General
-
Target
6c2597fdd22234c2e738ca0d8f05be66_JaffaCakes118
-
Size
3.2MB
-
Sample
241022-2dvh6szckk
-
MD5
6c2597fdd22234c2e738ca0d8f05be66
-
SHA1
1d7b0760ff254f2858f14d6effd25de2b9d24d45
-
SHA256
3daa9cf8cbf7cfc41b3167b7906177338a992e00a4441b9ce6f9c2eb81b66ffa
-
SHA512
e5e8a99d071372b428674362e35e809e3baaea2de5a2d3fdda88f814de1200307f38a794214034889bec3183910e1ed08e393d74b5a910f20c30a20c7e093255
-
SSDEEP
24576:QkcetLrKpZRQ5zSLHMLj0G46jlV7cmjl94j9srIq7w0HqOT7IsMCfrXB4h8iaVAz:Q6xKH8siNjTSi7j1DXyh8ij0En
Malware Config
Extracted
bitrat
1.38
favorali.duckdns.org:2331
-
communication_password
81dc9bdb52d04dc20036dbd8313ed055
-
tor_process
tor
Targets
-
-
Target
6c2597fdd22234c2e738ca0d8f05be66_JaffaCakes118
-
Size
3.2MB
-
MD5
6c2597fdd22234c2e738ca0d8f05be66
-
SHA1
1d7b0760ff254f2858f14d6effd25de2b9d24d45
-
SHA256
3daa9cf8cbf7cfc41b3167b7906177338a992e00a4441b9ce6f9c2eb81b66ffa
-
SHA512
e5e8a99d071372b428674362e35e809e3baaea2de5a2d3fdda88f814de1200307f38a794214034889bec3183910e1ed08e393d74b5a910f20c30a20c7e093255
-
SSDEEP
24576:QkcetLrKpZRQ5zSLHMLj0G46jlV7cmjl94j9srIq7w0HqOT7IsMCfrXB4h8iaVAz:Q6xKH8siNjTSi7j1DXyh8ij0En
Score10/10-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-