bitrat

General

Target

Gr93837650.vbs
Size

300.0MB
Sample

231013-qazg6shh6w
MD5

59b421c51cdf1ac9d35f879a0e5fc4f8
SHA1

9e6363720a27f6e73f9330cf2c240ed9ffa4e9a7
SHA256

ae080dec7fd62072cfbf9e4fe793bba4565826c3587050b321192aaf6a797e1d
SHA512

60b1b23af5fc9f6b7bcc4a61a9eaabc13a12591670095a10d858728e1141ae1fb5ac3efb11665c6a2d4f4cb3e54b84e3fd0cad10c5eaa7fb8b7c4b28a4991dae
SSDEEP

3072:kuF45hc52e8+T+XlWC64MtfuEwjP5DlV28+f6jWfV6Qo8+RZ8:FFwlizf6jWfVeR

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937

exe.dropper

https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937

Extracted

Family

bitrat

Version

1.38

C2

bit9090.duckdns.org:9090

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Targets

- Target
  
  Gr93837650.vbs
- Size
  
  300.0MB
- MD5
  
  59b421c51cdf1ac9d35f879a0e5fc4f8
- SHA1
  
  9e6363720a27f6e73f9330cf2c240ed9ffa4e9a7
- SHA256
  
  ae080dec7fd62072cfbf9e4fe793bba4565826c3587050b321192aaf6a797e1d
- SHA512
  
  60b1b23af5fc9f6b7bcc4a61a9eaabc13a12591670095a10d858728e1141ae1fb5ac3efb11665c6a2d4f4cb3e54b84e3fd0cad10c5eaa7fb8b7c4b28a4991dae
- SSDEEP
  
  3072:kuF45hc52e8+T+XlWC64MtfuEwjP5DlV28+f6jWfV6Qo8+RZ8:FFwlizf6jWfVeR
Score

10^/10

bitrat zgrat rat trojan upx
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Detect ZGRat V1

ZGRat

Blocklisted process makes network request

Checks computer location settings

Drops startup file

UPX packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3