Overview

overview

10

Static

static

3

cfbd28652b...08.exe

windows7-x64

10

cfbd28652b...08.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    28-12-2023 07:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cfbd28652bdc2f1c3a30d6ad3a77d408.exe

  • Size

    1.8MB

  • MD5

    cfbd28652bdc2f1c3a30d6ad3a77d408

  • SHA1

    846254a9fd531785ffa0cfc34b30a6b47c4603d6

  • SHA256

    88a7e9929cb967f33475bc95d02e05449bcc7a04968777d5dffd3f33c8d1bad3

  • SHA512

    268a0fed1f93ad29138a03654cc5282ed09f3d6d9930282df2cdc46fc5851cc14d56a9833d899ebd8d80d3f6b611f00dc062143bf08ebf73e8c3863ad2f85a86

  • SSDEEP

    49152:JOxf2vTY5hgsgJ2a9N4FA3358pYwHvr/hou:pbEhda9N+A5UVhou

Score
10/10
bitratzgratrattrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.35

C2

imen.ddns.net:1234

Attributes
  • communication_password

    fd1073eb898c17267347b0a3eb0d07b3

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cfbd28652bdc2f1c3a30d6ad3a77d408.exe
    "C:\Users\Admin\AppData\Local\Temp\cfbd28652bdc2f1c3a30d6ad3a77d408.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2464
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ekleezyvovzpjcfscz.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrome\chrome\chrome\chrome.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2164
    • C:\Users\Admin\AppData\Local\Temp\cfbd28652bdc2f1c3a30d6ad3a77d408.exe
      C:\Users\Admin\AppData\Local\Temp\cfbd28652bdc2f1c3a30d6ad3a77d408.exe
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1500

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_Ekleezyvovzpjcfscz.vbs
    Filesize

    195B

    MD5

    752b55899ecc5e4dc8760996258a2ce3

    SHA1

    e256bf7781d5d6a7e6bc43072863e3d46b14f6ab

    SHA256

    2d07de2853865f08f0e92d50b34a51f1defc6cf0e54d2feb0e203cb6272bd8aa

    SHA512

    426d83b30727558918895b54d925777e7a352e8ab421b359b86e041e8c8625b812c7730acc6b8d6f04d7855b32da26bc956e07e56e5f26c7c5057e7f9ebd3876

    Download Submit
  • memory/1500-1472-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1500-1492-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/2164-1478-0x0000000073990000-0x0000000073F3B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2164-1479-0x0000000073990000-0x0000000073F3B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2164-1480-0x0000000002600000-0x0000000002640000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2164-1484-0x0000000073990000-0x0000000073F3B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2164-1482-0x0000000002600000-0x0000000002640000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2164-1481-0x0000000002600000-0x0000000002640000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2464-70-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-60-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-6-0x0000000005100000-0x0000000005140000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2464-7-0x00000000052E0000-0x0000000005488000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/2464-8-0x00000000006D0000-0x0000000000728000-memory.dmp
    Filesize

    352KB

    Download
  • memory/2464-9-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-10-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-12-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-14-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-18-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-22-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-26-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-30-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-32-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-46-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-68-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-72-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-4-0x0000000074120000-0x000000007480E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2464-66-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-64-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-62-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-5-0x0000000005100000-0x0000000005140000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2464-58-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-56-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-54-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-52-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-50-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-48-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-44-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-42-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-40-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-38-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-36-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-34-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-28-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-24-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-3-0x0000000005100000-0x0000000005140000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2464-2-0x0000000005100000-0x0000000005140000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2464-1-0x0000000074120000-0x000000007480E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2464-0-0x0000000001050000-0x000000000122E000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/2464-20-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-16-0x00000000006D0000-0x0000000000722000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2464-1475-0x0000000074120000-0x000000007480E000-memory.dmp
    Filesize

    6.9MB

    Download