bitrat | 8c6def7156f6454a1808ed54b64cad4a73a6b3436e865c24093c30867521dfd1

Analysis

max time kernel
223s
max time network
264s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d9dfc0971be7360a5edb4152a085eec.exe
Size

5.2MB
MD5

8d9dfc0971be7360a5edb4152a085eec
SHA1

cd86740a05e8424179c9d9c72569441884e32f99
SHA256

8c6def7156f6454a1808ed54b64cad4a73a6b3436e865c24093c30867521dfd1
SHA512

1eece4d23e978e572e75a521bee3601f116405a60215e4f3a884df7c1b5ccd417512fe14fed324ca314d3503ebe5ffe34a06b34ea81bfc184e825fe8537ae3c9
SSDEEP

98304:46fqvmOYd4PtLqYjoVYX4ozPeto3kvm+bsmIm2cUEKtUqvSC4GTOBehy51gK:40pOYAtdoWooCSiZl2zE8vSC4y

Score

10^/10

bitrat zgrat rat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

omeno.duckdns.org:5867

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/3260-16-0x0000000001850000-0x0000000001866000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinTUJ.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinTUJ.exe	Powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2888	8d9dfc0971be7360a5edb4152a085eec.exe
2480	8d9dfc0971be7360a5edb4152a085eec.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2480-24-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2480-30-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2480-33-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2480-35-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2480-34-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2480-39-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2480-42-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2480-41-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2480-44-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2480-45-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2480-43-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2480-46-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2480-47-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2480-49-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2480-50-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2480-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2480-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2480-64-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2480-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2480-67-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2480-69-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral2/memory/2480-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2480	8d9dfc0971be7360a5edb4152a085eec.exe
2480	8d9dfc0971be7360a5edb4152a085eec.exe
2480	8d9dfc0971be7360a5edb4152a085eec.exe
2480	8d9dfc0971be7360a5edb4152a085eec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3260 set thread context of 2480	3260	8d9dfc0971be7360a5edb4152a085eec.exe	95

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
552	Powershell.exe
3260	8d9dfc0971be7360a5edb4152a085eec.exe
3260	8d9dfc0971be7360a5edb4152a085eec.exe
552	Powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	552	Powershell.exe
Token: SeDebugPrivilege	3260	8d9dfc0971be7360a5edb4152a085eec.exe
Token: SeShutdownPrivilege	2480	8d9dfc0971be7360a5edb4152a085eec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2480	8d9dfc0971be7360a5edb4152a085eec.exe
2480	8d9dfc0971be7360a5edb4152a085eec.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 552	3260	8d9dfc0971be7360a5edb4152a085eec.exe	92
PID 3260 wrote to memory of 552	3260	8d9dfc0971be7360a5edb4152a085eec.exe	92
PID 3260 wrote to memory of 552	3260	8d9dfc0971be7360a5edb4152a085eec.exe	92
PID 3260 wrote to memory of 2888	3260	8d9dfc0971be7360a5edb4152a085eec.exe	94
PID 3260 wrote to memory of 2888	3260	8d9dfc0971be7360a5edb4152a085eec.exe	94
PID 3260 wrote to memory of 2888	3260	8d9dfc0971be7360a5edb4152a085eec.exe	94
PID 3260 wrote to memory of 2480	3260	8d9dfc0971be7360a5edb4152a085eec.exe	95
PID 3260 wrote to memory of 2480	3260	8d9dfc0971be7360a5edb4152a085eec.exe	95
PID 3260 wrote to memory of 2480	3260	8d9dfc0971be7360a5edb4152a085eec.exe	95
PID 3260 wrote to memory of 2480	3260	8d9dfc0971be7360a5edb4152a085eec.exe	95
PID 3260 wrote to memory of 2480	3260	8d9dfc0971be7360a5edb4152a085eec.exe	95
PID 3260 wrote to memory of 2480	3260	8d9dfc0971be7360a5edb4152a085eec.exe	95
PID 3260 wrote to memory of 2480	3260	8d9dfc0971be7360a5edb4152a085eec.exe	95

C:\Users\Admin\AppData\Local\Temp\8d9dfc0971be7360a5edb4152a085eec.exe
"C:\Users\Admin\AppData\Local\Temp\8d9dfc0971be7360a5edb4152a085eec.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
  "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\8d9dfc0971be7360a5edb4152a085eec.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinTUJ.exe'
  2⤵
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:552
- C:\Users\Admin\AppData\Local\Temp\8d9dfc0971be7360a5edb4152a085eec.exe
  "C:\Users\Admin\AppData\Local\Temp\8d9dfc0971be7360a5edb4152a085eec.exe"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Users\Admin\AppData\Local\Temp\8d9dfc0971be7360a5edb4152a085eec.exe
  "C:\Users\Admin\AppData\Local\Temp\8d9dfc0971be7360a5edb4152a085eec.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2480

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8d9dfc0971be7360a5edb4152a085eec.exe

Filesize
1.2MB

MD5
3882e601f96c93011ce264fc40662f17

SHA1
b25a3d87d9edff10e778591961eee2beae2a4f07

SHA256
e323601c7d09e4be53d1170f398e5afea7afc9aeae5e42582b7bc818f90bc620

SHA512
20813f0c8876e05a6727aba9aedba0eabc863418bef827e42438281b46ed0472db6262e1bd0de250e7dce525b09fb1e28c0989b569648dca284ee9e7b4ad1407

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d9dfc0971be7360a5edb4152a085eec.exe

Filesize
797KB

MD5
e6dffd8a86c453c57c131c478f759fa7

SHA1
af0efc989f8a12fad77513a954d11d24bf5e297f

SHA256
8c26e05bdb241c694caa3565597b0163cb487b24c0d6351f552bf31fcc1ca5f3

SHA512
d35e683d0794abdfb2e69ea9d93130c3985a482d07341b80315c4a9610a4df702eda62871cf0f31ff9e042389da26a01eb6d189a1481cca1ca14fde829124edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xk1dq4yl.dsh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/552-54-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

Filesize
64KB

Download
memory/552-31-0x0000000005F40000-0x0000000006294000-memory.dmp

Filesize
3.3MB

Download
memory/552-61-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/552-55-0x0000000006990000-0x0000000006A26000-memory.dmp

Filesize
600KB

Download
memory/552-56-0x00000000068C0000-0x00000000068DA000-memory.dmp

Filesize
104KB

Download
memory/552-57-0x0000000006920000-0x0000000006942000-memory.dmp

Filesize
136KB

Download
memory/552-53-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

Filesize
64KB

Download
memory/552-10-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/552-12-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

Filesize
64KB

Download
memory/552-11-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

Filesize
64KB

Download
memory/552-13-0x0000000005640000-0x0000000005C68000-memory.dmp

Filesize
6.2MB

Download
memory/552-14-0x0000000005370000-0x0000000005392000-memory.dmp

Filesize
136KB

Download
memory/552-52-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/552-15-0x0000000005D60000-0x0000000005DC6000-memory.dmp

Filesize
408KB

Download
memory/552-9-0x00000000029F0000-0x0000000002A26000-memory.dmp

Filesize
216KB

Download
memory/552-22-0x0000000005DD0000-0x0000000005E36000-memory.dmp

Filesize
408KB

Download
memory/552-38-0x00000000064A0000-0x00000000064EC000-memory.dmp

Filesize
304KB

Download
memory/552-37-0x00000000063B0000-0x00000000063CE000-memory.dmp

Filesize
120KB

Download
memory/2480-40-0x000000006FF50000-0x000000006FF89000-memory.dmp

Filesize
228KB

Download
memory/2480-44-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2480-71-0x0000000074E10000-0x0000000074E49000-memory.dmp

Filesize
228KB

Download
memory/2480-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2480-35-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2480-34-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2480-30-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2480-24-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2480-69-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2480-39-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2480-41-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2480-67-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2480-33-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2480-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2480-45-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2480-43-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2480-46-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2480-47-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2480-48-0x000000006FF10000-0x000000006FF49000-memory.dmp

Filesize
228KB

Download
memory/2480-49-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2480-51-0x000000006FF10000-0x000000006FF49000-memory.dmp

Filesize
228KB

Download
memory/2480-50-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2480-68-0x0000000074E10000-0x0000000074E49000-memory.dmp

Filesize
228KB

Download
memory/2480-42-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2480-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2480-65-0x0000000074E10000-0x0000000074E49000-memory.dmp

Filesize
228KB

Download
memory/2480-64-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2480-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3260-4-0x0000000006960000-0x0000000006E88000-memory.dmp

Filesize
5.2MB

Download
memory/3260-5-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/3260-6-0x0000000006180000-0x000000000621C000-memory.dmp

Filesize
624KB

Download
memory/3260-7-0x00000000060D0000-0x00000000060E0000-memory.dmp

Filesize
64KB

Download
memory/3260-8-0x00000000060D0000-0x00000000060E0000-memory.dmp

Filesize
64KB

Download
memory/3260-1-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/3260-16-0x0000000001850000-0x0000000001866000-memory.dmp

Filesize
88KB

Download
memory/3260-3-0x0000000005EF0000-0x0000000005F82000-memory.dmp

Filesize
584KB

Download
memory/3260-2-0x00000000063B0000-0x0000000006954000-memory.dmp

Filesize
5.6MB

Download
memory/3260-36-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/3260-0-0x0000000000E80000-0x00000000013BE000-memory.dmp

Filesize
5.2MB

Download