{
	"id": "50eb65ca-76a2-4a5c-a10a-20763513514e",
	"created_at": "2026-04-06T00:08:45.538327Z",
	"updated_at": "2026-04-10T03:20:28.023717Z",
	"deleted_at": null,
	"sha1_hash": "c2f2af55a208e6619090e2bd9ea274aeedff5143",
	"title": "Malware-Analysis-Reports/13e0f258cfbe3aece8a7e6d29ceb5697/README.md at master · Finch4/Malware-Analysis-Reports",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 84954,
	"plain_text": "Malware-Analysis-Reports/13e0f258cfbe3aece8a7e6d29ceb5697/README.md at\r\nmaster · Finch4/Malware-Analysis-Reports\r\nBy Finch4\r\nArchived: 2026-04-05 13:25:11 UTC\r\nMalware Analysis Report N°2\r\n(Analysis of BitRAT will be written soon; this is the analysis of the dropper)\r\nDate: 21/01/2021\r\nAuthor/s: Finch\r\nKey observation\r\nIndicators of compromise\r\nDelivery method\r\nSample identification\r\nFile name, type, size\r\nFile hashes\r\nAnti-virus identifiers\r\nDependencies\r\nSupported OS\r\nRequired libraries\r\nConfiguration file/s\r\nScript/s and Executable/s\r\nNetwork traffic\r\nSample identification\r\nInfection capabilities\r\nSelf-preservation capacity\r\nData leakage abilities\r\nRemote attacker interactions / C\u0026C\r\nObservations\r\nBehavioral analysis\r\nCode analysis\r\nDynamic code analysis\r\nMemory analysis\r\nSupporting figures\r\nLogs\r\nhttps://github.com/Finch4/Malware-Analysis-Reports/blob/main/13e0f258cfbe3aece8a7e6d29ceb5697/README.md\r\nStrings\r\nFunction listings\r\nScreenshots\r\nAdditional comments\r\nSummary of the analysis\r\nKey observation\r\nThe sample tries to defeat analysis by looking like a benign executable. 
All the malicious behaviour is driven by payloads stored in the executable's resources.\r\nIndicators of compromise\r\nDrops ywlpCPZYAwl.exe in %appdata%/Roaming\r\nDrops tmpC51F.tmp in %appdata%/Roaming\r\nRegSvcs.exe running on its own and continuously.\r\nDelivery method\r\nDelivery is by email.\r\nEmail example (thanks to abuse_ch):\r\nMalspam distributing BitRAT:\r\nHELO: mxout.fullmarket-4.vautronserver.de\r\nSending IP: 151.252.48.227\r\nFrom: Accounts Payable - Rinaldi finance@chalet-almhuette.at\r\nReply-To: z0ais@newpacifis.com\r\nSubject: Re: Re: Re: Payment processed (Overdues)\r\nAttachment: Payment_receipt.img (contains \"Payment Confirmation Paper - Customer Copy_pdf.exe\")\r\nBitRAT C2: 195.206.105.10:3988\r\nSample identification\r\nFile name, type, size\r\nFile name: Payment Confirmation Paper - Customer Copy_pdf.exe\r\nType: .NET\r\nSize: 4.39MB (4,607,488 bytes)\r\nSize on disk: 4.39MB (4,608,000 bytes)\r\nTargetFramework: .NETFramework,Version=v4.0\r\nAssembly title: Lerlibro INC\r\nAssembly company:\r\nAssembly product: Lerlibro INC\r\nFile hashes\r\n[Executable]\r\nMD5: 13e0f258cfbe3aece8a7e6d29ceb5697\r\nSHA1: 5890091bacde4d9d62ed76d32dfaefcaa5b988a4\r\nSHA256: 76e5467f267a4bca00af800094c3a92f6bd51de54737f07c533d091e2f219b40\r\nSHA384: 076302660926159d03b133500395d172ee7269491b173ef1aee002c179c0b612af161be3980191a569d9157e30627084\r\nSSDEEP: 98304:1Unj6PEASk4gI/UqE2mCAc1XdZ2aRmPCBvfq:1U+PEZkFIMX2mbcrFBC\r\nhuman-hash: lemon-zebra-robert-paris\r\nAnti-virus identifiers\r\nBitRAT\r\nDependencies\r\nSupported OS\r\n.NET [The target is Windows]\r\nRequired libraries\r\n.NET\r\nConfiguration file/s\r\nNone\r\nScript/s and Executable/s\r\nThe loaded executables are obfuscated with various techniques.\r\nNetwork 
traffic\r\n[Taken from JoeSandbox at the moment]\r\nbita.plumfixa.com\r\n149.154.167.220:443\r\nmyexternalip.com\r\n216.239.32.21\r\nSample identification\r\nInfection capabilities\r\nDrops BitRAT (a RAT)\r\nSelf-preservation capacity\r\nTries to detect a virtual machine. Scheduled task. Various encryption. [See the images for everything; unfortunately for a few images I did not capture the return values.] Process injection into RegSvcs.exe [C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe] MD5: 2867A3817C9245F7CF518524DFD18F28\r\nData leakage abilities\r\n[Not assessed here: this is the analysis of the dropper]\r\nRemote attacker interactions / C\u0026C\r\n[Taken from JoeSandbox at the moment]\r\napi.telegram.org\r\nhttps://api.telegram.org/bot1529818621:AAH0oTC63FmKKTVji9OyVqkhJRsIx42aBDU/getUpdates?offset=-56EBB3\r\nhttps://api.telegram.org/bot1529818621:AAH0oTC63FmKKTVji9OyVqkhJRsIx42aBDU/getUpdates?offset=-5BkIDB\r\nhttps://api.telegram.org/bot1529818621:AAH0oTC63FmKKTVji9OyVqkhJRsIx42aBDU/getUpdates?offset=-5DU/ge\r\nhttps://api.telegram.org/bot1529818621:AAH0oTC63FmKKTVji9OyVqkhJRsIx42aBDU/getUpdates?offset=-5FmKKT\r\nhttps://api.telegram.org/bot1529818621:AAH0oTC63FmKKTVji9OyVqkhJRsIx42aBDU/getUpdates?offset=-5LMEM\r\nhttps://api.telegram.org/bot1529818621:AAH0oTC63FmKKTVji9OyVqkhJRsIx42aBDU/getUpdates?offset=-5TVjiC\r\nObservations\r\nBehavioral analysis\r\nDrops and decrypts executables; reflective Invoke; Assembly.Load; Windows API imports. Drops \\AppData\\Local\\Temp\\tmpC51F.tmp [persistence] and \\AppData\\Roaming\\ywlpCPZYAwl.exe [used to call a method from the first sample that imports ResumeThread]. VM detection: see the screenshots section.\r\nProcess injection [target: RegSvcs.exe]\r\nCode analysis\r\nAt first glance the code looks like a normal, benign executable. 
Looking at the resources we find two suspicious items:\r\nAn image named \"StringComparison\"\r\nA string named \"UrlIdentityPermission\" [GZip compressed]\r\nThe method that initialises the malicious behaviour is object WeakReference(), in the class ProgIdRedirectionEntry() in the namespace Lerlibro_INC. The payload is first decoded by the function ArgCount [GZip decompress].\r\nDynamic code analysis\r\nOnce decoded, the assembly is loaded with Assembly.Load(), then GetType(\"System.Activator\").GetMethods()[2].Invoke() is called: the malware invokes a method of the loaded assembly, passing as parameters ConcurrentSet.ReadOnlyList, ConcurrentSet.PropagationFlags and Lerlibro_INC, where ConcurrentSet.ReadOnlyList is \"StringComparison\" and ConcurrentSet.PropagationFlags is \"kZYcCfRI\". The invoked method, tR, accepts three string parameters, extracts the payload from the StringComparison image resource and loads it. 
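The first unpacking step above (a GZip-compressed resource that decompresses to a .NET assembly and is handed to Assembly.Load) can be undone statically without running the dropper. The following is an added example, not code from the report or from the sample: it scans a byte buffer for gzip members, decompresses each one, and reports whether the result is a PE image. The resource layout, the decoy string and the fake PE it builds are constructed for the demo; the real sample's resource names (UrlIdentityPermission, StringComparison) are only used as labels.

```python
# Added example (not from the report): carve GZip-compressed payloads out of a
# binary, the way the dropper's ArgCount -> Assembly.Load chain is undone by an
# analyst. Resource names and the sample buffer below are constructed.
import gzip
import hashlib
import struct
import zlib

GZIP_MAGIC = bytes([0x1F, 0x8B, 0x08])   # ID1, ID2, CM=deflate


def looks_like_pe(blob):
    '''True if blob has an MZ header and the PE signature at e_lfanew.'''
    if len(blob) < 0x40 or blob[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == bytes([0x50, 0x45, 0x00, 0x00])


def carve_gzip_payloads(data):
    '''Scan data for gzip members, decompress each, and describe what came out.

    Returns a list of dicts: offset, consumed, size, is_pe, sha256.
    Bogus magic hits (random bytes that happen to be 1f 8b 08) and truncated
    streams are skipped rather than raising.
    '''
    found = []
    pos = data.find(GZIP_MAGIC)
    while pos != -1:
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip wrapper
        try:
            out = d.decompress(data[pos:])
        except zlib.error:
            out = b''
        if d.eof and out:
            # bytes of the buffer this member occupied (header + deflate + trailer)
            consumed = len(data) - pos - len(d.unused_data)
            found.append({
                'offset': pos,
                'consumed': consumed,
                'size': len(out),
                'is_pe': looks_like_pe(out),
                'sha256': hashlib.sha256(out).hexdigest(),
            })
            pos = data.find(GZIP_MAGIC, pos + consumed)
        else:
            pos = data.find(GZIP_MAGIC, pos + 1)
    return found


def build_fake_pe(payload_text):
    '''Constructed stand-in for a dropped .NET assembly: MZ stub + PE signature.'''
    hdr = bytearray(0x80)
    hdr[:2] = b'MZ'
    struct.pack_into('<I', hdr, 0x3C, 0x40)            # e_lfanew
    hdr[0x40:0x44] = bytes([0x50, 0x45, 0x00, 0x00])   # PE signature
    return bytes(hdr) + payload_text.encode()


def build_sample_image():
    '''Constructed resource section: junk, a bogus magic, a gzip of a PE, and
    a gzip of plain text (a decoy that is not an executable).'''
    junk = b'ResourceTable....' + GZIP_MAGIC + b'not really gzip' + b'.' * 8
    inner_pe = gzip.compress(build_fake_pe('second stage marker'))
    decoy = gzip.compress(b'UrlIdentityPermission decoy string')
    return junk + inner_pe + b'--pad--' + decoy + b'....'


if __name__ == '__main__':
    for hit in carve_gzip_payloads(build_sample_image()):
        print(hit)
```

Run it against the real dropper by reading the file and passing its bytes to carve_gzip_payloads; hits with is_pe set are candidates for the embedded second stage and their sha256 values can be compared against the hashes in the File hashes section. The decompressobj call is used instead of gzip.decompress so that trailing bytes after a member do not raise, and the unused_data length tells the scanner where to resume.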
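The C\u0026C section above lists repeated calls to api.telegram.org/bot<id>:<token>/getUpdates, which is how a Telegram bot polls for operator messages. The following is an added example, not code from the report: it classifies proxy log lines by Telegram Bot API method, separates command polling from exfiltration-style calls, and groups hits by client and bot id so a single host polling a bot stands out. The log lines and the bot token in them are constructed placeholders, not the real indicators.

```python
# Added example (not from the report): flag Telegram Bot API polling in proxy
# logs and pull out the bot id so it can be used as an IOC. The log lines are
# constructed; the token in them is a made-up placeholder.
import re
from urllib.parse import urlsplit

# path of a Bot API call: /bot<numeric id>:<token>/<method>
BOT_URL = re.compile(r'^/bot([0-9]+):([A-Za-z0-9_-]+)/([A-Za-z]+)')

# methods a bot calls to receive operator commands versus to send data out
COMMAND_METHODS = {'getUpdates'}
EXFIL_METHODS = {'sendMessage', 'sendDocument', 'sendPhoto'}

SAMPLE_LOG = [
    # constructed proxy lines: client, HTTP method, url
    '10.0.0.5 GET https://api.telegram.org/bot1234567890:AAEexample-token_NOTREAL/getUpdates?offset=-5',
    '10.0.0.5 POST https://api.telegram.org/bot1234567890:AAEexample-token_NOTREAL/sendDocument',
    '10.0.0.9 GET https://web.telegram.org/k/',
    '10.0.0.7 GET https://api.telegram.org/bot42:badtoken/getMe',
    '10.0.0.9 GET https://myexternalip.com/raw',
]


def classify_telegram_line(line):
    '''Return None for unrelated lines, else a dict describing the bot call.'''
    parts = line.split()
    if len(parts) != 3:
        return None
    client, _http_method, url = parts
    u = urlsplit(url)
    if u.hostname != 'api.telegram.org':
        return None
    m = BOT_URL.match(u.path)
    if not m:
        return None
    bot_id, token, api_method = m.groups()
    if api_method in COMMAND_METHODS:
        role = 'c2-poll'
    elif api_method in EXFIL_METHODS:
        role = 'exfil'
    else:
        role = 'other'
    return {
        'client': client,
        'bot_id': bot_id,
        # keep only a prefix: the full token grants control of the bot
        'token_prefix': token[:4],
        'api_method': api_method,
        'role': role,
    }


def summarize(lines):
    '''Group hits by (client, bot_id) so one polling host stands out.'''
    summary = {}
    for line in lines:
        hit = classify_telegram_line(line)
        if hit is None:
            continue
        key = (hit['client'], hit['bot_id'])
        summary.setdefault(key, set()).add(hit['role'])
    return summary


if __name__ == '__main__':
    for (client, bot_id), roles in summarize(SAMPLE_LOG).items():
        print(client, 'bot', bot_id, sorted(roles))
```

The bot id is the stable part of the URL and is safe to share as an indicator; the token is a credential for the bot and should be handled like one, which is why the output keeps only a short prefix. Bot API traffic is rare from workstations, so a host that both polls getUpdates and posts sendDocument to the same bot id is a strong signal of the behaviour described in the C\u0026C section.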
[See the screenshots for more dynamic code analysis]\r\nMemory analysis\r\nNone\r\nSupporting figures\r\nLogs\r\nStrings\r\nFunction listings\r\nKjL() is the first function responsible for detecting the virtual machine.\r\nflag11 holds the result of KjL().\r\norg.a6() calls CompareString on the current username in an attempt to detect a virtual machine.\r\nor.VD() calls Contains on the sample's file name in an attempt to detect an analysis environment.\r\ndP.djP() is another virtual machine detection function.\r\nScreenshots\r\n[Not everything is in order]\r\n[Missing arguments]\r\n[Missing arguments]\r\n[This screenshot is named \"trick\" because of the !=: it returns true if no VM is detected]\r\n[See vmdetectionsnippet.cpp to understand]\r\n[AutoIt detection]\r\n[See vmdetectionsnippet2.cpp to understand]\r\n[if flag11 == true, a VM was detected]\r\n[case 0 == VM detected]\r\n[Video about the function nmI is forthcoming]\r\nAdditional comments\r\nThe dropper is similar to others seen delivering different malware families.\r\nSource: https://github.com/Finch4/Malware-Analysis-Reports/blob/main/13e0f258cfbe3aece8a7e6d29ceb5697/README.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/Finch4/Malware-Analysis-Reports/blob/main/13e0f258cfbe3aece8a7e6d29ceb5697/README.md"
	],
	"report_names": [
		"README.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775434125,
	"ts_updated_at": 1775791228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c2f2af55a208e6619090e2bd9ea274aeedff5143.pdf",
		"text": "https://archive.orkl.eu/c2f2af55a208e6619090e2bd9ea274aeedff5143.txt",
		"img": "https://archive.orkl.eu/c2f2af55a208e6619090e2bd9ea274aeedff5143.jpg"
	}
}