Live Stream VOD: BitRat Analysis (C++) - Part 2 (Patreon)
Content
In this Twitch stream we continue our three-part series on analyzing BitRat, a C++ RAT that is sold and generally used for eCrime activity but has also been linked to nation-state backed targeted attacks.
The functionality of this RAT is fairly straightforward, but its use of the C++ Standard Template Library makes reverse engineering a challenge. In this stream we try to use BinDiff to annotate our IDB with the IDB of an older version of BitRat, which was generously donated by KrabsOnSecurity.
We also discover that Lumina has incorrect function definitions for STL types, and we attempt to reconstruct the STL string types using a forked version of the HexRaysPyTools plugin from Mishap.
Heads UP: if you just want to learn how the BitRat config works and want a static extractor, you can skip ahead to Part 3 of the series.
Heads UP Part 2: We ultimately use an incorrect struct definition for std::string, which is why our IDB ends up messed up. If you want to see the correct definition, skip ahead to Part 3!
Sample
Packed: 5e1ea26f5575e26857b209695de82207a04de0b0dc06f3645f776cc628440c46 [Malware Bazaar]
Unpacked: 91e994fe2f5d97c9c7a8267ac900bd08d66c6e997397d01ccd15c0b301d98ea3 [Malshare]