Manual Static Analysis (LLM-assisted) — BitRAT Discord CDN Dead-Drop | Threat: CRITICAL

File Identity

SHA256: bfba1372de8815592db5b58d15e36ecfad1428bd34aea1161b3552cedbc6ca49
Size: 30,720 bytes
Language: .NET Framework

C2 / Dead-Drop Infrastructure

Discord CDN dead-drop detected!
The stage 2 payload is hidden on the Discord CDN as an MP3 file.
Discord CDN URL: https://cdn.discordapp.com/attachments/1217028370865455188/1222062384437526538/Fdliipctaw.mp3
Discord Channel ID: 1217028370865455188
File Name: Fdliipctaw.mp3 (payload disguised as an MP3)
HMAC: 76c14076f197408a74d02bd5e16b3cfd0651a02372cd195e0f28026e0e131609

Discord CDN Abuse Technique

Discord CDN (cdn.discordapp.com) is a freely accessible file-hosting service and is frequently used by threat actors to distribute malicious payloads. In this technique:

  • The stage 2 payload is uploaded as a Discord attachment named to look like a genuine MP3
  • Stage 1 (this sample, the loader) downloads the Discord CDN URL and executes it
  • The Discord CDN hides the malicious content behind what looks like ordinary file sharing
  • Network filters do not block the Discord CDN (legitimate service)
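Because the CDN host itself is legitimate, a defender's hook is the attachment download rather than the domain: a media-named attachment served with a non-media Content-Type, fetched by a non-browser client. The following triage script is an added example and not part of this report; it assumes a hypothetical proxy-log format (timestamp, client IP, method, URL, status, response Content-Type, bytes, quoted User-Agent) and uses constructed sample lines that reuse the attachment URL from the IOCs above.

```python
"""Triage proxy-log lines for Discord CDN dead-drop downloads.

Added example: the log format, sample lines and heuristics are constructed
for illustration; only the attachment URL comes from the report's IOCs.
"""
import re
from typing import Optional
from urllib.parse import unquote, urlparse

DISCORD_CDN_HOSTS = {"cdn.discordapp.com"}

# Extension -> MIME prefix a genuine media attachment should be served with.
EXPECTED_MIME = {
    ".mp3": ("audio/",), ".wav": ("audio/",), ".mp4": ("video/",),
    ".png": ("image/",), ".jpg": ("image/",), ".jpeg": ("image/",), ".gif": ("image/",),
}

# Hypothetical log record:
#   <ts> <client_ip> <method> <url> <status> <content_type> <bytes> "<user_agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+'
    r'(?P<status>\d{3})\s+(?P<ctype>\S+)\s+(?P<bytes>\d+)\s+"(?P<ua>[^"]*)"$'
)
# Discord attachment path: /attachments/<channel_id>/<attachment_id>/<filename>
ATTACHMENT_RE = re.compile(r"^/attachments/(?P<channel>\d+)/(?P<attachment>\d+)/(?P<name>[^/]+)$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(rec: dict) -> Optional[dict]:
    """Return an alert for a Discord attachment that looks like a masqueraded payload, else None."""
    u = urlparse(rec["url"])
    if u.hostname not in DISCORD_CDN_HOSTS:
        return None
    am = ATTACHMENT_RE.match(u.path)  # query string (e.g. signing params) is ignored
    if not am:
        return None
    name = unquote(am["name"])
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    ctype = rec["ctype"].split(";")[0].lower()
    reasons = []
    # Heuristic 1: media extension but the response is not media (extension masquerade).
    if ext in EXPECTED_MIME and not ctype.startswith(EXPECTED_MIME[ext]):
        reasons.append(f"extension {ext} but served as {ctype}")
    # Heuristic 2: fetched by something other than a browser or the Discord client
    # (a loader's HTTP stack typically sends an empty or library-default UA).
    ua = rec["ua"]
    if not ua.startswith(("Mozilla/", "Discord")):
        reasons.append(f"non-browser client: {ua or '<empty>'}")
    if not reasons:
        return None
    return {
        "client": rec["client"],
        "channel_id": am["channel"],
        "attachment_id": am["attachment"],
        "filename": name,
        "reasons": reasons,
    }


def scan(log_text: str) -> list:
    """Run triage over every parseable line and return the list of alerts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        alert = triage(rec)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log: line 1 reuses the attachment URL from this report's IOCs;
# the other lines are benign traffic with made-up IDs.
SAMPLE_LOG = """\
2024-03-26T10:01:02Z 10.0.0.15 GET https://cdn.discordapp.com/attachments/1217028370865455188/1222062384437526538/Fdliipctaw.mp3 200 application/octet-stream 204800 ""
2024-03-26T10:01:30Z 10.0.0.22 GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/song.mp3 200 audio/mpeg 4194304 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-03-26T10:02:00Z 10.0.0.22 GET https://example.org/index.html 200 text/html 512 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-03-26T10:02:10Z 10.0.0.31 GET https://cdn.discordapp.com/attachments/111111111111111111/333333333333333333/notes.png 200 image/png 2048 "Discord/1.0.9000 Electron"
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["client"], a["filename"], "channel", a["channel_id"], "|", "; ".join(a["reasons"]))
```

The channel and attachment IDs in each alert are worth keeping: the channel ID is stable across re-uploads, so it can be pivoted on even after the specific attachment is removed, and an allow-list of known Discord channel IDs used by the organisation narrows false positives without blocking the CDN outright.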

Known BitRAT Capabilities

  • Full remote access (files, commands, screen)
  • HVNC (Hidden VNC, a concealed desktop)
  • Cryptocurrency wallet theft
  • Keylogger + screenshots
  • System information collection
  • Reverse proxy
  • Botnet operation

IOC

SHA256: bfba1372de8815592db5b58d15e36ecfad1428bd34aea1161b3552cedbc6ca49
Discord CDN: cdn.discordapp.com/attachments/1217028370865455188/1222062384437526538/Fdliipctaw.mp3
Discord Channel: 1217028370865455188
Stage 2 File: Fdliipctaw.mp3 (fake name)

BitRAT — Malware Profile

BitRAT is a commercial RAT. It uses golink.com as a dead-drop C2, fully disables Windows Defender/SmartScreen/Security Guard, and manipulates SCMConfig/LSA.

Malware Type: RAT
Programming Language: C++
C2 Protocol: TCP
Target Systems: Windows

Technical Details

C++, AES-256 encryption, TCP, Hidden VNC (UltraVNC-based), HVNC, keylogger, stealer, built-in XMRig miner, UAC bypass (CMSTPLUA/COMPUTERDEFAULTS), DDoS module

Capabilities & Behavior

Remote Access & Control
Keylogger
Screenshot
Webcam Access
File Management
Process Management
Command Execution
Persistence Mechanism

IOC List (1 indicator)

IOC — BitRAT
Type     Value                                                              Note
sha256   bfba1372de8815592db5b58d15e36ecfad1428bd34aea1161b3552cedbc6ca49   —

C2 Servers (3 recorded servers for this family)

Address                                                                                          Type    Port  Protocol  Status    Country
cdn.discordapp.com                                                                               domain  443   —         active    —
185.246.188.67                                                                                   ip      9999  TCP       inactive  RU
cdn.discordapp.com/attachments/1217028370865455188/1222062384437526538/Fdliipctaw.mp3            domain  443   —         inactive  —

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
bitrat, discord-cdn, dead-drop, stage2, mp3-masquerade, rat, dotnet