bitrat | fffa9ead850e0fcaf571a59b808bf2b2d25b465be4d7300b3f828c63ac779259 | Triage

Submit
Reports

Overview

overview

Static

static

3

2becacc546...0c.exe

windows7-x64

2becacc546...0c.exe

windows10-2004-x64

Sharing

General

Target

2becacc54640ee85368060f50cdf970c
Size

1.7MB
Sample

231231-hd5vcsadd5
MD5

2becacc54640ee85368060f50cdf970c
SHA1

fc5f72e653bcb507bbb0d8f95b14201930dc3eef
SHA256

fffa9ead850e0fcaf571a59b808bf2b2d25b465be4d7300b3f828c63ac779259
SHA512

29417107a44f9eef89d3ab35dd2ba52562f41651c04ebc2dd464a76b4a561fbf9aac5f8f35fb53b1f6d4ce8ea85cf66a038d530b6ca3e3368b8477a5da1f3c34
SSDEEP

49152:R1cDVEQUeU0PlCzs3nTGgVduWYwaIjctIPVWLp2y:weeUEbTGgOWY8j+z

Score

10^/10

bitrat zgrat persistence rat trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

2becacc54640ee85368060f50cdf970c.exe

Resource

win7-20231215-en

bitrat zgrat persistence rat trojan upx

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

2becacc54640ee85368060f50cdf970c.exe

Resource

win10v2004-20231215-en

zgrat persistence rat

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

dontreachme.duckdns.org:1337

Attributes

communication_password
7b24afc8bc80e548d66c4e7ff72171c5
tor_process
tor

Targets

- Target
  
  2becacc54640ee85368060f50cdf970c
- Size
  
  1.7MB
- MD5
  
  2becacc54640ee85368060f50cdf970c
- SHA1
  
  fc5f72e653bcb507bbb0d8f95b14201930dc3eef
- SHA256
  
  fffa9ead850e0fcaf571a59b808bf2b2d25b465be4d7300b3f828c63ac779259
- SHA512
  
  29417107a44f9eef89d3ab35dd2ba52562f41651c04ebc2dd464a76b4a561fbf9aac5f8f35fb53b1f6d4ce8ea85cf66a038d530b6ca3e3368b8477a5da1f3c34
- SSDEEP
  
  49152:R1cDVEQUeU0PlCzs3nTGgVduWYwaIjctIPVWLp2y:weeUEbTGgOWY8j+z
Score

10^/10

bitrat zgrat persistence rat trojan upx
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Detect ZGRat V1
- Modifies WinLogon for persistence
  persistence
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bitratzgratpersistencerattrojanupx

behavioral2

zgratpersistencerat

© 2018-2024

Terms | Privacy