bitrat | fffa9ead850e0fcaf571a59b808bf2b2d25b465be4d7300b3f828c63ac779259

General

Target

2becacc54640ee85368060f50cdf970c.exe
Size

1.7MB
MD5

2becacc54640ee85368060f50cdf970c
SHA1

fc5f72e653bcb507bbb0d8f95b14201930dc3eef
SHA256

fffa9ead850e0fcaf571a59b808bf2b2d25b465be4d7300b3f828c63ac779259
SHA512

29417107a44f9eef89d3ab35dd2ba52562f41651c04ebc2dd464a76b4a561fbf9aac5f8f35fb53b1f6d4ce8ea85cf66a038d530b6ca3e3368b8477a5da1f3c34
SSDEEP

49152:R1cDVEQUeU0PlCzs3nTGgVduWYwaIjctIPVWLp2y:weeUEbTGgOWY8j+z

Score

10^/10

bitrat zgrat persistence rat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

dontreachme.duckdns.org:1337

Attributes

communication_password
7b24afc8bc80e548d66c4e7ff72171c5
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2512-6-0x0000000000850000-0x00000000008C8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-8-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-10-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-7-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-12-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-14-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-16-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-18-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-20-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-30-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-46-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-50-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-54-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-52-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-56-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-58-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-60-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-70-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-68-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-66-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-64-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-62-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-48-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-44-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-42-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-40-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-38-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-36-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-34-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-32-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-28-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-26-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-24-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2512-22-0x0000000000850000-0x00000000008C1000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

2becacc54640ee85368060f50cdf970c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\JavaUpdate\\JavaUpdate.exe\","	2becacc54640ee85368060f50cdf970c.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Executes dropped EXE 1 IoCs

Processes:

RegAsm.exe

pid process

2252 RegAsm.exe
Loads dropped DLL 2 IoCs

Processes:

2becacc54640ee85368060f50cdf970c.exeRegAsm.exe

pid process

2512 2becacc54640ee85368060f50cdf970c.exe
2252 RegAsm.exe

pid	process
2252	RegAsm.exe

pid	process
2512	2becacc54640ee85368060f50cdf970c.exe
2252	RegAsm.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2252-2426-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2252-2444-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

RegAsm.exe

pid process

2252 RegAsm.exe
2252 RegAsm.exe
2252 RegAsm.exe
2252 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

2becacc54640ee85368060f50cdf970c.exe

description pid process target process

PID 2512 set thread context of 2252 2512 2becacc54640ee85368060f50cdf970c.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

2becacc54640ee85368060f50cdf970c.exepowershell.exe

pid process

2512 2becacc54640ee85368060f50cdf970c.exe
2512 2becacc54640ee85368060f50cdf970c.exe
1916 powershell.exe

pid	process
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe
2252	RegAsm.exe

description	pid	process	target process
PID 2512 set thread context of 2252	2512	2becacc54640ee85368060f50cdf970c.exe	RegAsm.exe

pid	process
2512	2becacc54640ee85368060f50cdf970c.exe
2512	2becacc54640ee85368060f50cdf970c.exe
1916	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

2becacc54640ee85368060f50cdf970c.exepowershell.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2512	2becacc54640ee85368060f50cdf970c.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	2252	RegAsm.exe
Token: SeShutdownPrivilege	2252	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

2252 RegAsm.exe
2252 RegAsm.exe

pid	process
2252	RegAsm.exe
2252	RegAsm.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

2becacc54640ee85368060f50cdf970c.exeWScript.exe

description	pid	process	target process
PID 2512 wrote to memory of 532	2512	2becacc54640ee85368060f50cdf970c.exe	WScript.exe
PID 2512 wrote to memory of 532	2512	2becacc54640ee85368060f50cdf970c.exe	WScript.exe
PID 2512 wrote to memory of 532	2512	2becacc54640ee85368060f50cdf970c.exe	WScript.exe
PID 2512 wrote to memory of 532	2512	2becacc54640ee85368060f50cdf970c.exe	WScript.exe
PID 2512 wrote to memory of 2252	2512	2becacc54640ee85368060f50cdf970c.exe	RegAsm.exe
PID 2512 wrote to memory of 2252	2512	2becacc54640ee85368060f50cdf970c.exe	RegAsm.exe
PID 2512 wrote to memory of 2252	2512	2becacc54640ee85368060f50cdf970c.exe	RegAsm.exe
PID 2512 wrote to memory of 2252	2512	2becacc54640ee85368060f50cdf970c.exe	RegAsm.exe
PID 2512 wrote to memory of 2252	2512	2becacc54640ee85368060f50cdf970c.exe	RegAsm.exe
PID 2512 wrote to memory of 2252	2512	2becacc54640ee85368060f50cdf970c.exe	RegAsm.exe
PID 2512 wrote to memory of 2252	2512	2becacc54640ee85368060f50cdf970c.exe	RegAsm.exe
PID 2512 wrote to memory of 2252	2512	2becacc54640ee85368060f50cdf970c.exe	RegAsm.exe
PID 2512 wrote to memory of 2252	2512	2becacc54640ee85368060f50cdf970c.exe	RegAsm.exe
PID 2512 wrote to memory of 2252	2512	2becacc54640ee85368060f50cdf970c.exe	RegAsm.exe
PID 532 wrote to memory of 1916	532	WScript.exe	powershell.exe
PID 532 wrote to memory of 1916	532	WScript.exe	powershell.exe
PID 532 wrote to memory of 1916	532	WScript.exe	powershell.exe
PID 532 wrote to memory of 1916	532	WScript.exe	powershell.exe
PID 2512 wrote to memory of 2252	2512	2becacc54640ee85368060f50cdf970c.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\2becacc54640ee85368060f50cdf970c.exe
"C:\Users\Admin\AppData\Local\Temp\2becacc54640ee85368060f50cdf970c.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Enobllqetjhztazrykyqe.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Local\JavaUpdate\JavaUpdate.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_Enobllqetjhztazrykyqe.vbs
Filesize
149B

MD5
75fda8189e60e05655aea55fe68591c0

SHA1
de2177e12403c59f81d278497a387089ddd10d73

SHA256
cf8322af201e7b0f5d5b2b93c0df541c8785436ebdf04a32addc46b13caf81c5

SHA512
1bc581cbe6ba2f7f9a419bdb9b582ec5585d5cdfd8e245cab19c269d2bd4ecbc151cd98996b8d5f330304fda243c4a13388f1c601111dbab59fd0ad35e5ea647

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/1916-2429-0x0000000073EF0000-0x000000007449B000-memory.dmp

Filesize
5.7MB

Download
memory/1916-2430-0x0000000073EF0000-0x000000007449B000-memory.dmp

Filesize
5.7MB

Download
memory/1916-2433-0x0000000073EF0000-0x000000007449B000-memory.dmp

Filesize
5.7MB

Download
memory/1916-2432-0x00000000003F0000-0x0000000000430000-memory.dmp

Filesize
256KB

Download
memory/1916-2431-0x00000000003F0000-0x0000000000430000-memory.dmp

Filesize
256KB

Download
memory/2252-2426-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2252-2444-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2512-52-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-66-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-6-0x0000000000850000-0x00000000008C8000-memory.dmp

Filesize
480KB

Download
memory/2512-8-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-10-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-7-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-12-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-14-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-16-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-18-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-20-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-30-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-46-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-50-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-54-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-4-0x0000000005CD0000-0x0000000005E80000-memory.dmp

Filesize
1.7MB

Download
memory/2512-56-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-58-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-60-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-70-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-68-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-5-0x0000000004E40000-0x0000000004E80000-memory.dmp

Filesize
256KB

Download
memory/2512-64-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-62-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-48-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-44-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-42-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-40-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-38-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-36-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-34-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-32-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-28-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-26-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-3-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-2-0x0000000004E40000-0x0000000004E80000-memory.dmp

Filesize
256KB

Download
memory/2512-0-0x0000000000E50000-0x0000000001010000-memory.dmp

Filesize
1.8MB

Download
memory/2512-1-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-24-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-22-0x0000000000850000-0x00000000008C1000-memory.dmp

Filesize
452KB

Download
memory/2512-2422-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads