Malware Analysis Report

2025-01-03 05:01

Sample ID 231231-b5248aaca3
Target 233c0db3afe81ec0b12859e9ed2ad96e
SHA256 6c0b8d19ccb66f0fbe99c4882d620a3bc5c95a78e67a8fc7f69918c404bfd4a0
Tags: bitrat zgrat persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 6c0b8d19ccb66f0fbe99c4882d620a3bc5c95a78e67a8fc7f69918c404bfd4a0

Threat Level: Known bad

The file 233c0db3afe81ec0b12859e9ed2ad96e was found to be: Known bad.

Malicious Activity Summary

Tags: bitrat zgrat persistence rat trojan

Signatures that fired across the runs:

Detect ZGRat V1
ZGRat
BitRAT
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses

Read together, the Windows 7 run (behavioral1) shows the usual shape of a .NET loader: the sample drops a copy of RegAsm.exe into %TEMP%, starts it, writes into its memory and resets its thread context (the process-hollowing sequence), the resulting process hides its threads from debuggers, and the sample registers a Run key for persistence. RegAsm.exe is a .NET Framework utility that ships under C:\Windows\Microsoft.NET\Framework\; a copy of it in a user's Temp directory is the first artifact to look for on a suspect host. The Windows 10 run (behavioral2) reproduced much less of this, so behavioral1 is the run to take host indicators from.

MITRE ATT&CK

Enterprise Matrix V15

Techniques implied by the signatures recorded in the runs below (a mapping from the signature names, not the report's own matrix rendering):

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Run value "work")
T1055.012 Process Injection: Process Hollowing (WriteProcessMemory and SetThreadContext from the sample into the dropped RegAsm.exe)
T1036.005 Masquerading: Match Legitimate Name or Location (RegAsm.exe executed from %TEMP% instead of C:\Windows\Microsoft.NET\Framework\)
T1622 Debugger Evasion (NtSetInformationThread with ThreadHideFromDebugger)
T1057 Process Discovery (EnumeratesProcesses)

Analysis: static1

Detonation Overview

Reported: 2023-12-31 01:44

Signatures

N/A (no static signatures recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-31 01:44
Reported: 2024-01-05 02:40
Platform: win7-20231129-en
Max time kernel: 148s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\233c0db3afe81ec0b12859e9ed2ad96e.exe"

Signatures

BitRAT (trojan bitrat)

Detect ZGRat V1: 34 matches; the sandbox recorded no description, indicator, process or target for any of them.

ZGRat (rat zgrat)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

Adds Run key to start application (persistence)

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\work = "\"C:\\Users\\Admin\\AppData\\Roaming\\work.exe\"" C:\Users\Admin\AppData\Local\Temp\233c0db3afe81ec0b12859e9ed2ad96e.exe N/A

The value points at %APPDATA%\work.exe, which is not among the files captured in this run. Either the copy was written outside the monitored window or the persistence chain was left incomplete; on a suspect host check for the file as well as for the Run value.

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A (4 events)

All four calls come from the hollowed RegAsm.exe, i.e. from the injected payload rather than from the loader.

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1068 set thread context of 2768 N/A C:\Users\Admin\AppData\Local\Temp\233c0db3afe81ec0b12859e9ed2ad96e.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\233c0db3afe81ec0b12859e9ed2ad96e.exe N/A (2 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\233c0db3afe81ec0b12859e9ed2ad96e.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A (2 events)

The hook type was not recorded, so this is consistent with input capture by the payload but does not by itself establish keylogging.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1068 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\233c0db3afe81ec0b12859e9ed2ad96e.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe (15 events)

Fifteen writes from the sample (PID 1068) into RegAsm.exe (PID 2768) followed by a single SetThreadContext on the same target is the process-hollowing sequence: the loader writes the payload image section by section, then points the target's main thread at the new entry point. The injected image is what the memory/2768-* dumps in the Files section contain.

Processes

C:\Users\Admin\AppData\Local\Temp\233c0db3afe81ec0b12859e9ed2ad96e.exe (PID 1068, per the signature rows above)
command line: "C:\Users\Admin\AppData\Local\Temp\233c0db3afe81ec0b12859e9ed2ad96e.exe"

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe (PID 2768, the injection target; the dropped copy in %TEMP%, not the framework binary)
command line: C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 postal-23.ioomoo.xyz udp

The only network activity in this run is a DNS query for postal-23.ioomoo.xyz; no TCP session to a resolved address follows it, so the C2 either did not resolve or was unreachable during detonation. The domain is the usable network indicator from this run; no C2 IP address is established here.

Files

Memory dumps of the sample (PID 1068):

memory/1068-0-0x0000000000150000-0x0000000000360000-memory.dmp
memory/1068-1-0x0000000073F30000-0x000000007461E000-memory.dmp
memory/1068-2-0x0000000004EB0000-0x0000000004EF0000-memory.dmp
memory/1068-3-0x0000000073F30000-0x000000007461E000-memory.dmp
memory/1068-4-0x0000000004EB0000-0x0000000004EF0000-memory.dmp
memory/1068-5-0x0000000008240000-0x0000000008448000-memory.dmp
memory/1068-6-0x0000000004E00000-0x0000000004E64000-memory.dmp
memory/1068-7 through memory/1068-70 (33 dumps: index 7, then every even index from 8 to 70), all of 0x0000000004E00000-0x0000000004E5D000
memory/1068-2020-0x0000000073F30000-0x000000007461E000-memory.dmp

Memory dumps of the injection target (PID 2768, RegAsm.exe):

memory/2768-2025-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2768-2038-0x0000000000400000-0x00000000007CE000-memory.dmp

0x400000 is the default image base of an unrelocated 32-bit PE. After the WriteProcessMemory and SetThreadContext sequence recorded above, this region of RegAsm.exe holds the injected payload, so these two dumps are the ones to carve a PE from when recovering the BitRAT stage.

Dropped file C:\Users\Admin\AppData\Local\Temp\RegAsm.exe, recorded three times in the order captured, with three different hash sets:

1.
MD5 f91d01b413ff1ece07790eef8d6da40b
SHA1 85283cdf9b5de60c68a9a0425b02eec69b5299e0
SHA256 38b441cef2c62b136a850af3e80da4128220be596ac036fbd06d0276630fdb7d
SHA512 88a02b5928d9ceb810dad68fe8ed1de8bddc9d4ecbf05c3f553f520ca45b17307bb076f6929382e8f52b7296271b26f53ca9e7f115f89250113cd8ec2e125ebf

2.
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

These are the hashes of a zero-byte file: the sandbox captured the path after it was created but before any content was written. This hash set identifies nothing and must not be used as an indicator.

3.
MD5 a69f57f28c5e49818ccdaa2fba762ca8
SHA1 20b6caa2b2becbffb78ebaf4b82a55b4ed8505c1
SHA256 ab47499fd33baf1e250b846fb5ca52333de7aa9f908615f771e2e3f6a7af440a
SHA512 997b64f139f702f222637fc38dd620fceba7a78ae6b14fc99782571e1d313707d0f17b509462fd4d51378ca02b684e9151f0044915776c616045d8093035ca7f

The same path was captured with two different non-empty contents, so before treating either hash as malicious in itself compare both against a known-good RegAsm.exe from C:\Windows\Microsoft.NET\Framework\; a loader that drops an unmodified framework binary and hollows it leaves a file hash that is benign on its own, and the indicator is then the location, not the hash.
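The Windows 7 run above carries enough structure to be triaged mechanically. What follows is an added example (my code, not the sandbox's and not part of the original report) that takes rows transcribed from the signature tables and hashes above and applies the checks a responder wants from them: whether one source PID both wrote memory into and set the thread context of one target (the hollowing sequence), whether a .NET Framework utility is running from anywhere other than C:\Windows\Microsoft.NET\, and whether a Run value points into a user-writable directory. It also shows why the second RegAsm.exe hash set is the hash of an empty file. The DOTNET_HOSTS list, the regular expressions and the function names are assumptions of mine.

```python
"""Host-indicator triage over sandbox signature rows like the ones in this report.

Added example: not the sandbox's code and not part of the original report. ROWS is
transcribed from the behavioral1 tables; everything else is my own assumption.
"""
import hashlib
import re
from collections import defaultdict
from ntpath import basename

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\233c0db3afe81ec0b12859e9ed2ad96e.exe"
HOST = r"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"

# (signature, description, process, target), transcribed from the report tables.
ROWS = [
    ("SetThreadContext", "PID 1068 set thread context of 2768", SAMPLE, HOST),
    ("WriteProcessMemory", "PID 1068 wrote to memory of 2768", SAMPLE, HOST),
    ("AdjustPrivilegeToken", "Token: SeDebugPrivilege", SAMPLE, "N/A"),
    ("AddsRunKey",
     r"Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000"
     r'\Software\Microsoft\Windows\CurrentVersion\Run\work = "\"C:\\Users\\Admin\\AppData\\Roaming\\work.exe\""',
     SAMPLE, "N/A"),
]

# .NET Framework utilities that legitimately live under C:\Windows\Microsoft.NET\ and
# are common hollowing hosts for .NET loaders (assumed list, deliberately not exhaustive).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
                "applaunch.exe", "aspnet_compiler.exe", "csc.exe", "vbc.exe"}
DOTNET_DIR = "c:\\windows\\microsoft.net\\"
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
PID_PAIR = re.compile(r"PID (\d+) (?:set thread context of|wrote to memory of) (\d+)")
RUN_VALUE = re.compile(r'\\Run\\(\S+) = "(.*)"$')


def masquerading_hosts(rows):
    """Paths whose file name is a .NET utility but which sit outside the framework directory."""
    hits = set()
    for _, _, proc, target in rows:
        for path in (proc, target):
            if path != "N/A" and basename(path).lower() in DOTNET_HOSTS \
                    and not path.lower().startswith(DOTNET_DIR):
                hits.add(path)
    return sorted(hits)


def hollowing_pairs(rows):
    """(source_pid, target_pid) pairs for which both a memory write and a thread-context reset were seen."""
    seen = defaultdict(set)
    for sig, desc, _, _ in rows:
        m = PID_PAIR.search(desc)
        if m:
            seen[(int(m.group(1)), int(m.group(2)))].add(sig)
    return sorted(pair for pair, sigs in seen.items()
                  if {"SetThreadContext", "WriteProcessMemory"} <= sigs)


def run_key_targets(rows):
    """Run value name -> (target path, True if the path is inside a user profile's AppData)."""
    out = {}
    for _, desc, _, _ in rows:
        m = RUN_VALUE.search(desc)
        if not m:
            continue
        # The sandbox prints the value data as a C-style escaped string: undo \" and \\, then strip quotes.
        data = m.group(2).replace('\\"', '"').replace('\\\\', '\\').strip('"')
        out[m.group(1)] = (data, bool(USER_WRITABLE.match(data)))
    return out


# Digests of zero bytes; a dropped file reported with these was captured before it was written.
EMPTY_FILE = {
    "md5": hashlib.md5(b"").hexdigest(),
    "sha1": hashlib.sha1(b"").hexdigest(),
    "sha256": hashlib.sha256(b"").hexdigest(),
}


def is_empty_file_hash(algo, digest):
    """True when digest is the well-known hash of an empty file for the given algorithm."""
    return EMPTY_FILE[algo] == digest.lower()


if __name__ == "__main__":
    print("hollowing pairs:", hollowing_pairs(ROWS))
    print("masquerading hosts:", masquerading_hosts(ROWS))
    print("run keys:", run_key_targets(ROWS))
    print("second RegAsm.exe hash set is an empty file:",
          is_empty_file_hash("md5", "d41d8cd98f00b204e9800998ecf8427e"))
```

Run as a script it reports the (1068, 2768) pair, the %TEMP% copy of RegAsm.exe, the "work" value pointing into AppData, and confirms the empty-file hash. The same three checks map directly onto host hunting: a process whose image name is in DOTNET_HOSTS but whose path is not under the framework directory is the single highest-value query to run across an estate after reading this report.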

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-31 01:44
Reported: 2024-01-05 02:41
Platform: win10v2004-20231215-en
Max time kernel: 28s
Max time network: 152s

Kernel monitoring ran for only 28s against 152s of network capture, and far fewer signatures fired than on Windows 7 (no Run key, no injection, no BitRAT detection). Treat this run as a partial picture: the sample may have exited early or behaved differently on this platform, and host indicators should be taken from behavioral1.

Command Line

"C:\Users\Admin\AppData\Local\Temp\233c0db3afe81ec0b12859e9ed2ad96e.exe"

Signatures

Detect ZGRat V1: 34 matches; the sandbox recorded no description, indicator, process or target for any of them.

ZGRat (rat zgrat)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\233c0db3afe81ec0b12859e9ed2ad96e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\233c0db3afe81ec0b12859e9ed2ad96e.exe
command line: "C:\Users\Admin\AppData\Local\Temp\233c0db3afe81ec0b12859e9ed2ad96e.exe"

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe (three instances)
command line: C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

The dropped RegAsm.exe was started three times in this run, but no WriteProcessMemory or SetThreadContext signature fired against any of them, and the report gives no PIDs for these processes, so they cannot be tied to the memory/740-* dumps listed under Files. Repeated launches without a completed injection are consistent with the loader failing and retrying, but the report does not establish why.

Network

Most of this table is background traffic from the Windows 10 image itself (bing.com and bing.net lookups and connections, and reverse in-addr.arpa lookups through 8.8.8.8) rather than activity of the sample. The rows that matter are the five DNS queries for postal-23.ioomoo.xyz, which, as in the Windows 7 run, are never followed by a TCP connection labelled with that name, and the three TCP connections to 20.223.35.26:443 that the sandbox did not associate with any domain. The report does not say whether that address is the resolved C2 or further background traffic, so treat it as unconfirmed and pivot on the domain.

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 postal-23.ioomoo.xyz udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 33.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 postal-23.ioomoo.xyz udp
IE 20.223.35.26:443 tcp
IE 20.223.35.26:443 tcp
IE 20.223.35.26:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 postal-23.ioomoo.xyz udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 postal-23.ioomoo.xyz udp
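As an added example (not part of the report, and not the sandbox's code), the following pass over rows transcribed from the table above separates DNS lookups that never led to a TCP connection from the rest, filters the bing.com, bing.net and in-addr.arpa traffic a stock Windows 10 image generates on its own, and lists TCP destinations the sandbox could not tie to a name. Only a representative subset of the rows is transcribed, enough to exercise each case; the NOISE pattern is my assumption and should be tuned to whatever image the sandbox uses.

```python
"""Network-row triage for a sandbox table like the one in this report.

Added example, not from the report. ROWS is a transcribed subset of the behavioral2
table (duplicate queries kept, as printed); the noise pattern is my own assumption.
"""
import re
from collections import defaultdict

# (country, destination, domain, proto) as printed; "" where the report shows no domain.
ROWS = [
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.200:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "158.240.127.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "postal-23.ioomoo.xyz", "udp"),
    ("IE", "20.223.35.26:443", "", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "8.8.8.8:53", "postal-23.ioomoo.xyz", "udp"),
    ("US", "8.8.8.8:53", "postal-23.ioomoo.xyz", "udp"),
]

# Background traffic a clean Windows 10 image produces by itself (assumption; tune per image).
NOISE = re.compile(r"(^|\.)(bing\.com|bing\.net|in-addr\.arpa)$", re.IGNORECASE)


def dns_only_domains(rows):
    """Domain -> number of DNS queries, for domains that never appear in a TCP row."""
    queried = defaultdict(int)
    connected = set()
    for _, dst, domain, proto in rows:
        if not domain:
            continue
        if proto == "udp" and dst.endswith(":53"):
            queried[domain] += 1
        elif proto == "tcp":
            connected.add(domain)
    return {d: n for d, n in queried.items() if d not in connected}


def c2_candidates(rows):
    """DNS-only domains that are not sandbox background noise: lookups that failed or were never used."""
    return {d: n for d, n in dns_only_domains(rows).items() if not NOISE.search(d)}


def sample_attributable(rows):
    """Rows left after dropping the background-noise domains; these need analyst attention."""
    return [r for r in rows if not (r[2] and NOISE.search(r[2]))]


def unattributed_tcp(rows):
    """TCP destinations the sandbox could not tie to a DNS name, as host:port strings."""
    return sorted({dst for _, dst, domain, proto in rows if proto == "tcp" and not domain})


if __name__ == "__main__":
    print("C2 candidates (DNS queried, never connected):", c2_candidates(ROWS))
    print("TCP with no domain:", unattributed_tcp(ROWS))
    print("rows needing attention:", len(sample_attributable(ROWS)))
```

On the transcribed rows this leaves postal-23.ioomoo.xyz (queried three times in the subset, five in the full table, never connected to) and the bare 20.223.35.26:443 connections, which is exactly the split an analyst has to make by hand before deciding what to block.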

Files

Memory dumps of the sample (PID 2144):

memory/2144-0-0x0000000074C00000-0x00000000753B0000-memory.dmp
memory/2144-1-0x0000000000B30000-0x0000000000D40000-memory.dmp
memory/2144-2-0x0000000005E40000-0x00000000063E4000-memory.dmp
memory/2144-3-0x0000000005780000-0x0000000005812000-memory.dmp
memory/2144-4-0x00000000059F0000-0x0000000005A00000-memory.dmp
memory/2144-5-0x0000000005730000-0x000000000573A000-memory.dmp
memory/2144-6-0x0000000074C00000-0x00000000753B0000-memory.dmp
memory/2144-7-0x00000000059F0000-0x0000000005A00000-memory.dmp
memory/2144-8-0x0000000006F60000-0x0000000007168000-memory.dmp
memory/2144-9-0x00000000071F0000-0x0000000007266000-memory.dmp
memory/2144-10-0x0000000007170000-0x00000000071D4000-memory.dmp
memory/2144-11 through memory/2144-74 (33 dumps: index 11, then every even index from 12 to 74), all of 0x0000000007170000-0x00000000071CD000
memory/2144-2003-0x0000000007CF0000-0x0000000007D0E000-memory.dmp
memory/2144-2017-0x0000000074C00000-0x00000000753B0000-memory.dmp

Memory dumps of PID 740 (not named in the Processes list above):

memory/740-2021-0x0000000074A50000-0x0000000074A89000-memory.dmp
memory/740-2029 through memory/740-2047 (7 dumps, indices 2029, 2032, 2035, 2038, 2041, 2044, 2047), all of 0x0000000074E50000-0x0000000074E89000

Unlike the Windows 7 run, no dump of a 0x400000 image region in a RegAsm.exe process was taken, and no dropped-file hashes were recorded, so this run yields no injected payload to carve and no file indicators.