Live Stream VOD: BitRat Analysis (C++) - Part 1 (Patreon)
Content
In this Twitch stream we take our first look at BitRat, a C++ RAT that is sold and generally used for eCrime activity but has also been linked to nation-state backed targeted attacks.
The functionality of this RAT is fairly straightforward, but its use of the C++ Standard Template Library makes reverse engineering a challenge. This simple analysis turned into a three-part series in which we tried various C++ analysis plugins and techniques rather than focusing on the RAT specifically.
In this stream we try the new version of FLARE FLOSS for string decryption, ClassInformer for run-time type information (RTTI) vtable annotation, and CAPA for functionality identification.
Heads up: if you just want to learn how the BitRat config works and want a static extractor, you can skip ahead to Part 3 of the series.
Sample
Packed 5e1ea26f5575e26857b209695de82207a04de0b0dc06f3645f776cc628440c46 [Malware Bazaar]
Unpacked 91e994fe2f5d97c9c7a8267ac900bd08d66c6e997397d01ccd15c0b301d98ea [Malshare]
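Before working with samples pulled from Malware Bazaar or Malshare, it is worth confirming that what was downloaded matches the hash quoted in the post. The helper below is an added example and not code from the stream or the BitRat project; it checks that a quoted hash is a well-formed SHA-256 digest before comparing it with a file's digest. Note that the unpacked hash as listed above is only 63 hex characters long, so the helper refuses to compare against it rather than silently reporting a mismatch. The sample bytes used in the test are constructed stand-ins, not malware.

```python
import hashlib
import re
import sys
from typing import Optional

# Hashes exactly as they appear in the post. The unpacked one is 63 hex
# characters on the page, i.e. it has been truncated somewhere in copying.
PACKED_SHA256 = "5e1ea26f5575e26857b209695de82207a04de0b0dc06f3645f776cc628440c46"
UNPACKED_SHA256_AS_LISTED = "91e994fe2f5d97c9c7a8267ac900bd08d66c6e997397d01ccd15c0b301d98ea"


def sha256_problem(value: str) -> Optional[str]:
    """Return None if `value` looks like a SHA-256 hex digest, else a short reason.

    Catches the two common ways a hash gets mangled on a web page: stray
    non-hex characters (backticks, dashes, spaces) and a wrong length
    (truncated or over-long copy/paste).
    """
    v = value.strip()
    if not re.fullmatch(r"[0-9a-fA-F]+", v):
        return "contains non-hex characters"
    if len(v) != 64:
        return f"{len(v)} hex chars, expected 64 (truncated or over-long copy)"
    return None


def sha256_hex(data: bytes) -> str:
    """Lowercase hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def matches_listed_hash(data: bytes, listed: str) -> bool:
    """Compare a sample's digest with a listed hash.

    A malformed listed hash raises instead of returning False, so a
    truncated IoC is never mistaken for "the file is different".
    """
    problem = sha256_problem(listed)
    if problem is not None:
        raise ValueError(f"listed hash is malformed: {problem}")
    return sha256_hex(data) == listed.strip().lower()


def check_file(path: str, listed: str) -> bool:
    """Hash a file on disk in chunks and compare it with `listed`."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    problem = sha256_problem(listed)
    if problem is not None:
        raise ValueError(f"listed hash is malformed: {problem}")
    return h.hexdigest() == listed.strip().lower()


if __name__ == "__main__":
    # Usage: python verify_sample.py <file> <expected-sha256>
    if len(sys.argv) != 3:
        print("usage: verify_sample.py <file> <expected-sha256>", file=sys.stderr)
        sys.exit(2)
    try:
        ok = check_file(sys.argv[1], sys.argv[2])
    except ValueError as exc:
        print(f"refusing to compare: {exc}", file=sys.stderr)
        sys.exit(2)
    print("match" if ok else "MISMATCH")
    sys.exit(0 if ok else 1)
```

Running the script against the unpacked sample with the hash as printed above exits with "refusing to compare: listed hash is malformed: 63 hex chars, expected 64", which is the cue to fetch the full digest from Malshare rather than trust the truncated copy.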