BitRAT is a hacking tool currently sold in several hacking forums. The developer added a malicious code inside the BitRAT code that can steal files.

RAT can be used after performing hardware authentication on the user's PC, and the file theft function is activated only after a certain period of time. The class names that perform the file stealing function are as follows.

When the thread of the Registry class is created, the Start() function becomes the starting point, and the excluded file extension, included word, and excluded word are initialized.

After initialization is completed, a thread(StopException()) for file search purposes and a thread(ResetException()) for encrypting the content of the file and transmitting it to the BitRAT server are newly created.

The two threads communicate using the Message Queue.

File Explore targets the entire physical drive. In particular, files compressed with zip extensions are also included in the target.

If a file that meets the conditions is found, the path of the file and the encrypted file content are transmitted to the BitRAT server.

Send URL : https://dazwsbqukb5y3xgl6qrmpdmbhk4tkuuuj2n2g73oiycwlj5b5zegmtad[.]onion/auth[.]php?h={PCHWID}

Method : POST Body : {Encrypted File Path, Contents}

BitRAT's server is Onion, so it is transmitted through Tor Proxy.

I will attach the cracked BitRAT file together.