bitrat | 6d24e6ecd6bf6ffd18a68f7c778948f91a7246b1d6f5edfd37c35906a0560993

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-01-2024 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4016119ba57601bc543f501c4527d1a5.exe
Size

2.2MB
MD5

4016119ba57601bc543f501c4527d1a5
SHA1

8a100cc045ffba3b26da65854693dbf16bd1c2e8
SHA256

6d24e6ecd6bf6ffd18a68f7c778948f91a7246b1d6f5edfd37c35906a0560993
SHA512

d51eec651c5135aee209259d7abd72d75c497777a87339087e71c1ddea571eab04cb667c7cd9f10eb74ae567adcfc37929ebe91f92452fece464daaa7b30aab1
SSDEEP

49152:aaN8XyxfaWcko3MfUJtCqVphOqlpWy3aEoBOvHubP9vZqJCSxCyULta+sCcqUB7E:B8XyxfaWKM8fgqlpnEO2Zcwny5Lqk7CK

Score

10^/10

bitrat zgrat rat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

firewall.publicvm.com:25874

Attributes

communication_password
a20ba4fb329f7dc66c0dd3562e9f9984
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/1720-4-0x0000000002380000-0x0000000002400000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-6-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-5-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-10-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-22-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-46-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-68-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-66-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-64-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-62-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-60-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-58-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-56-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-54-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-52-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-50-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-48-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-44-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-42-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-40-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-38-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-36-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-34-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-32-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-30-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-28-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-26-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-24-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-20-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-18-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-16-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-14-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-12-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-8-0x0000000002380000-0x00000000023FA000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2688	4016119ba57601bc543f501c4527d1a5.exe
2688	4016119ba57601bc543f501c4527d1a5.exe
2688	4016119ba57601bc543f501c4527d1a5.exe
2688	4016119ba57601bc543f501c4527d1a5.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 2688	1720	4016119ba57601bc543f501c4527d1a5.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1720	4016119ba57601bc543f501c4527d1a5.exe
1720	4016119ba57601bc543f501c4527d1a5.exe
3036	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	4016119ba57601bc543f501c4527d1a5.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2688	4016119ba57601bc543f501c4527d1a5.exe
Token: SeShutdownPrivilege	2688	4016119ba57601bc543f501c4527d1a5.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2688	4016119ba57601bc543f501c4527d1a5.exe
2688	4016119ba57601bc543f501c4527d1a5.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2904	1720	4016119ba57601bc543f501c4527d1a5.exe	31
PID 1720 wrote to memory of 2904	1720	4016119ba57601bc543f501c4527d1a5.exe	31
PID 1720 wrote to memory of 2904	1720	4016119ba57601bc543f501c4527d1a5.exe	31
PID 1720 wrote to memory of 2904	1720	4016119ba57601bc543f501c4527d1a5.exe	31
PID 2904 wrote to memory of 3036	2904	WScript.exe	30
PID 2904 wrote to memory of 3036	2904	WScript.exe	30
PID 2904 wrote to memory of 3036	2904	WScript.exe	30
PID 2904 wrote to memory of 3036	2904	WScript.exe	30
PID 1720 wrote to memory of 2688	1720	4016119ba57601bc543f501c4527d1a5.exe	28
PID 1720 wrote to memory of 2688	1720	4016119ba57601bc543f501c4527d1a5.exe	28
PID 1720 wrote to memory of 2688	1720	4016119ba57601bc543f501c4527d1a5.exe	28
PID 1720 wrote to memory of 2688	1720	4016119ba57601bc543f501c4527d1a5.exe	28
PID 1720 wrote to memory of 2688	1720	4016119ba57601bc543f501c4527d1a5.exe	28
PID 1720 wrote to memory of 2688	1720	4016119ba57601bc543f501c4527d1a5.exe	28
PID 1720 wrote to memory of 2688	1720	4016119ba57601bc543f501c4527d1a5.exe	28
PID 1720 wrote to memory of 2688	1720	4016119ba57601bc543f501c4527d1a5.exe	28
PID 1720 wrote to memory of 2688	1720	4016119ba57601bc543f501c4527d1a5.exe	28
PID 1720 wrote to memory of 2688	1720	4016119ba57601bc543f501c4527d1a5.exe	28
PID 1720 wrote to memory of 2688	1720	4016119ba57601bc543f501c4527d1a5.exe	28
PID 1720 wrote to memory of 2688	1720	4016119ba57601bc543f501c4527d1a5.exe	28

C:\Users\Admin\AppData\Local\Temp\4016119ba57601bc543f501c4527d1a5.exe
"C:\Users\Admin\AppData\Local\Temp\4016119ba57601bc543f501c4527d1a5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\4016119ba57601bc543f501c4527d1a5.exe
  C:\Users\Admin\AppData\Local\Temp\4016119ba57601bc543f501c4527d1a5.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2688
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Rwxjsmgul.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NVIDIA\nvcontainer.exe'
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1720-40-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-5-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-2-0x0000000004F40000-0x0000000004F80000-memory.dmp

Filesize
256KB

Download
memory/1720-3-0x0000000008170000-0x0000000008386000-memory.dmp

Filesize
2.1MB

Download
memory/1720-4-0x0000000002380000-0x0000000002400000-memory.dmp

Filesize
512KB

Download
memory/1720-6-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-38-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-10-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-22-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-46-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-68-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-36-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-64-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-62-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-60-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-58-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-56-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-54-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-52-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-50-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-1-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/1720-44-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-42-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-450-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/1720-48-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-0-0x0000000000BD0000-0x0000000000E08000-memory.dmp

Filesize
2.2MB

Download
memory/1720-66-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-34-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-32-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-30-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-28-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-26-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-24-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-20-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-18-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-16-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-14-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-12-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-8-0x0000000002380000-0x00000000023FA000-memory.dmp

Filesize
488KB

Download
memory/1720-2447-0x0000000004F40000-0x0000000004F80000-memory.dmp

Filesize
256KB

Download
memory/1720-2448-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2688-2449-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2688-2466-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/3036-2456-0x0000000002A30000-0x0000000002A70000-memory.dmp

Filesize
256KB

Download
memory/3036-2455-0x0000000002A30000-0x0000000002A70000-memory.dmp

Filesize
256KB

Download
memory/3036-2454-0x0000000002A30000-0x0000000002A70000-memory.dmp

Filesize
256KB

Download
memory/3036-2453-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/3036-2452-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/3036-2457-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download