bitrat | a6c9311a9434e428bec6dd1b01e2e4033d4f8685cae164aa14e335ba0a176d09

Analysis

max time kernel
0s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

496d5fc129c98a075ea39863bd8938a2.exe
Size

4.2MB
MD5

496d5fc129c98a075ea39863bd8938a2
SHA1

17ea2c2f785749550044a4fe055163216f47b76c
SHA256

a6c9311a9434e428bec6dd1b01e2e4033d4f8685cae164aa14e335ba0a176d09
SHA512

567fa49ceced374a4123a7441014c1da325973d763f1222b4631b01c26ac7163330fae7a1ba08d73a9e68b4830e4320a17523d48ccd786f86b087a3d3094a2ad
SSDEEP

49152:36PaeNTOyzL4EXgpSTeCrkT04991Gexjmo1G3q99C336nGhl52LQaRV8/qz+qq2E:kagTOb4TGljhFmU/eqq2Ltk/FqqibWT7

Score

10^/10

bitrat zgrat rat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

firewall.publicvm.com:25874

Attributes

communication_password
a20ba4fb329f7dc66c0dd3562e9f9984
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detect ZGRat V1 29 IoCs

resource	yara_rule
behavioral2/memory/4844-104-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-124-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-138-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-146-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-154-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-152-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-150-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-148-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-144-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-142-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-140-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-136-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-134-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-132-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-130-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-128-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-126-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-122-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-120-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-118-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-114-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-112-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-110-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-108-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-106-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-102-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-98-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-96-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/4844-94-0x0000000005EE0000-0x0000000005F5A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe
"C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe"
1⤵
PID:3388
- C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe
  "C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe"
  2⤵
  PID:3060
- C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif
  "C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif"
  2⤵
  PID:4844
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
    3⤵
    PID:4404
- - C:\Users\Admin\AppData\Local\Temp\Sys.pif
    C:\Users\Admin\AppData\Local\Temp\Sys.pif
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Cughlqhdqdvxnicuaztmvn.vbs"
    3⤵
    PID:2912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
1⤵
PID:2344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NVIDIA\nvcontainer.exe'
1⤵
PID:4416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
0774a05ce5ee4c1af7097353c9296c62

SHA1
658ff96b111c21c39d7ad5f510fb72f9762114bb

SHA256
d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

SHA512
104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
3208d49ba6636842bd1fbf160895f03a

SHA1
0b467dba6f9c2d4ba92b8316305c268f66091542

SHA256
42be444d765ccf981588d0178c87e27f6e4779159c2801ac5686273f5b9fb32b

SHA512
fc0701993fb6670fe548fae0d079213c32adfa0012106a9606bab10895ad25c5e67faf26fdd55a07a12ab3d53155169c8a8b6cbf7ec1a269ed97be8eceba1182

Download Submit
C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe

Filesize
92KB

MD5
db839c59eee092b7aadaf7c429e45c32

SHA1
e8be58417dfd4ed4dd110776de843084302f43df

SHA256
e495c5fc9eb8073157995929503522403f160fcf4f3519770185539784bd3684

SHA512
64242febb1bc8941ef4b2fdced4bfa914c06fc7ab96b9e9ffce9aa1913404380999e20f8b0eca3320feecbb9eb37e040339a832915ffa195beb5de9e65b4a56f

Download Submit
C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif

Filesize
381KB

MD5
7c6ae5039d34ef48cb0ba0fdc51f8488

SHA1
81078d459d6f1c6dd69564f0d3c1731bf4a2128a

SHA256
a02b1cb427385a59c2afc7cd7d0301836bd3e2118cfa58f3a80660e55c82521b

SHA512
9c458bf95d94a370877be8cb73768d19ee20b4f1cb1e90283cbc95c066f68e30bdaeb35516160e3728c930ad73dbbe5ace076cf9e51924a627a83a20a780e6bc

Download Submit
memory/2344-49-0x0000000002D10000-0x0000000002D20000-memory.dmp

Filesize
64KB

Download
memory/2344-64-0x0000000005F80000-0x00000000062D4000-memory.dmp

Filesize
3.3MB

Download
memory/2344-68-0x0000000006A20000-0x0000000006A3A000-memory.dmp

Filesize
104KB

Download
memory/2344-67-0x0000000007530000-0x00000000075C6000-memory.dmp

Filesize
600KB

Download
memory/2344-47-0x0000000002C50000-0x0000000002C86000-memory.dmp

Filesize
216KB

Download
memory/2344-48-0x00000000732A0000-0x0000000073A50000-memory.dmp

Filesize
7.7MB

Download
memory/2344-86-0x00000000732A0000-0x0000000073A50000-memory.dmp

Filesize
7.7MB

Download
memory/2344-70-0x00000000087B0000-0x0000000008E2A000-memory.dmp

Filesize
6.5MB

Download
memory/2344-50-0x0000000002D10000-0x0000000002D20000-memory.dmp

Filesize
64KB

Download
memory/2344-51-0x0000000005780000-0x0000000005DA8000-memory.dmp

Filesize
6.2MB

Download
memory/2344-54-0x0000000005F10000-0x0000000005F76000-memory.dmp

Filesize
408KB

Download
memory/2344-69-0x0000000006A70000-0x0000000006A92000-memory.dmp

Filesize
136KB

Download
memory/2344-53-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download
memory/2344-52-0x0000000005480000-0x00000000054A2000-memory.dmp

Filesize
136KB

Download
memory/2344-65-0x0000000006540000-0x000000000655E000-memory.dmp

Filesize
120KB

Download
memory/2344-66-0x00000000065F0000-0x000000000663C000-memory.dmp

Filesize
304KB

Download
memory/2952-2656-0x00000000753E0000-0x0000000075419000-memory.dmp

Filesize
228KB

Download
memory/2952-2660-0x00000000753E0000-0x0000000075419000-memory.dmp

Filesize
228KB

Download
memory/2952-2657-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2952-2611-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2952-2648-0x0000000075060000-0x0000000075099000-memory.dmp

Filesize
228KB

Download
memory/2952-2663-0x00000000753E0000-0x0000000075419000-memory.dmp

Filesize
228KB

Download
memory/2952-2666-0x00000000753E0000-0x0000000075419000-memory.dmp

Filesize
228KB

Download
memory/3060-31-0x0000024FBB060000-0x0000024FBB0C6000-memory.dmp

Filesize
408KB

Download
memory/3060-38-0x0000024FD5620000-0x0000024FD569C000-memory.dmp

Filesize
496KB

Download
memory/3060-34-0x0000024FBB460000-0x0000024FBB478000-memory.dmp

Filesize
96KB

Download
memory/3060-36-0x00007FFE7A590000-0x00007FFE7B051000-memory.dmp

Filesize
10.8MB

Download
memory/3060-83-0x00007FFE7A590000-0x00007FFE7B051000-memory.dmp

Filesize
10.8MB

Download
memory/3060-40-0x0000024FBB500000-0x0000024FBB510000-memory.dmp

Filesize
64KB

Download
memory/3060-46-0x0000024FBB570000-0x0000024FBB5AC000-memory.dmp

Filesize
240KB

Download
memory/3060-88-0x0000024FBB500000-0x0000024FBB510000-memory.dmp

Filesize
64KB

Download
memory/3060-41-0x0000024FBB4A0000-0x0000024FBB4AA000-memory.dmp

Filesize
40KB

Download
memory/3060-44-0x0000024FBB510000-0x0000024FBB558000-memory.dmp

Filesize
288KB

Download
memory/4404-839-0x00000000732A0000-0x0000000073A50000-memory.dmp

Filesize
7.7MB

Download
memory/4404-73-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/4404-72-0x00000000732A0000-0x0000000073A50000-memory.dmp

Filesize
7.7MB

Download
memory/4416-2642-0x0000000007810000-0x0000000007824000-memory.dmp

Filesize
80KB

Download
memory/4416-2638-0x0000000007530000-0x00000000075D3000-memory.dmp

Filesize
652KB

Download
memory/4416-2643-0x0000000007910000-0x000000000792A000-memory.dmp

Filesize
104KB

Download
memory/4416-2640-0x00000000077D0000-0x00000000077E1000-memory.dmp

Filesize
68KB

Download
memory/4416-2624-0x000000007FA40000-0x000000007FA50000-memory.dmp

Filesize
64KB

Download
memory/4416-2639-0x0000000007650000-0x000000000765A000-memory.dmp

Filesize
40KB

Download
memory/4416-2626-0x0000000075750000-0x000000007579C000-memory.dmp

Filesize
304KB

Download
memory/4416-2636-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/4416-2637-0x0000000006830000-0x000000000684E000-memory.dmp

Filesize
120KB

Download
memory/4416-2644-0x00000000078F0000-0x00000000078F8000-memory.dmp

Filesize
32KB

Download
memory/4416-2625-0x0000000007290000-0x00000000072C2000-memory.dmp

Filesize
200KB

Download
memory/4416-2604-0x00000000732A0000-0x0000000073A50000-memory.dmp

Filesize
7.7MB

Download
memory/4416-2623-0x00000000062F0000-0x000000000633C000-memory.dmp

Filesize
304KB

Download
memory/4416-2617-0x0000000005C00000-0x0000000005F54000-memory.dmp

Filesize
3.3MB

Download
memory/4416-2641-0x0000000007800000-0x000000000780E000-memory.dmp

Filesize
56KB

Download
memory/4416-2609-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/4416-2646-0x00000000732A0000-0x0000000073A50000-memory.dmp

Filesize
7.7MB

Download
memory/4844-152-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-2610-0x00000000732A0000-0x0000000073A50000-memory.dmp

Filesize
7.7MB

Download
memory/4844-120-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-118-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-114-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-112-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-110-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-108-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-106-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-102-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-100-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-98-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-96-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-94-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-92-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-90-0x0000000005EE0000-0x0000000005F60000-memory.dmp

Filesize
512KB

Download
memory/4844-126-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-128-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-42-0x0000000004C60000-0x0000000004C6A000-memory.dmp

Filesize
40KB

Download
memory/4844-130-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-132-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-122-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-134-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-136-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-140-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-142-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-144-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-148-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-150-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-35-0x0000000004BB0000-0x0000000004C42000-memory.dmp

Filesize
584KB

Download
memory/4844-154-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-146-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-138-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-124-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-116-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-104-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-91-0x0000000005EE0000-0x0000000005F5A000-memory.dmp

Filesize
488KB

Download
memory/4844-89-0x0000000006A50000-0x0000000006C64000-memory.dmp

Filesize
2.1MB

Download
memory/4844-87-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4844-71-0x00000000732A0000-0x0000000073A50000-memory.dmp

Filesize
7.7MB

Download
memory/4844-39-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4844-33-0x00000000050C0000-0x0000000005664000-memory.dmp

Filesize
5.6MB

Download
memory/4844-32-0x00000000732A0000-0x0000000073A50000-memory.dmp

Filesize
7.7MB

Download
memory/4844-30-0x00000000000B0000-0x00000000002F4000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads