bitrat

Sharing

General

Target

RNSM00409.7z
Size

21.9MB
Sample

241028-ye23vstlds
MD5

2b3532d723da17993253cf1177d60353
SHA1

c3ba17fa6e7cba1d56b249d0172939a88479970f
SHA256

e9dcab6c8daf2d1e5e3bfb114abb6a712e3d88434f61e9e8a2e1fda67b12e0e6
SHA512

38b4d7ab086eba672aa5b562d669c345f20b5977c04440b306e34d6faac634409015ead030e74cc72fff612edb10bbba9b1b5d48cdd5b089a63a0d3242e65512
SSDEEP

393216:wtn7WUHzs1g6LuXtFVRCPbMzyBSUPNUz5udv8nH9jjiieVPSR7UMdka2G18hyHA9:qfkKnmPlXw5av8nH9q4YSka2XhyH8

Score

10^/10

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

fantomazzz.ddns.net:1604

Mutex

DC_MUTEX-WB00FV3

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
058yy4Fpjp6w
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Extracted

Path

C:\ProgramData\Microsoft\AppV\Setup\YOUR_FILES_ARE_ENCRYPTED.HTML

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width,initial-scale=1'> <title></title> <style> html, body { background-color: #1a1a1a; } body { padding-top: 3rem !important; } #text h2 { color: white; font-size: 2rem; font-weight: 600; line-height: 1.125; } .tabs { -webkit-overflow-scrolling: touch; align-items: stretch; display: flex; font-size: 1rem; justify-content: space-between; overflow: hidden; overflow-x: hidden; overflow-x: auto; white-space: nowrap; } .tabs ul { align-items: center; border-bottom-color: #454545; border-bottom-style: solid; border-bottom-width: 1px; display: flex; flex-grow: 1; flex-shrink: 0; justify-content: flex-start; } .tabs.is-toggle ul { border-bottom: none; } .tabs li { position: relative; } .tabs li { display: block; } .tabs.is-toggle li.is-active a { background-color: white; border-color: white; color: rgba(0, 0, 0, 0.7); z-index: 1; } .tabs.is-toggle li:first-child a { border-top-left-radius: 3px; border-bottom-left-radius: 3px; } .tabs li.is-active a { border-bottom-color: white; color: white; } .tabs.is-toggle a { border-color: #454545; border-style: solid; border-width: 1px; margin-bottom: 0; position: relative; } .tabs a { align-items: center; border-bottom-color: #454545; border-bottom-style: solid; border-bottom-width: 1px; color: white; display: flex; justify-content: center; margin-bottom: -1px; padding: 0.5em 1em; vertical-align: top; cursor: pointer; } .tabs.is-toggle li:last-child a { border-top-right-radius: 3px; border-bottom-right-radius: 3px; } .container { max-width: 1152px; max-width: ; flex-grow: 1; margin: 0 auto; position: relative; width: auto; } .box { background-color: #242424; color: white; display: block; padding: 1.25rem; border: 1px solid #303030; } blockquote { background: hsl(0, 0%, 20%); padding: 1rem; border-left: 3px solid #55a630; } a { color: #e55934; } </style> <script> let text = { en: `<h2> Whats Happen? </h2> We got your documents and files encrypted and you cannot access them. To make sure we�re not bluffing just check out your files. Want to recover them? Just do what we instruct you to. If you fail to follow our recommendations, you will never see your files again. During each attack, we copy valuable commercial data. If the user doesn’t pay to us, we will either send those data to rivals, or publish them. GDPR. Don’t want to pay to us, pay 10x more to the government. <h2> What Guarantees? </h2> We’re doing our own business and never care about what you do. All we need is to earn. Should we be unfair guys, no one would work with us. So if you drop our offer we won’t take any offense but you’ll lose all of your data and files. How much time would it take to recover losses? You only may guess. <h2> How do I access the website? </h2> <ul> <li><a href="https://torproject.org" target="_blank">Get TOR browser here</a></li> <li><a href="http://ebwexiymbsib4rmw.onion/chat.html?02bdb236e7-6243203978-aef6ef431d-f25834f73f-4a573293c4-c84bf12d55-3e19654a6b-2ce4bfa30c">Go to our website</a></li> </ul>`, de: `<h2> Was ist gerade passiert? </h2> Wir haben Ihre Dokumente und Dateien verschlüsselt und Sie können nicht mehr darauf zugreifen. Jeder Angriff wird von einer Kopie der kommerziellen Informationen begleitet. Um sicherzustellen, dass wir es ernst meinen, prüfen Sie einfach Ihre Dateien und Sie werden sehen. Möchten Sie sie wiederherstellen? Halten Sie sich einfach an unsere Anweisungen, um uns zu bezahlen. Tuen Sie dies nicht, werden Sie Ihre Dateien niemals wiedersehen. Im Falle einer Zahlungsverweigerung werden die Daten entweder an Wettbewerber verkauft oder in offenen Quellen bereitgestellt. GDPR. Wenn Sie uns nicht bezahlen möchten, zahlen Sie das Zehnfache an der Regierung. <h2> Wie sollten Sie uns trauen ? </h2> Wir machen unsere eigenen Geschäfte und kümmern uns nicht darum was Sie tunen. Wir müssen nur verdienen. Sollten wir einfach nur bluffen, würde niemand an uns zahlen. Wenn Sie unser Angebot ablehnen, werden Sie alle Ihre Daten für immer verlieren. Wie viel Zeit werden Sie brauchen um ihre Daten selber zu ersetzen ? Sie können es sich schon denken. <h2> Unsere Forderungen </h2> <ul> <li><a href="https://torproject.org" target="_blank">Holen Sie sich den TOR-Browser hier</a></li> <li><a href="http://ebwexiymbsib4rmw.onion/chat.html?02bdb236e7-6243203978-aef6ef431d-f25834f73f-4a573293c4-c84bf12d55-3e19654a6b-2ce4bfa30c">Gehen Sie auf unsere Website</a></li> </ul>`, fr: `<h2> Qu'est-ce qui vient de se passer? </h2> Nous avons crypté vos documents et fichiers et vous ne pouvez pas y accéder. Chaque attaque est accompagnée d'une copie des informations commerciales. Pour vous assurer que nous ne bluffons pas. Voulez-vous les restaurer? Faites juste ce que nous vous demandons, pour nous payer. Si vous ne suivez pas nos recommandations, vous ne verrez plus jamais vos fichiers. En cas de refus de paiement - les données seront soit revendues à des concurrents, soit diffusées dans des sources ouvertes. GDPR. Si vous ne voulez pas nous payer, payez x10 fois le gouvernement. <h2> Qu'en est-il des garanties? </h2> Nous faisons nos propres affaires et ne nous soucions jamais de ce que vous faites. Tout ce dont nous avons besoin est de gagner de l'argent. Si nous devions être injustes, personne ne travaillerait avec nous. Donc, si vous abandonnez notre offre, nous ne prendrons aucune infraction, mais vous perdrez toutes vos données et vos fichiers. Combien de temps faudrait-il pour récupérer les pertes? Vous pouvez seulement deviner. <h2> Comment puis-je accéder au site web? </h2> <ul> <li><a href="https://torproject.org" target="_blank">Téléchargez le navigateur TOR ici</a></li> <li><a href="http://ebwexiymbsib4rmw.onion/chat.html?02bdb236e7-6243203978-aef6ef431d-f25834f73f-4a573293c4-c84bf12d55-3e19654a6b-2ce4bfa30c">Allez sur notre site web</a></li> </ul>`, es: `<h2> ¿Lo que de pasar? </h2> Ya tenemos sus documentos y archivos encriptados y usted no puede acceder a ellos. Para asegurarse de que no estamos faroleando. ¿Quiere recuperarlos? Sólo haga lo que le indicamos. Si usted no sigue nuestras recomendaciones, usted nunca verá sus archivos. Durante cada ataque, copiamos los datos comerciales valiosos. Si el usuario no nos paga, enviaremos estos datos a sus rivales o los publicaremos. GDPR. No quiere pagarnos, paga 10 veces más al gobierno. <h2> ¿Qué pasa con las garantías? </h2> Estamos haciendo nuestro propio negocio y nunca nos importa lo que hace usted. Todo lo que necesitamos es ganar. Hay que ser injustos chicos, nadie trabajaría con nosotros. Entonces, si deja caer nuestras propuestas, no nos ofenderemos pero usted perderá todos sus datos y archivos. ¿Cuánto tiempo se requiere para recuperar las pérdidas? Sólo usted puede adivinar. <h2> ¿Cómo acceder al sitio web? </h2> <ul> <li><a href="https://torproject.org" target="_blank">Obtenga el navegador TOR aquí</a></li> <li><a href="http://ebwexiymbsib4rmw.onion/chat.html?02bdb236e7-6243203978-aef6ef431d-f25834f73f-4a573293c4-c84bf12d55-3e19654a6b-2ce4bfa30c">Vaya a nuestro sitio web</a></li> </ul>`, jp: `<h2> 何があったのですか？ </h2> ドキュメントとファイルを暗号化しました。それらにアクセスすることはできません。ブラフしないようにするには、ファイルをチェックアウトして、すべてが。それらを回復したいですか？ただやる指示すること。指示に従わない場合、ファイルは二度と表示されません。各攻撃中に、貴重な商用データをコピーします。ユーザーが当社に支払わない場合は、それらのデータをライバルに送信するか、公開します。 <h2> 何が保証されますか ? </h2> 私たちは私たち自身のビジネスを行っており、あなたが何をするかを気にしません。必要なのは稼ぐことだけです。私たちが不公平な人である場合、誰も私たちと一緒に働くことはありません。ですから、あなたが私たちの申し出をやめても、私たちは何の罪も犯しませんすべてのデータとファイルが失われます。損失を回復するのにどれくらい時間がかかりますか？推測するだけです。 <h2> Webサイトにアクセスするにはどうすればよいですか？ </h2> <ul> <li><a href=" https://torproject.org " target="_blank">ここで TORブラウザを入手 </a></li> <li><a href="http://ebwexiymbsib4rmw.onion/chat.html?02bdb236e7-6243203978-aef6ef431d-f25834f73f-4a573293c4-c84bf12d55-3e19654a6b-2ce4bfa30c">当社のウェブサイトにアクセス </a></li> </ul>` }; function sel_lang(event) { let active = document.getElementsByClassName('is-active')[0]; active.classList.remove('is-active'); event.target.parentElement.classList.add('is-active'); let lang = event.target.getAttribute('data-lang'); let el = document.getElementById('text'); el.innerHTML = text[lang]; } document.addEventListener("DOMContentLoaded", ()=>{ let el = document.getElementById('text'); el.innerHTML = text['en']; }); </script> </head> <body class='pt-6'> <div class='container'> <div class="tabs is-toggle"> <ul> <li class="is-active"><a onclick='sel_lang(event);' data-lang='en'>EN</a></li> <li class=""><a onclick='sel_lang(event);' data-lang='de'>DE</a></li> <li class=""><a onclick='sel_lang(event);' data-lang='fr'>FR</a></li> <li class=""><a onclick='sel_lang(event);' data-lang='es'>ES</a></li> <li class=""><a onclick='sel_lang(event);' data-lang='jp'>JP</a></li> </ul> </div> <div class='box'> <div id='text'></div> <div style='border: 1px solid red; padding: .5rem; font-size: 1.3rem; font-weight: 500; margin: 3rem 0;'> <div class='title is-4'> In case you decide not to cooperate, your private data will be published <a style='color: #46a049; text-decoration: underline;' target='_blank' href='http://nbzzb6sa6xuura2z.onion/'>here</a> or sold. </div> </div> <div style='margin-top: 2rem;'> <h2>Offline how-to</h2> <p>Copy & Paste this secret message to <a href="http://ebwexiymbsib4rmw.onion">this page</a> textarea field</p> <p><blockquote>31780cb47bbd5dddd3589b95721d116d0fc17522ce7da1280869616a3f85e888c8687d781de97c0fdbb6e15ae91e2387</blockquote></p> </div> </div> </div> </body> </html>��

Extracted

Family

growtopia

https://discord.com/api/webhooks/780416990140694560/Rv9Dt6aXO_jwSBUytdlrYD0xRmVZ-TRjS-VN_rVJyUGInUZG9tQ74zrBQkWp8ra_rO6t

https://discord.com/api/webhooks/780417200812064838/AxlXPJdiiiyzr1AD-VwaKwgmi1d_r6kSqhEOkzYbJoTaBN4Mi8BeaLGVanbylFg2lyte

Attributes

payload_url
https://cdn.discordapp.com/attachments/652852711808565258/780420698606272512/d.png

https://cdn.discordapp.com/attachments/652852711808565258/780420220920791060/AOh14GjonoJ9cL49y6uZta-q3iCNSa-rfYbkn6UPvgs68-c-k-c0x00ffffff-no-rj-mo.png

Extracted

Family

bitrat

Version

1.32

192.236.195.143:44220

Attributes

communication_password
4d528518d1e67adc6d7688e281f1028d
install_dir
windows
install_file
tst.exe
tor_process
tor

Targets

- Target
  
  RNSM00409.7z
- Size
  
  21.9MB
- MD5
  
  2b3532d723da17993253cf1177d60353
- SHA1
  
  c3ba17fa6e7cba1d56b249d0172939a88479970f
- SHA256
  
  e9dcab6c8daf2d1e5e3bfb114abb6a712e3d88434f61e9e8a2e1fda67b12e0e6
- SHA512
  
  38b4d7ab086eba672aa5b562d669c345f20b5977c04440b306e34d6faac634409015ead030e74cc72fff612edb10bbba9b1b5d48cdd5b089a63a0d3242e65512
- SSDEEP
  
  393216:wtn7WUHzs1g6LuXtFVRCPbMzyBSUPNUz5udv8nH9jjiieVPSR7UMdka2G18hyHA9:qfkKnmPlXw5av8nH9q4YSka2XhyH8
Score

10^/10

bitrat darkcomet gandcrab growtopia suncrypt guest16 backdoor collection credential_access discovery evasion persistence ransomware rat spyware stealer trojan upx
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Bitrat family
  bitrat
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Darkcomet family
  darkcomet
- Detected SunCrypt ransomware
  ransomware
- GandCrab payload
- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.
  ransomware backdoor gandcrab
- Gandcrab family
  gandcrab
- Growtopia
  Growtopa is an opensource modular stealer written in C#.
  stealer growtopia
- Growtopia family
  growtopia
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- SunCrypt Ransomware
  Family which threatens to leak data alongside encrypting files. Has claimed to be collaborating with the Maze ransomware group.
  ransomware suncrypt
- Suncrypt family
  suncrypt
- Suspicious use of NtCreateProcessExOtherParentProcess
- Windows security bypass
  evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Windows security modification
  evasion trojan
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1