bitrat | 6d7fac5d7bfe833eb0756a174ceb9ea8280cd3f9858215924284af1b559bd81f

Analysis

max time kernel
1s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2024 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

537d313f3dfe75d7a9d4f36f80cce049.exe
Size

1.8MB
MD5

537d313f3dfe75d7a9d4f36f80cce049
SHA1

a9d34d4ef62afbeed8f74c18c212e2c1d4c3f7cb
SHA256

6d7fac5d7bfe833eb0756a174ceb9ea8280cd3f9858215924284af1b559bd81f
SHA512

c4b698a6058f935c1db07ac92ae5e39a2e90f9e07d536ab2b6045ca539115bd1f5c7088f51d12a9edaab76befc41b0e8584a2cef4c1f906366d0a09687bbea9c
SSDEEP

49152:pAESWFubG04k1ImcRlJtquEwR/r28SJ4tIMBegTbV:MZGXk12nt5Fr28Sqt7UgTbV

Score

10^/10

bitrat zgrat rat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

eter102.dvrlists.com:3050

Attributes

communication_password
fea0f7015af40ae69a386f06f28a8d31
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2684-51-0x00000000060A0000-0x0000000006116000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-65-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-83-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-107-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-115-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-113-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-111-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-109-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-105-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-103-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-101-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-99-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-97-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-95-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-93-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-91-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-89-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-87-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-85-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-81-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-79-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-77-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-75-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-73-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-71-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-69-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-67-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-63-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-61-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-59-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-57-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-55-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-53-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1
behavioral2/memory/2684-52-0x00000000060A0000-0x0000000006110000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3244-2387-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
"C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe"
1⤵
PID:2684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
2⤵
PID:1576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
2⤵
PID:952

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Kthavoimchnr.vbs"
2⤵
PID:1576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\outlook.exe'
3⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
C:\Users\Admin\AppData\Local\Temp\537d313f3dfe75d7a9d4f36f80cce049.exe
2⤵
PID:3244

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
0774a05ce5ee4c1af7097353c9296c62

SHA1
658ff96b111c21c39d7ad5f510fb72f9762114bb

SHA256
d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

SHA512
104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Download Submit
memory/952-2376-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/952-34-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/952-35-0x00000000030A0000-0x00000000030B0000-memory.dmp

Filesize
64KB

Download
memory/952-43-0x0000000006340000-0x0000000006694000-memory.dmp

Filesize
3.3MB

Download
memory/952-36-0x00000000030A0000-0x00000000030B0000-memory.dmp

Filesize
64KB

Download
memory/1576-9-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

Filesize
64KB

Download
memory/1576-10-0x0000000004DC0000-0x00000000053E8000-memory.dmp

Filesize
6.2MB

Download
memory/1576-12-0x0000000004BC0000-0x0000000004C26000-memory.dmp

Filesize
408KB

Download
memory/1576-23-0x0000000005660000-0x00000000059B4000-memory.dmp

Filesize
3.3MB

Download
memory/1576-13-0x00000000054F0000-0x0000000005556000-memory.dmp

Filesize
408KB

Download
memory/1576-11-0x0000000004B20000-0x0000000004B42000-memory.dmp

Filesize
136KB

Download
memory/1576-24-0x0000000005AD0000-0x0000000005AEE000-memory.dmp

Filesize
120KB

Download
memory/1576-25-0x0000000005B20000-0x0000000005B6C000-memory.dmp

Filesize
304KB

Download
memory/1576-8-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

Filesize
64KB

Download
memory/1576-7-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/1576-6-0x0000000000D50000-0x0000000000D86000-memory.dmp

Filesize
216KB

Download
memory/1576-28-0x0000000006010000-0x0000000006032000-memory.dmp

Filesize
136KB

Download
memory/1576-27-0x0000000005FC0000-0x0000000005FDA000-memory.dmp

Filesize
104KB

Download
memory/1576-26-0x00000000060A0000-0x0000000006136000-memory.dmp

Filesize
600KB

Download
memory/1576-29-0x0000000007D50000-0x00000000083CA000-memory.dmp

Filesize
6.5MB

Download
memory/1576-32-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/2684-91-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-67-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-4-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/2684-37-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/2684-3-0x0000000004ED0000-0x0000000004F62000-memory.dmp

Filesize
584KB

Download
memory/2684-2-0x0000000005480000-0x0000000005A24000-memory.dmp

Filesize
5.6MB

Download
memory/2684-49-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/2684-51-0x00000000060A0000-0x0000000006116000-memory.dmp

Filesize
472KB

Download
memory/2684-65-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-83-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-107-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-115-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-113-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-111-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-109-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-105-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-103-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-101-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-99-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-97-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-95-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-93-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-1-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/2684-89-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-87-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-85-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-81-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-79-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-77-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-75-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-73-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-71-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-69-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-5-0x0000000004E60000-0x0000000004E6A000-memory.dmp

Filesize
40KB

Download
memory/2684-63-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-61-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-59-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-57-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-55-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-53-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-52-0x00000000060A0000-0x0000000006110000-memory.dmp

Filesize
448KB

Download
memory/2684-50-0x0000000006140000-0x00000000062F2000-memory.dmp

Filesize
1.7MB

Download
memory/2684-0-0x00000000002A0000-0x000000000046A000-memory.dmp

Filesize
1.8MB

Download
memory/2684-2388-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/3244-2387-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3244-2444-0x0000000075470000-0x00000000754A9000-memory.dmp

Filesize
228KB

Download
memory/3244-2441-0x0000000075470000-0x00000000754A9000-memory.dmp

Filesize
228KB

Download
memory/3244-2438-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/3244-2437-0x0000000075470000-0x00000000754A9000-memory.dmp

Filesize
228KB

Download
memory/3244-2429-0x00000000750F0000-0x0000000075129000-memory.dmp

Filesize
228KB

Download
memory/3736-2406-0x00000000077A0000-0x00000000077D2000-memory.dmp

Filesize
200KB

Download
memory/3736-2423-0x0000000007B20000-0x0000000007B34000-memory.dmp

Filesize
80KB

Download
memory/3736-2418-0x0000000002BB0000-0x0000000002BC0000-memory.dmp

Filesize
64KB

Download
memory/3736-2417-0x0000000007760000-0x000000000777E000-memory.dmp

Filesize
120KB

Download
memory/3736-2407-0x0000000071080000-0x00000000710CC000-memory.dmp

Filesize
304KB

Download
memory/3736-2420-0x0000000007960000-0x000000000796A000-memory.dmp

Filesize
40KB

Download
memory/3736-2405-0x000000007F000000-0x000000007F010000-memory.dmp

Filesize
64KB

Download
memory/3736-2421-0x0000000007AD0000-0x0000000007AE1000-memory.dmp

Filesize
68KB

Download
memory/3736-2422-0x0000000007B10000-0x0000000007B1E000-memory.dmp

Filesize
56KB

Download
memory/3736-2419-0x0000000007830000-0x00000000078D3000-memory.dmp

Filesize
652KB

Download
memory/3736-2425-0x0000000007C00000-0x0000000007C08000-memory.dmp

Filesize
32KB

Download
memory/3736-2424-0x0000000007C10000-0x0000000007C2A000-memory.dmp

Filesize
104KB

Download
memory/3736-2427-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download
memory/3736-2403-0x0000000006610000-0x000000000665C000-memory.dmp

Filesize
304KB

Download
memory/3736-2389-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download
memory/3736-2401-0x0000000006150000-0x00000000064A4000-memory.dmp

Filesize
3.3MB

Download
memory/3736-2391-0x0000000002BB0000-0x0000000002BC0000-memory.dmp

Filesize
64KB

Download
memory/3736-2390-0x0000000002BB0000-0x0000000002BC0000-memory.dmp

Filesize
64KB

Download