BISTROMATH

By GoldSparrow in Trojans

The BISTROMATH RAT (Remote Access Trojan) is a newly uncovered piece of malware that seems to be the creation of North Korean cybercriminals. Cyber crooks and hacking groups from North Korea do not tend to target regular users online. Instead, they usually go after high-ranking government officials or large companies.

The BISTROMATH malware includes a set of checks that help it determine whether it is being executed in a sandbox environment or on a regular system. To find this out, the BISTROMATH Trojan checks for:

  • Usernames and computer names that are known to be used by certain cybersecurity vendors.
  • The presence of software tools used for malware debugging.
  • The presence of VM (Virtual Machine) artifacts such as MAC addresses, registry entries, system drivers, services and others.
  • Active processes that are linked to various malware debugging applications and utilities.
  • Certain hardware settings that are commonly used on VMs.

If the BISTROMATH RAT determines that it is running on a regular system and not a VM used for malware debugging, it will proceed with the attack as intended. The BISTROMATH malware is equipped to carry out three tasks to gain persistence on the compromised computer:

  • Copy its executable to the Windows Startup folder.
  • Set up a Registry key that makes sure the threat is executed every time the user restarts the computer.
  • Create a new scheduled task, which would be executed hourly.

When the BISTROMATH threat gains persistence on the infected host successfully, it will connect to the attackers' C&C (Command & Control) server. The authors of the BISTROMATH malware will be able to execute numerous tasks on the compromised system, including:

  • Collecting files that are deemed to be of interest.
  • Collecting data from the user's clipboard.
  • Collecting cookies from the user's Web browser.
  • Collecting saved login credentials from the user's Web browser.
  • Recording the keystrokes of the user.
  • Executing remote commands.
  • Compiling a list of the active processes.
  • Managing the active processes.
  • Managing Windows services.
  • Taking screenshots of the user's desktop and active windows.

Malware researchers believe that the BISTROMATH RAT may belong to the arsenal of the HIDDEN COBRA hacking group, also known as the Lazarus APT (Advanced Persistent Threat). This hacking group is one of the most prominent cybercrime organizations in North Korea.

File Details:

Sample: 1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39
Name: 688890DDBF532A4DE7C83A58E6AA594F
Name: ss.exe
Size: 1102926 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 688890ddbf532a4de7c83a58e6aa594f
SHA1: d8f6a7f32c929ce9458691447ff1cf6d180588c8
SHA256: 1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39
SHA512: 8484bea6adf27c2323632c3e94f91eb313e341622b5696b0d24105be1f24fa356f5fceb8fcf691e2d309fd24f7d8bb41fd7b682c29193128a0ed55e9ef3df3b1
ssdeep: 24576:kgWxnOH3vvS+7nD03glQ1J6cS2lvyip5HkRpB7T4IRMh3y:kgWZMvSKnY3DJLSoORT7ThAC
Entropy: 7.951069

Sample: 618a67048d0a9217317c1d1790ad5f6b044eaa58a433bd46ec2fb9f9ff563dc6
Name: 0AE8A7B6B4D70C0884095629FC02C19C
Name: CAgent11.exe
Size: 13498368 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 0ae8a7b6b4d70c0884095629fc02c19c
SHA1: 9efa2d68932ff24cb18eb7e35aa5f91ce99596e8
SHA256: 618a67048d0a9217317c1d1790ad5f6b044eaa58a433bd46ec2fb9f9ff563dc6
SHA512: 08f724812cbeff4020ac3fb07cafec5cde17f53f4644d554351cf4056907a6363d5b21ed3720976820307b43a543e81c6cc27c241f4449fd92aae6ad58b75995
ssdeep: 196608:Klq/1ui17DaLU1l4O5dm/+f99FLOyomFHKnPG:GcvlmLMg/299F
Entropy: 5.658332

Sample: b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32
Name: 26520499A3FC627D335E34586E99DE7A
Name: ADManager.exe
Size: 1120318 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 26520499a3fc627d335e34586e99de7a
SHA1: df10c097e42dbe7ea4478a984c5e2ab586147519
SHA256: b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32
SHA512: 898ab1a1cd5a731e94a7b4c0a274e81092fe6de2ea888b3db2d22cf4d0bacbbb36f486152ff10f61f054091aee421f00d89a8741fce0f370cc14d80a62f77bc3
ssdeep: 24576:3gWPfTO4H59Z6PTvnh2gf2JfvoioZ74XKBpNCY+SOToKMcxGa52w:3gW3S4Z9ATcggox4wpwYq9Mcx3B
Entropy: 7.953591

Sample: 738ba44188a93de6b5ca7e0bf0a77f66f677a0dda2b2e9ef4b91b1c8257da790
Name: C51416635E529183CA5337FADE82758A
Name: server.exe
Size: 947200 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: c51416635e529183ca5337fade82758a
SHA1: 830368d88b661d09c084e484713effb8d230d328
SHA256: 738ba44188a93de6b5ca7e0bf0a77f66f677a0dda2b2e9ef4b91b1c8257da790
SHA512: 244b67e0b9e9ab2fa6ccceeb4ad71207f1d8371af9c69af93bcc15cc8b592aca54e9c241d439b94ed28923d4622050fccdc38b326a8d15b824301cf0aae46cb0
ssdeep: 24576:9oV9SPwODditnxk93QKTrCEgqAGYOEgJZ+0Mn:9o2I2du23QxErv7ESZ+7n
Entropy: 6.703705

Sample: 04d70bb249206a006f83db39bbe49ff6e520ea329e5fbb9c758d426b1c8dec30
Name: 96071956D4890AEBEA14ECD8015617CC
Name: CAgent11.exe
Size: 7014400 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 96071956d4890aebea14ecd8015617cc
SHA1: 49e16180795034a4888fff776968e29871f79340
SHA256: 04d70bb249206a006f83db39bbe49ff6e520ea329e5fbb9c758d426b1c8dec30
SHA512: 29abd5fa0c24e42916631f830b6860027dcefdfd320978bee389e55f4f04278668ec4cfb67e5b1c8b7133338cc0fb09ffae28c5cf6d5226d1f9e44381db17c41
ssdeep: 98304:SC6l4uHxECiYwS2BsszjfisjJiBg1pDClmMFLOAkGkzdnEVomFHKnP:P44uHi0mFi+1p+FLOyomFHKnP
Entropy: 5.907837

Sample: 43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c
Name: 83833f8dbdd6ecf3a1212f5d1fc3d9dd
Size: 905216 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 83833f8dbdd6ecf3a1212f5d1fc3d9dd
SHA1: 77a2272633eb64e4c16f8ea4466dba59ecc92292
SHA256: 43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c
SHA512: cda12a75b1d6524fe8856d6ef359ab58785e2c56ca4fec613b851a6730d24b8141dfdd00fba62f2865b8cc4606e85b258c02d71ccd45fcde769514eea88b23ff
ssdeep: 24576:AECw5N98knVurfj9gbYX91XdKo1ldrtD9:AECwz9fqfj59NwuldrF
Entropy: 6.710436

Sample: 133820ebac6e005737d5bb97a5db549490a9f210f4e95098bc9b0a7748f52d1f
Name: a21171923ec09b9569f2baad496c9e16
Size: 922624 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: a21171923ec09b9569f2baad496c9e16
SHA1: 35ba8e39e6c8234ad55baf27130bb696179b7681
SHA256: 133820ebac6e005737d5bb97a5db549490a9f210f4e95098bc9b0a7748f52d1f
SHA512: c1775b68b6b083323780150f6da654c6bcaf313b298fd243047402a0d0ec5631f8c90ed7ccc28ff4c1eaf2666e671b9c0f6bc068ca9e0655740834b31fa62bd9
ssdeep: 12288:KsukuhRC+VmUmEViUUwsaXpx3U09S5j4J6dxLqm1JaSjyQiEyDlZk7SxTmgaA6i:pukuhRC+Vr24v3qhdDaSuQCBZk7SUAB
Entropy: 6.678910
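The file details above are most useful when they can be applied mechanically to files on a host or in a quarantine share. The following script is an added example written for this page; it is not code from the original write-up or from any security vendor. It embeds the seven SHA256/MD5 pairs and file sizes listed above, streams files through the same four digests the page records, and reports matches with SHA256 treated as authoritative and MD5-only hits flagged as weaker evidence. Function names (hash_file, match_digests, scan_directory, table_is_consistent) are this example's own; nothing about the malware's behaviour beyond the listed hashes is assumed.

```python
import hashlib
from pathlib import Path
from typing import Iterator, Optional, Tuple

# Indicators copied from the page's "File Details" section: SHA256 -> MD5, name, size.
# Two samples are listed on the page without a human-readable file name (name=None).
BISTROMATH_SAMPLES = {
    "1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39":
        {"md5": "688890ddbf532a4de7c83a58e6aa594f", "name": "ss.exe", "size": 1102926},
    "618a67048d0a9217317c1d1790ad5f6b044eaa58a433bd46ec2fb9f9ff563dc6":
        {"md5": "0ae8a7b6b4d70c0884095629fc02c19c", "name": "CAgent11.exe", "size": 13498368},
    "b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32":
        {"md5": "26520499a3fc627d335e34586e99de7a", "name": "ADManager.exe", "size": 1120318},
    "738ba44188a93de6b5ca7e0bf0a77f66f677a0dda2b2e9ef4b91b1c8257da790":
        {"md5": "c51416635e529183ca5337fade82758a", "name": "server.exe", "size": 947200},
    "04d70bb249206a006f83db39bbe49ff6e520ea329e5fbb9c758d426b1c8dec30":
        {"md5": "96071956d4890aebea14ecd8015617cc", "name": "CAgent11.exe", "size": 7014400},
    "43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c":
        {"md5": "83833f8dbdd6ecf3a1212f5d1fc3d9dd", "name": None, "size": 905216},
    "133820ebac6e005737d5bb97a5db549490a9f210f4e95098bc9b0a7748f52d1f":
        {"md5": "a21171923ec09b9569f2baad496c9e16", "name": None, "size": 922624},
}

# Reverse index so a feed that only carries MD5s can still be matched.
MD5_TO_SHA256 = {v["md5"]: k for k, v in BISTROMATH_SAMPLES.items()}

DIGESTS = ("md5", "sha1", "sha256", "sha512")


def hash_bytes(data: bytes) -> dict:
    """Return the same digests the page lists, as lowercase hex."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in DIGESTS}


def hash_file(path: Path, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through all four digests without loading it fully into memory."""
    hashers = {alg: hashlib.new(alg) for alg in DIGESTS}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_digests(digests: dict, size: Optional[int] = None) -> Optional[dict]:
    """Match computed digests against the indicator table.

    SHA256 is authoritative. An MD5-only hit is still reported, but marked as
    weaker evidence: MD5 collisions are practical, and a feed may carry only MD5.
    When a size is supplied it is compared with the size the page records.
    """
    sha256 = digests.get("sha256", "").lower()
    md5 = digests.get("md5", "").lower()
    if sha256 in BISTROMATH_SAMPLES:
        key, confidence = sha256, "high"
    elif md5 in MD5_TO_SHA256:
        key, confidence = MD5_TO_SHA256[md5], "md5-only"
    else:
        return None
    entry = BISTROMATH_SAMPLES[key]
    return {
        "sha256": key,
        "confidence": confidence,
        "name": entry["name"],
        "size_matches": size is None or size == entry["size"],
    }


def scan_directory(root: Path) -> Iterator[Tuple[Path, dict]]:
    """Yield (path, match) for every regular file under root that matches an indicator."""
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            digests = hash_file(path)
        except OSError:
            continue  # unreadable (permissions, locked): skip rather than abort the scan
        hit = match_digests(digests, size=path.stat().st_size)
        if hit:
            yield path, hit


def _is_hex(value: str, length: int) -> bool:
    return len(value) == length and all(c in "0123456789abcdef" for c in value)


def table_is_consistent() -> bool:
    """Sanity-check the embedded table: well-formed digests, unique MD5s, positive sizes."""
    sha_ok = all(_is_hex(k, 64) for k in BISTROMATH_SAMPLES)
    md5_ok = all(_is_hex(v["md5"], 32) and v["size"] > 0 for v in BISTROMATH_SAMPLES.values())
    return sha_ok and md5_ok and len(MD5_TO_SHA256) == len(BISTROMATH_SAMPLES)


if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for path, hit in scan_directory(root):
        print(f"{path}: BISTROMATH indicator match ({hit['confidence']}), sha256={hit['sha256']}")
```

Run it as `python bistromath_ioc.py /path/to/quarantine` to walk a directory tree. A hash matcher only catches the exact builds listed here; recompiled or repacked variants will not hit, so the output should be read as confirmation of a known sample rather than as proof of absence.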

Aliases

14 security vendors flagged this file as malicious.

Anti-Virus Software Detection
- Backdoor.Androm.Win32.44606
- Backdoor.Androm
- TrendMicro TROJ_FR.7170E263
- TrendMicro Backdoor/W32.Androm.1102926
- trojan.injector
- Symantec Backdoor.Tidserv
- Sophos Troj/Inject-ETF
- Trojan.Win32.Androm.ghyuau
- Microsoft Trojan:Win32/Agentesla!MTB
- McAfee Trojan-Injector.c
- K7AntiVirus Riskware ( 0040eff71 )
- Ikarus Trojan.Win32.Injector
- Trojan.GenericKD.41987827 (B)
- Win32/Injector.DQTY trojan variant

File System Details

BISTROMATH may create the following file(s):
# File Name MD5 Detections
1. 1ea6b3e99bbb67719c56ad07f5a12501855068a4a866f92db8dcdefaffa48a39 688890ddbf532a4de7c83a58e6aa594f
2. 618a67048d0a9217317c1d1790ad5f6b044eaa58a433bd46ec2fb9f9ff563dc6 0ae8a7b6b4d70c0884095629fc02c19c
3. b6811b42023524e691b517d19d0321f890f91f35ebbdf1c12cbb92cda5b6de32 26520499a3fc627d335e34586e99de7a
4. 738ba44188a93de6b5ca7e0bf0a77f66f677a0dda2b2e9ef4b91b1c8257da790 c51416635e529183ca5337fade82758a
5. 04d70bb249206a006f83db39bbe49ff6e520ea329e5fbb9c758d426b1c8dec30 96071956d4890aebea14ecd8015617cc
6. 43193c4efa8689ff6de3fb18e30607bb941b43abb21e8cee0cfd664c6f4ad97c 83833f8dbdd6ecf3a1212f5d1fc3d9dd
7. 133820ebac6e005737d5bb97a5db549490a9f210f4e95098bc9b0a7748f52d1f a21171923ec09b9569f2baad496c9e16