a4be0c782dfe01904a276a74636a1e8b
- SSDEEP
  
  49152:ftBEvg4rSx4YYKOvp+QoqkxR/NPmmRFyxGFrEN0FN63lSY:fQvg4G6YDxQoqkxBNPXmUylD
Score

10^/10

discovery execution persistence bitrat trojan
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral18 behavioral19
- Target
  
  FalconV1.7/SXL/sxlib.dll
- Size
  
  867KB
- MD5
  
  2643161dfcf2a81b82d43fafe6b15850
- SHA1
  
  8c32c26ecc539851a1c8284ab956a8ad9ac28f57
- SHA256
  
  e556d7f17cbc5f0f84578aced2272b80b962b6c21a3bb4b67539b5d6f4e9c30e
- SHA512
  
  2fde70c06fe6612d72383469e366ebad7c4c7e23457edf485b2dfd43a832f165205a73f4239312c6a1717a3b603ba9be1e8a6636ed90079e6051273e111e6811
- SSDEEP
  
  12288:mt6Z4yZEn16UZSrfeXbd778MM74Jh1uC+A3XvaoI0VHLK29uxyMNnrf4BtTdjqAU:/W1lZSrEb6RMJhcS3BI05m29uV52wT
Score

3^/10

discovery
behavioral20 behavioral21
- Target
  
  FalconV1.7/redis/D3DCompiler_43.dll
- Size
  
  2.0MB
- MD5
  
  1c9b45e87528b8bb8cfa884ea0099a85
- SHA1
  
  98be17e1d324790a5b206e1ea1cc4e64fbe21240
- SHA256
  
  2f23182ec6f4889397ac4bf03d62536136c5bdba825c7d2c4ef08c827f3a8a1c
- SHA512
  
  b76d780810e8617b80331b4ad56e9c753652af2e55b66795f7a7d67d6afcec5ef00d120d9b2c64126309076d8169239a721ae8b34784b639b3a3e2bf50d6ee34
- SSDEEP
  
  49152:DpX9JVeE9HP6Zpy9KyhMI50Du8LljslNsHSHFUq9OiapbbO5Akb:H3P9HP6Zpy9KyhMI50Du8LljslNsyHiS
Score

3^/10

discovery
behavioral22 behavioral23
- Target
  
  FalconV1.7/redis/xinput1_3.dll
- Size
  
  79KB
- MD5
  
  77f595dee5ffacea72b135b1fce1312e
- SHA1
  
  d2a710b332de3ef7a576e0aed27b0ae66892b7e9
- SHA256
  
  8d540d484ea41e374fd0107d55d253f87ded4ce780d515d8fd59bbe8c98970a7
- SHA512
  
  a8683050d7758c248052c11ac6a46c9a0b3b3773902cca478c1961b6d9d2d57c75a8c925ba5af4499989c0f44b34eaf57abafafa26506c31e5e4769fb3439746
- SSDEEP
  
  1536:TVeqvNS6T6jxeEsU6b0xZtDDVb9X8u9JA7zitdrz/R8cy/FaeBD:TVeqvNOeFgxZ9DVVtRBy/EeD
Score

3^/10

discovery
behavioral24 behavioral25
- Target
  
  FalconV1.7/vs/language/css/cssMode.js
- Size
  
  21KB
- MD5
  
  40a99739f89d382c92eb26f05a9a4497
- SHA1
  
  30e6c52658f49bf5c6103a95d1c3ed50d71b02f2
- SHA256
  
  d3108af9ffcdad3133345686646cafe3b628ad6b25a3758786b2aa7b7b51809d
- SHA512
  
  9011557bc41865dc6b44495174ea2f27c700e95dabdaa67d8bdd4b798a367a29cea91def2171c5176160f5791d7bfcc2cd65b58db4ded721ed2868e4198049e7
- SSDEEP
  
  384:h1kwG9aih9phed6ZwRVwCs8fTxUfyP0sYrkoJWMGIk8:aQih9pwd6KsuTxUfyFikkWMGC
Score

3^/10

execution
behavioral26 behavioral27
- Target
  
  FalconV1.7/vs/language/css/cssWorker.js
- Size
  
  489KB
- MD5
  
  152244e2ab4f663141e9466a8282ebe8
- SHA1
  
  e9c0e86fbc108600d3e42a6654c5de073607ddce
- SHA256
  
  288bb68a2c685957b5dc3e5353b1a03dc482b10858059063b99c1549d5fef01c
- SHA512
  
  112039647883a1cdb6a860ce1d2980562222b593508da1ea8c9838b7184e76f72de9eb68d2727ce12c78e3c0be7e85101591df6ebde1e73dcf8c2495c8454855
- SSDEEP
  
  6144:PhKjqIze+tAxt+A7zOM1L0G52ppgGDcoFGPL2gXwiOcFt+oiEipHxJKnVZPUsf:IqkA7zO/pUIPsf
Score

3^/10

execution
behavioral28 behavioral29
- Target
  
  FalconV1.7/vs/language/html/htmlMode.js
- Size
  
  18KB
- MD5
  
  c944ad9527d22b6ca6c0d54fd0723296
- SHA1
  
  ddfb323ded66de709fa8b05abe0ada931ac9dd43
- SHA256
  
  80d6f099563af129b4deff66f7b9d4dfb27ad0058dcb5b77d927e460022dafee
- SHA512
  
  3a6abb3a15401d28e4926ac008f991b7a19b359c8420d7e5bb6804061b6f82a2bedfb86823862e1ccfbc046e896cb1a5759199f7e723fd7b1b5e6aeb19f92f58
- SSDEEP
  
  192:hA6ZF2Cw7DrFcelxzEKfxmflhyLpYvws8edvt9vKVwZVtDFzp6RMSyotuK1sD5Sv:hJw7DTfAlhCpvedmw+MS+KOD5Sc7Pzo
Score

3^/10

execution
behavioral30 behavioral31
- Target
  
  FalconV1.7/vs/language/html/htmlWorker.js
- Size
  
  154KB
- MD5
  
  3f5802a91a29e4504d5cd2f10ac280b8
- SHA1
  
  368d01e59eaf25f164ab1d80b7f5d74b625b242d
- SHA256
  
  e80444d8fa519ff86e5c696a40843bc8392b2d3afb83118a2dd92da5497c9212
- SHA512
  
  2f3670227710c291e5e9136b2cac5c70421c2537b86219fe17ed33161136a08f5cb2069822b16a58ce377b6d1a265cf33215a1695bda5a701bae566410ce33e7
- SSDEEP
  
  3072:wNxSv2ym9FNq9m8iktJFu/TgHdcyDnLEOhUm3xSvp:wNxSv2ym9FNimBmFu/TgHdcgnLEOhUmE
Score

3^/10

execution
behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32