Overview

overview

10

Static

static

3

d92e6b60ee...ba.exe

windows7-x64

10

d92e6b60ee...ba.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    28-12-2023 10:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d92e6b60eecc9c96a1ad74e2d5c9ccba.exe

  • Size

    2.3MB

  • MD5

    d92e6b60eecc9c96a1ad74e2d5c9ccba

  • SHA1

    d7fcb40fa9a63dfaef531600da64c135d3079bd2

  • SHA256

    8efce4180ae0e0f3c75dd2e13e44288c4352223f4b556c43bbb5cb96f8aec3ee

  • SHA512

    ef9430611ea5b79108481cfa80961c569f0e2df82503afedff382f4f9bb0ed8227687a46b1c4e14af5692d81031b17c0c2bdb19bfac59cc59f3c3b099a332f37

  • SSDEEP

    24576:FD+2lLAnMrJAmvGlBla8SmYU05za8oq9xKG+K/jAnKeL5qTZBHR1k85onek0nn15:FLuMNdGddGxsKrAEZZR1KneNBL2NuW

Score
10/10
bitratzgratpersistencerattrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

37.0.10.19:5678

Attributes
  • communication_password

    674f3c2c1a8a6f90461e8a66fb5550ba

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d92e6b60eecc9c96a1ad74e2d5c9ccba.exe
    "C:\Users\Admin\AppData\Local\Temp\d92e6b60eecc9c96a1ad74e2d5c9ccba.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Rbtqvuqexxqqfvkdqsvr.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Programs\Steam.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2568
    • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1956

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_Rbtqvuqexxqqfvkdqsvr.vbs
    Filesize

    144B

    MD5

    3ecf68c532c2878c3e453e4ec5b53014

    SHA1

    1198fb13796e31dbfa8d5d624126dc80a5abb26e

    SHA256

    78c0bc46d3ec284c3a551fe7fffc6961eb986d87bcb30e35dc62f303b822c1b3

    SHA512

    ae34c5d5d55d15bae771746b6fc0358f5d9663123a788cd46f632d3d3aee90ec8265b4bb258971fc9e05230a8a4fdaeca309a920b97a2b2ec200c2b533515a3f

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RegAsm.exe
    Filesize

    63KB

    MD5

    b58b926c3574d28d5b7fdd2ca3ec30d5

    SHA1

    d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

    SHA256

    6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

    SHA512

    b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

    Download Submit
  • memory/1956-2247-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1956-2264-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/2068-1-0x00000000745D0000-0x0000000074CBE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2068-0-0x0000000000990000-0x0000000000BEC000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/2068-2-0x00000000005F0000-0x0000000000630000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2068-3-0x00000000745D0000-0x0000000074CBE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2068-4-0x00000000005F0000-0x0000000000630000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2068-5-0x00000000005F0000-0x0000000000630000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2068-6-0x0000000005B00000-0x0000000005CB2000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/2068-7-0x0000000000460000-0x00000000004D8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/2068-25-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-39-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-47-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-53-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-63-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-67-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-71-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-69-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-65-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-61-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-59-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-57-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-55-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-51-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-49-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-45-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-43-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-41-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-37-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-35-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-33-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-31-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-29-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-27-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-23-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-21-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-19-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-17-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-15-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-13-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-11-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-9-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-8-0x0000000000460000-0x00000000004D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2068-2220-0x00000000005F0000-0x0000000000630000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2068-2242-0x00000000745D0000-0x0000000074CBE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2568-2251-0x0000000073DA0000-0x000000007434B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2568-2252-0x0000000073DA0000-0x000000007434B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2568-2253-0x00000000025F0000-0x0000000002630000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2568-2254-0x00000000025F0000-0x0000000002630000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2568-2255-0x0000000073DA0000-0x000000007434B000-memory.dmp
    Filesize

    5.7MB

    Download