bitrat | 8c6def7156f6454a1808ed54b64cad4a73a6b3436e865c24093c30867521dfd1

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d9dfc0971be7360a5edb4152a085eec.exe
Size

5.2MB
MD5

8d9dfc0971be7360a5edb4152a085eec
SHA1

cd86740a05e8424179c9d9c72569441884e32f99
SHA256

8c6def7156f6454a1808ed54b64cad4a73a6b3436e865c24093c30867521dfd1
SHA512

1eece4d23e978e572e75a521bee3601f116405a60215e4f3a884df7c1b5ccd417512fe14fed324ca314d3503ebe5ffe34a06b34ea81bfc184e825fe8537ae3c9
SSDEEP

98304:46fqvmOYd4PtLqYjoVYX4ozPeto3kvm+bsmIm2cUEKtUqvSC4GTOBehy51gK:40pOYAtdoWooCSiZl2zE8vSC4y

Score

10^/10

bitrat zgrat rat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

omeno.duckdns.org:5867

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/1964-11-0x0000000000380000-0x0000000000396000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinTUJ.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinTUJ.exe	Powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2484	8d9dfc0971be7360a5edb4152a085eec.exe

Loads dropped DLL 1 IoCs

pid	Process
1964	8d9dfc0971be7360a5edb4152a085eec.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2484-15-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-16-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-19-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-23-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-21-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-25-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-27-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-28-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-30-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-31-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-32-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-33-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-34-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-37-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-38-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-39-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-40-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-41-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-42-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-43-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-44-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-45-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-46-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-47-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-48-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-49-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-50-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2484-51-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2484	8d9dfc0971be7360a5edb4152a085eec.exe
2484	8d9dfc0971be7360a5edb4152a085eec.exe
2484	8d9dfc0971be7360a5edb4152a085eec.exe
2484	8d9dfc0971be7360a5edb4152a085eec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1964 set thread context of 2484	1964	8d9dfc0971be7360a5edb4152a085eec.exe	32

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2420	Powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	Powershell.exe
Token: SeDebugPrivilege	2484	8d9dfc0971be7360a5edb4152a085eec.exe
Token: SeShutdownPrivilege	2484	8d9dfc0971be7360a5edb4152a085eec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2484	8d9dfc0971be7360a5edb4152a085eec.exe
2484	8d9dfc0971be7360a5edb4152a085eec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2420	1964	8d9dfc0971be7360a5edb4152a085eec.exe	30
PID 1964 wrote to memory of 2420	1964	8d9dfc0971be7360a5edb4152a085eec.exe	30
PID 1964 wrote to memory of 2420	1964	8d9dfc0971be7360a5edb4152a085eec.exe	30
PID 1964 wrote to memory of 2420	1964	8d9dfc0971be7360a5edb4152a085eec.exe	30
PID 1964 wrote to memory of 2484	1964	8d9dfc0971be7360a5edb4152a085eec.exe	32
PID 1964 wrote to memory of 2484	1964	8d9dfc0971be7360a5edb4152a085eec.exe	32
PID 1964 wrote to memory of 2484	1964	8d9dfc0971be7360a5edb4152a085eec.exe	32
PID 1964 wrote to memory of 2484	1964	8d9dfc0971be7360a5edb4152a085eec.exe	32
PID 1964 wrote to memory of 2484	1964	8d9dfc0971be7360a5edb4152a085eec.exe	32
PID 1964 wrote to memory of 2484	1964	8d9dfc0971be7360a5edb4152a085eec.exe	32
PID 1964 wrote to memory of 2484	1964	8d9dfc0971be7360a5edb4152a085eec.exe	32
PID 1964 wrote to memory of 2484	1964	8d9dfc0971be7360a5edb4152a085eec.exe	32

C:\Users\Admin\AppData\Local\Temp\8d9dfc0971be7360a5edb4152a085eec.exe
"C:\Users\Admin\AppData\Local\Temp\8d9dfc0971be7360a5edb4152a085eec.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
  "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\8d9dfc0971be7360a5edb4152a085eec.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinTUJ.exe'
  2⤵
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\8d9dfc0971be7360a5edb4152a085eec.exe
  "C:\Users\Admin\AppData\Local\Temp\8d9dfc0971be7360a5edb4152a085eec.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8d9dfc0971be7360a5edb4152a085eec.exe

Filesize
2.7MB

MD5
9bcc1d31e1acbc1c4c17829a02a6ac26

SHA1
95223b7af13fc7be7716310cd1a050071f39906a

SHA256
056d4a109ae2c3c48df813291c7331c61a005f1ba1ab56eff0eff100479cbc9d

SHA512
cdc5c588f0ea0a9961cfa83a4102c26e9e99b594c557ffb42ee00a1290ebf372fa21fb08749aff5f550150cfa0142b16cb124b9b4632c6cdbdeb083559a0ef71

Download Submit
\Users\Admin\AppData\Local\Temp\8d9dfc0971be7360a5edb4152a085eec.exe

Filesize
2.5MB

MD5
c918f21da72ae048f1499a7c59675285

SHA1
252f18b33fd6ac0a06a0e9902f5e6ffcbf56a779

SHA256
44b0e82f4deed3d7f5b4286e0f05ac08a76b0a3ff1d3f91cb2bcd3cda4dde689

SHA512
a2f8cf57e30f9f782ec7dc564e931829636986aa818d55b73a48a87a5a56d3a83f9d81d0d705cf8d07226d6f032f119a470a4720796e29c3b4f0e3cc59ca7716

Download Submit
memory/1964-0-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/1964-2-0x0000000005370000-0x0000000005898000-memory.dmp

Filesize
5.2MB

Download
memory/1964-3-0x00000000010D0000-0x0000000001110000-memory.dmp

Filesize
256KB

Download
memory/1964-4-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/1964-5-0x00000000010D0000-0x0000000001110000-memory.dmp

Filesize
256KB

Download
memory/1964-1-0x0000000001260000-0x000000000179E000-memory.dmp

Filesize
5.2MB

Download
memory/1964-22-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/1964-11-0x0000000000380000-0x0000000000396000-memory.dmp

Filesize
88KB

Download
memory/2420-26-0x00000000024C0000-0x0000000002500000-memory.dmp

Filesize
256KB

Download
memory/2420-10-0x00000000024C0000-0x0000000002500000-memory.dmp

Filesize
256KB

Download
memory/2420-36-0x000000006FD20000-0x00000000702CB000-memory.dmp

Filesize
5.7MB

Download
memory/2420-12-0x00000000024C0000-0x0000000002500000-memory.dmp

Filesize
256KB

Download
memory/2420-8-0x000000006FD20000-0x00000000702CB000-memory.dmp

Filesize
5.7MB

Download
memory/2420-9-0x000000006FD20000-0x00000000702CB000-memory.dmp

Filesize
5.7MB

Download
memory/2484-32-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-37-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-23-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-21-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2484-25-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-16-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-27-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-28-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-30-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-31-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-15-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-33-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-34-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-14-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-19-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-38-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-39-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-40-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-41-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-42-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-43-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-44-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-45-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-46-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-47-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-48-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-49-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-50-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2484-51-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download