bitrat | 88a7e9929cb967f33475bc95d02e05449bcc7a04968777d5dffd3f33c8d1bad3

Analysis

max time kernel
143s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-12-2023 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfbd28652bdc2f1c3a30d6ad3a77d408.exe
Size

1.8MB
MD5

cfbd28652bdc2f1c3a30d6ad3a77d408
SHA1

846254a9fd531785ffa0cfc34b30a6b47c4603d6
SHA256

88a7e9929cb967f33475bc95d02e05449bcc7a04968777d5dffd3f33c8d1bad3
SHA512

268a0fed1f93ad29138a03654cc5282ed09f3d6d9930282df2cdc46fc5851cc14d56a9833d899ebd8d80d3f6b611f00dc062143bf08ebf73e8c3863ad2f85a86
SSDEEP

49152:JOxf2vTY5hgsgJ2a9N4FA3358pYwHvr/hou:pbEhda9N+A5UVhou

Score

10^/10

bitrat zgrat rat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.35

imen.ddns.net:1234

Attributes

communication_password
fd1073eb898c17267347b0a3eb0d07b3
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/2464-8-0x00000000006D0000-0x0000000000728000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-9-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-10-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-12-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-14-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-18-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-22-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-26-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-30-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-32-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-46-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-68-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-72-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-70-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-66-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-64-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-62-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-60-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-58-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-56-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-54-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-52-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-50-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-48-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-44-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-42-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-40-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-38-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-36-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-34-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-28-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-24-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-20-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1
behavioral1/memory/2464-16-0x00000000006D0000-0x0000000000722000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1500-1472-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1500-1492-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1500	cfbd28652bdc2f1c3a30d6ad3a77d408.exe
1500	cfbd28652bdc2f1c3a30d6ad3a77d408.exe
1500	cfbd28652bdc2f1c3a30d6ad3a77d408.exe
1500	cfbd28652bdc2f1c3a30d6ad3a77d408.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2464 set thread context of 1500	2464	cfbd28652bdc2f1c3a30d6ad3a77d408.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2464	cfbd28652bdc2f1c3a30d6ad3a77d408.exe
2464	cfbd28652bdc2f1c3a30d6ad3a77d408.exe
2164	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	cfbd28652bdc2f1c3a30d6ad3a77d408.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	1500	cfbd28652bdc2f1c3a30d6ad3a77d408.exe
Token: SeShutdownPrivilege	1500	cfbd28652bdc2f1c3a30d6ad3a77d408.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1500	cfbd28652bdc2f1c3a30d6ad3a77d408.exe
1500	cfbd28652bdc2f1c3a30d6ad3a77d408.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2124	2464	cfbd28652bdc2f1c3a30d6ad3a77d408.exe	30
PID 2464 wrote to memory of 2124	2464	cfbd28652bdc2f1c3a30d6ad3a77d408.exe	30
PID 2464 wrote to memory of 2124	2464	cfbd28652bdc2f1c3a30d6ad3a77d408.exe	30
PID 2464 wrote to memory of 2124	2464	cfbd28652bdc2f1c3a30d6ad3a77d408.exe	30
PID 2124 wrote to memory of 2164	2124	WScript.exe	31
PID 2124 wrote to memory of 2164	2124	WScript.exe	31
PID 2124 wrote to memory of 2164	2124	WScript.exe	31
PID 2124 wrote to memory of 2164	2124	WScript.exe	31
PID 2464 wrote to memory of 1500	2464	cfbd28652bdc2f1c3a30d6ad3a77d408.exe	32
PID 2464 wrote to memory of 1500	2464	cfbd28652bdc2f1c3a30d6ad3a77d408.exe	32
PID 2464 wrote to memory of 1500	2464	cfbd28652bdc2f1c3a30d6ad3a77d408.exe	32
PID 2464 wrote to memory of 1500	2464	cfbd28652bdc2f1c3a30d6ad3a77d408.exe	32
PID 2464 wrote to memory of 1500	2464	cfbd28652bdc2f1c3a30d6ad3a77d408.exe	32
PID 2464 wrote to memory of 1500	2464	cfbd28652bdc2f1c3a30d6ad3a77d408.exe	32
PID 2464 wrote to memory of 1500	2464	cfbd28652bdc2f1c3a30d6ad3a77d408.exe	32
PID 2464 wrote to memory of 1500	2464	cfbd28652bdc2f1c3a30d6ad3a77d408.exe	32

C:\Users\Admin\AppData\Local\Temp\cfbd28652bdc2f1c3a30d6ad3a77d408.exe
"C:\Users\Admin\AppData\Local\Temp\cfbd28652bdc2f1c3a30d6ad3a77d408.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ekleezyvovzpjcfscz.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrome\chrome\chrome\chrome.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- C:\Users\Admin\AppData\Local\Temp\cfbd28652bdc2f1c3a30d6ad3a77d408.exe
  C:\Users\Admin\AppData\Local\Temp\cfbd28652bdc2f1c3a30d6ad3a77d408.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_Ekleezyvovzpjcfscz.vbs

Filesize
195B

MD5
752b55899ecc5e4dc8760996258a2ce3

SHA1
e256bf7781d5d6a7e6bc43072863e3d46b14f6ab

SHA256
2d07de2853865f08f0e92d50b34a51f1defc6cf0e54d2feb0e203cb6272bd8aa

SHA512
426d83b30727558918895b54d925777e7a352e8ab421b359b86e041e8c8625b812c7730acc6b8d6f04d7855b32da26bc956e07e56e5f26c7c5057e7f9ebd3876

Download Submit
memory/1500-1472-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1500-1492-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2164-1478-0x0000000073990000-0x0000000073F3B000-memory.dmp

Filesize
5.7MB

Download
memory/2164-1479-0x0000000073990000-0x0000000073F3B000-memory.dmp

Filesize
5.7MB

Download
memory/2164-1480-0x0000000002600000-0x0000000002640000-memory.dmp

Filesize
256KB

Download
memory/2164-1484-0x0000000073990000-0x0000000073F3B000-memory.dmp

Filesize
5.7MB

Download
memory/2164-1482-0x0000000002600000-0x0000000002640000-memory.dmp

Filesize
256KB

Download
memory/2164-1481-0x0000000002600000-0x0000000002640000-memory.dmp

Filesize
256KB

Download
memory/2464-70-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-60-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-6-0x0000000005100000-0x0000000005140000-memory.dmp

Filesize
256KB

Download
memory/2464-7-0x00000000052E0000-0x0000000005488000-memory.dmp

Filesize
1.7MB

Download
memory/2464-8-0x00000000006D0000-0x0000000000728000-memory.dmp

Filesize
352KB

Download
memory/2464-9-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-10-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-12-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-14-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-18-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-22-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-26-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-30-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-32-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-46-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-68-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-72-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-4-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2464-66-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-64-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-62-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-5-0x0000000005100000-0x0000000005140000-memory.dmp

Filesize
256KB

Download
memory/2464-58-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-56-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-54-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-52-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-50-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-48-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-44-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-42-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-40-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-38-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-36-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-34-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-28-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-24-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-3-0x0000000005100000-0x0000000005140000-memory.dmp

Filesize
256KB

Download
memory/2464-2-0x0000000005100000-0x0000000005140000-memory.dmp

Filesize
256KB

Download
memory/2464-1-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2464-0-0x0000000001050000-0x000000000122E000-memory.dmp

Filesize
1.9MB

Download
memory/2464-20-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-16-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2464-1475-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download