bitrat | c3e53e28198dfe92caa7b46355f543dd18c0353ef42f2e28862682a79e863735

General

Target

122341d7b40c0ee5ad9eb4b5e56a5ed8.exe
Size

2.2MB
MD5

122341d7b40c0ee5ad9eb4b5e56a5ed8
SHA1

c1c929d53da34787cfd8381b3ea6a3c2c1ba1a33
SHA256

c3e53e28198dfe92caa7b46355f543dd18c0353ef42f2e28862682a79e863735
SHA512

50051b14cd8cd755fe68bbce63050c9db5bb0769ef75025ea634785fdc5af77b307b955f84381d6eb7dc698be406581ac5af2165666b9c0e42e6519765c3d5af
SSDEEP

49152:IODX0Ctbcjd/r7bDDjeDEngIJdaaT2imnlhLEyeHtwuSZNIQ:Ttb2HD1ngOTSnlBpCSuSZ

Score

10^/10

bitrat zgrat rat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

firewall.publicvm.com:25874

Attributes

communication_password
a20ba4fb329f7dc66c0dd3562e9f9984
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1708-23-0x0000000007EA0000-0x0000000007F0C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-33-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-49-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-75-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-87-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-85-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-83-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-81-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-79-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-77-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-73-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-71-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-69-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-67-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-65-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-63-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-61-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-59-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-57-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-55-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-53-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-51-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-47-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-45-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-43-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-41-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-39-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-37-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-35-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-31-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-29-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-27-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-25-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-24-0x0000000007EA0000-0x0000000007F06000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

122341d7b40c0ee5ad9eb4b5e56a5ed8.exe

description	pid	process	target process
PID 1708 wrote to memory of 1800	1708	122341d7b40c0ee5ad9eb4b5e56a5ed8.exe	powershell.exe
PID 1708 wrote to memory of 1800	1708	122341d7b40c0ee5ad9eb4b5e56a5ed8.exe	powershell.exe
PID 1708 wrote to memory of 1800	1708	122341d7b40c0ee5ad9eb4b5e56a5ed8.exe	powershell.exe
PID 1708 wrote to memory of 1800	1708	122341d7b40c0ee5ad9eb4b5e56a5ed8.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\122341d7b40c0ee5ad9eb4b5e56a5ed8.exe
"C:\Users\Admin\AppData\Local\Temp\122341d7b40c0ee5ad9eb4b5e56a5ed8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Write-Output Hello World
2⤵
PID:1800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Write-Output Hello World
2⤵
PID:2988

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
2⤵
PID:2672

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1708-61-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-19-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/1708-2-0x0000000004E90000-0x0000000004ED0000-memory.dmp

Filesize
256KB

Download
memory/1708-1-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/1708-63-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-22-0x0000000008F80000-0x0000000009188000-memory.dmp

Filesize
2.0MB

Download
memory/1708-23-0x0000000007EA0000-0x0000000007F0C000-memory.dmp

Filesize
432KB

Download
memory/1708-33-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-65-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-2137-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/1708-24-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-25-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-49-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-75-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-87-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-85-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-83-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-81-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-79-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-77-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-73-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-71-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-69-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-67-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-27-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-20-0x0000000004E90000-0x0000000004ED0000-memory.dmp

Filesize
256KB

Download
memory/1708-0-0x0000000000180000-0x00000000003AE000-memory.dmp

Filesize
2.2MB

Download
memory/1708-59-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-57-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-55-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-53-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-51-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-47-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-45-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-43-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-41-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-39-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-37-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-35-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-31-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1708-29-0x0000000007EA0000-0x0000000007F06000-memory.dmp

Filesize
408KB

Download
memory/1800-6-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download
memory/1800-7-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/1800-5-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/1800-10-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/1800-8-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download
memory/1800-9-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download
memory/2672-2142-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2672-2151-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2988-17-0x000000006EE60000-0x000000006F40B000-memory.dmp

Filesize
5.7MB

Download
memory/2988-18-0x000000006EE60000-0x000000006F40B000-memory.dmp

Filesize
5.7MB

Download
memory/2988-16-0x000000006EE60000-0x000000006F40B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing