Malpedia family identifier: win.bit_rat

BitRAT


There is no curated description at this point. The references below characterize BitRAT as a commodity Windows remote access trojan: Trend Micro reports it among the RAT payloads delivered by the HCrypt crypter and in APT-C-36 spam campaigns, and the KrabsOnSecurity analyses describe a hidden browser and SOCKS5 proxy capability and characterize the code base as largely copy-pasted from other malware (the string-based rule below is named for code the analyst attributes to TinyNuke and includes an "AVE_MARIA" marker string).

References
2021-09-20 — Trend Micro — Aliakbar Zahravi, William Gamazo Sanchez
@online{zahravi:20210920:water:63df486, author = {Aliakbar Zahravi and William Gamazo Sanchez}, title = {{Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads}}, date = {2021-09-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html}, language = {English}, urldate = {2021-09-22} } Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads
Ave Maria BitRAT LimeRAT Nanocore RAT NjRAT Quasar RAT
2021-09-13 — Trend Micro — Jaromír Hořejší, Daniel Lunghi
@online{hoej:20210913:aptc36:d6456f8, author = {Jaromír Hořejší and Daniel Lunghi}, title = {{APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)}}, date = {2021-09-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt}, language = {English}, urldate = {2021-09-14} } APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)
AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos
2021-09-13 — Trend Micro — Jaromír Hořejší, Daniel Lunghi
@online{hoej:20210913:aptc36:9b97238, author = {Jaromír Hořejší and Daniel Lunghi}, title = {{APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs}}, date = {2021-09-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html}, language = {English}, urldate = {2021-09-14} } APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs
AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos
2021-09-03 — Trend Micro — Mohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-07-12 — Cipher Tech Solutions — Melissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:a3c66bf, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {Cipher Tech Solutions}, url = {https://www.ciphertechsolutions.com/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-12 — IBM — Melissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:1f66418, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {IBM}, url = {https://securityintelligence.com/posts/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-03-17 — HP — HP Bromium
@techreport{bromium:20210317:threat:3aed551, author = {HP Bromium}, title = {{Threat Insights Report Q4-2020}}, date = {2021-03-17}, institution = {HP}, url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf}, language = {English}, urldate = {2021-03-19} } Threat Insights Report Q4-2020
Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader
2021-02-16 — Check Point — Check Point Research
@online{research:20210216:apomacrosploit:91549e1, author = {Check Point Research}, title = {{ApoMacroSploit: Apocalyptical FUD race}}, date = {2021-02-16}, organization = {Check Point}, url = {https://research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/}, language = {English}, urldate = {2021-02-20} } ApoMacroSploit: Apocalyptical FUD race
BitRAT
2021-01-22 — Github (Finch4) — Finch
@online{finch:20210122:malware:dd89716, author = {Finch}, title = {{Malware Analysis Report No2}}, date = {2021-01-22}, organization = {Github (Finch4)}, url = {https://github.com/Finch4/Malware-Analysis-Reports/blob/main/13e0f258cfbe3aece8a7e6d29ceb5697/README.md}, language = {English}, urldate = {2021-01-26} } Malware Analysis Report No2
BitRAT
2020-09-04 — KrabsOnSecurity — Mr. Krabs
@online{krabs:20200904:bitrat:bd0d3cd, author = {Mr. Krabs}, title = {{BitRAT pt. 2: Hidden Browser, SOCKS5 proxy, and UnknownProducts Unmasked}}, date = {2020-09-04}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/}, language = {English}, urldate = {2020-09-05} } BitRAT pt. 2: Hidden Browser, SOCKS5 proxy, and UnknownProducts Unmasked
BitRAT WebMonitor RAT
2020-08-22 — KrabsOnSecurity — Mr. Krabs
@online{krabs:20200822:bitrat:ce5d899, author = {Mr. Krabs}, title = {{BitRAT – The Latest in Copy-pasted Malware by Incompetent Developers}}, date = {2020-08-22}, organization = {KrabsOnSecurity}, url = {https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/}, language = {English}, urldate = {2020-08-25} } BitRAT – The Latest in Copy-pasted Malware by Incompetent Developers
BitRAT
Yara Rules
[TLP:WHITE] win_bit_rat_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_bit_rat_auto {

    // Code-sequence signature for BitRAT (Malpedia: win.bit_rat), generated by
    // YARA-Signator rather than hand-written. Each $sequence_N below is a run
    // of seven x86 instructions lifted from disassembly of unpacked/dumped
    // samples (see the DISCLAIMER). Call targets and absolute operands
    // (e8????????, ff15????????, 68????????, 8b0d????????) are wildcarded, which
    // presumably keeps the pattern from being pinned to one link address.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        // malpedia_version (20201023) differs from date / malpedia_rule_date
        // (20201222); presumably the former is the dataset snapshot the rule
        // was generated from and the latter the generation date.
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Review notes for practitioners:
    //  * The annotated disassembly uses 32-bit registers and ebp/esp-relative
    //    operands throughout, so this is an x86-32 signature; a 64-bit build of
    //    the family would need a separate rule.
    //  * "score = 100" on each sequence is emitted by the generator; its
    //    meaning is not documented here — do not read it as a confidence level.
    //  * Byte-exact code patterns are more brittle than string rules across
    //    recompiles/compiler changes: re-validate against newer samples before
    //    relying on the rule for coverage, and treat a hit as high-precision
    //    rather than high-recall.

    strings:
        $sequence_0 = { f7ea 0facd00d 2943fc c1fa0d 83e901 75e4 8b7510 }
            // n = 7, score = 100
            //   f7ea                 | imul                edx
            //   0facd00d             | shrd                eax, edx, 0xd
            //   2943fc               | sub                 dword ptr [ebx - 4], eax
            //   c1fa0d               | sar                 edx, 0xd
            //   83e901               | sub                 ecx, 1
            //   75e4                 | jne                 0xffffffe6
            //   8b7510               | mov                 esi, dword ptr [ebp + 0x10]

        $sequence_1 = { ffb658010000 e8???????? 6a00 68???????? ffb660010000 e8???????? 6a00 }
            // n = 7, score = 100
            //   ffb658010000         | push                dword ptr [esi + 0x158]
            //   e8????????           |                     
            //   6a00                 | push                0
            //   68????????           |                     
            //   ffb660010000         | push                dword ptr [esi + 0x160]
            //   e8????????           |                     
            //   6a00                 | push                0

        $sequence_2 = { e8???????? c645fc03 53 ff15???????? ff15???????? 8d45cc 50 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   8d45cc               | lea                 eax, [ebp - 0x34]
            //   50                   | push                eax

        $sequence_3 = { e8???????? 8bd8 6a00 6a00 85db 7504 6a41 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   85db                 | test                ebx, ebx
            //   7504                 | jne                 6
            //   6a41                 | push                0x41

        $sequence_4 = { f20f110424 50 e8???????? 83c428 8bb574ffffff 0f57c9 f20f104608 }
            // n = 7, score = 100
            //   f20f110424           | movsd               qword ptr [esp], xmm0
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c428               | add                 esp, 0x28
            //   8bb574ffffff         | mov                 esi, dword ptr [ebp - 0x8c]
            //   0f57c9               | xorps               xmm1, xmm1
            //   f20f104608           | movsd               xmm0, qword ptr [esi + 8]

        $sequence_5 = { f7c200010000 7552 80be3c01000010 7549 0fb78e56010000 bf01010000 0fafcf }
            // n = 7, score = 100
            //   f7c200010000         | test                edx, 0x100
            //   7552                 | jne                 0x54
            //   80be3c01000010       | cmp                 byte ptr [esi + 0x13c], 0x10
            //   7549                 | jne                 0x4b
            //   0fb78e56010000       | movzx               ecx, word ptr [esi + 0x156]
            //   bf01010000           | mov                 edi, 0x101
            //   0fafcf               | imul                ecx, edi

        $sequence_6 = { f644242401 895c2410 7413 83faff 0f84f5000000 42 89542414 }
            // n = 7, score = 100
            //   f644242401           | test                byte ptr [esp + 0x24], 1
            //   895c2410             | mov                 dword ptr [esp + 0x10], ebx
            //   7413                 | je                  0x15
            //   83faff               | cmp                 edx, -1
            //   0f84f5000000         | je                  0xfb
            //   42                   | inc                 edx
            //   89542414             | mov                 dword ptr [esp + 0x14], edx

        $sequence_7 = { ff7514 50 ff750c 57 e8???????? 83c420 5f }
            // n = 7, score = 100
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   50                   | push                eax
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c420               | add                 esp, 0x20
            //   5f                   | pop                 edi

        $sequence_8 = { eb0e 8b07 8bcf ff5004 84c0 7430 8b7f04 }
            // n = 7, score = 100
            //   eb0e                 | jmp                 0x10
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8bcf                 | mov                 ecx, edi
            //   ff5004               | call                dword ptr [eax + 4]
            //   84c0                 | test                al, al
            //   7430                 | je                  0x32
            //   8b7f04               | mov                 edi, dword ptr [edi + 4]

        $sequence_9 = { ffb486a8010000 56 e8???????? 8b0d???????? 83c420 8bf0 ff742428 }
            // n = 7, score = 100
            //   ffb486a8010000       | push                dword ptr [esi + eax*4 + 0x1a8]
            //   56                   | push                esi
            //   e8????????           |                     
            //   8b0d????????         |                     
            //   83c420               | add                 esp, 0x20
            //   8bf0                 | mov                 esi, eax
            //   ff742428             | push                dword ptr [esp + 0x28]

    condition:
        // Any 7 of the 10 sequences must be present. The filesize cap
        // (19405824 bytes, ~18.5 MiB) bounds scan cost and appears to be a
        // generator-chosen bound rather than a property of BitRAT; be aware
        // that it silently excludes larger inputs such as big memory dumps.
        7 of them and filesize < 19405824
}
[TLP:WHITE] win_bit_rat_w0   (20200828 | String-based rule for detecting BitRAT malware payload)
rule win_bit_rat_w0 {
    // String-based signature for the unpacked BitRAT payload, taken from the
    // KrabsOnSecurity write-up in meta.source. Two string groups are combined:
    //   $tinynuke_paste* - plain ASCII strings that the author labels as code
    //                      pasted from TinyNuke-derived sources (one carries an
    //                      "AVE_MARIA" marker). Most of these also occur in
    //                      benign software — browser-profile-related names,
    //                      shell/taskbar names, a loopback address — so each one
    //                      is weak on its own.
    //   $commandline*    - UTF-16LE ("wide") command-line switches; these are
    //                      the more specific part of the rule.
    meta:
        author = "KrabsOnSecurity"
        // NOTE: not zero-padded (2020-8-22) unlike the ISO dates in the
        // auto-generated rule; harmless for matching, but tooling that parses
        // meta dates may trip on it.
        date = "2020-8-22"
        description = "String-based rule for detecting BitRAT malware payload"
        source = "https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/"
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat"
    malpedia_version = "20200828"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"
    strings:
        // Shared/generic strings: the condition requires 8 of 10, so one or
        // two missing or altered strings do not break the match.
        $tinynuke_paste1 = "TaskbarGlomLevel"
        $tinynuke_paste2 = "profiles.ini"
        $tinynuke_paste3 = "RtlCreateUserThread"
        // NOTE(review): "127.0.0.1" is ubiquitous and adds almost no
        // discrimination; it is tolerated only because of the 8-of-10 threshold.
        $tinynuke_paste4 = "127.0.0.1"
        $tinynuke_paste5 = "Shell_TrayWnd"
        $tinynuke_paste6 = "cmd.exe /c start "
        $tinynuke_paste7 = "nss3.dll"
        $tinynuke_paste8 = "IsRelative="
        $tinynuke_paste9 = "-no-remote -profile "
        $tinynuke_paste10 = "AVE_MARIA"
        
        // Command-line switches stored as UTF-16LE; these carry most of the
        // discriminating weight.
        $commandline1 = "-prs" wide
        $commandline2 = "-wdkill" wide
        $commandline3 = "-uac" wide
        $commandline4 = "-fwa" wide
    condition:
        // Both groups must hit: 8 of the 10 ASCII strings AND 3 of the 4 wide
        // switches. There is deliberately no PE-header or filesize guard, so
        // the rule also fires on headerless memory dumps; if you add
        // uint16(0) == 0x5A4D for on-disk scanning, keep a variant without it
        // for dumps. Plain strings are not visible inside a packed/crypted
        // dropper (e.g. the HCrypt-delivered samples in the references), so
        // apply this to unpacked payloads or process memory.
        (8 of ($tinynuke_paste*)) and (3 of ($commandline*))
}