Overview

overview

10

Static

static

3

586f79d31e...12.exe

windows7-x64

10

586f79d31e...12.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-01-2024 08:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    586f79d31e3b60f3737c247810e56612.exe

  • Size

    1.8MB

  • MD5

    586f79d31e3b60f3737c247810e56612

  • SHA1

    ec148bed94d3a4e9dabe517533a74b6021d02fef

  • SHA256

    bf6b69cb7063d748e6404300ed8b587473b20b2239605862ccbec909bccf7485

  • SHA512

    0c72552226bebd0b71e789a875693fd157c3071e14ca5abebdb54e1d6cddb326be0db3a7c37957ab0b1a1cf090e3784c09e5085c1e322e16e9984c5e9af5142b

  • SSDEEP

    49152:V2GnkYpnt6j4Va7ep3sQDHDdtf4NN3cpbV:Vk0y4VoeN1DLfiKbV

Score
10/10
bitratzgratpersistencerattrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

eter102.dvrlists.com:3050

Attributes
  • communication_password

    fea0f7015af40ae69a386f06f28a8d31

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
    "C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:460
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3476
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ycpntjpyqzgdwajef.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3136
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\outlook.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:752
    • C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
      C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetWindowsHookEx
      PID:4204

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    0774a05ce5ee4c1af7097353c9296c62

    SHA1

    658ff96b111c21c39d7ad5f510fb72f9762114bb

    SHA256

    d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

    SHA512

    104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    20KB

    MD5

    5b1ee9554b62a707a61e0ac7bb847b32

    SHA1

    c1d1ec7a74de9d34712dde2f0b28205b92230985

    SHA256

    42078ab3e14d24babb39b4b2151926a93190d5c4cd07667b3c24a228cdc3c3dd

    SHA512

    8003359d4549133e292a0dd797a9837a92a01c1913abc93ca8b5b1e17bb02760dbc668a50775f84ab09f846738a0c52839b03bc8a104f59cc07804fa20bf2ff4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_Ycpntjpyqzgdwajef.vbs
    Filesize

    137B

    MD5

    41c8a8551ff6fc7a2b9aadcff976ca0f

    SHA1

    444db8be2af0b1128229ac46e4963e0570159c3c

    SHA256

    bc147b5a209f5db13fa86ce6906be0d4dfec76469af3f304d490f10443cf5df5

    SHA512

    b52b716c3827a20d9298a32c8243f8e506c77c4be10e29e39a17ba303d0c65d70e257ab4f1c7368e99608c53ec12e6a1e7287e3d644df1f4cdbc539a501763c8

    Download Submit
  • memory/460-28-0x0000000006340000-0x0000000006362000-memory.dmp
    Filesize

    136KB

    Download
  • memory/460-12-0x00000000056A0000-0x0000000005706000-memory.dmp
    Filesize

    408KB

    Download
  • memory/460-25-0x0000000005E40000-0x0000000005E8C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/460-9-0x0000000002490000-0x00000000024A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/460-27-0x00000000062F0000-0x000000000630A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/460-13-0x00000000057C0000-0x0000000005826000-memory.dmp
    Filesize

    408KB

    Download
  • memory/460-23-0x0000000005930000-0x0000000005C84000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/460-29-0x0000000008010000-0x000000000868A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/460-24-0x0000000005DF0000-0x0000000005E0E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/460-32-0x0000000074D60000-0x0000000075510000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/460-11-0x0000000005580000-0x00000000055A2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/460-8-0x0000000002490000-0x00000000024A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/460-7-0x0000000074D60000-0x0000000075510000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/460-6-0x0000000002520000-0x0000000002556000-memory.dmp
    Filesize

    216KB

    Download
  • memory/460-26-0x0000000006D90000-0x0000000006E26000-memory.dmp
    Filesize

    600KB

    Download
  • memory/460-10-0x0000000004F20000-0x0000000005548000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/752-2409-0x0000000005090000-0x00000000050A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/752-2440-0x0000000007AB0000-0x0000000007AC4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/752-2435-0x0000000005090000-0x00000000050A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/752-2437-0x00000000078E0000-0x00000000078EA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/752-2422-0x0000000007540000-0x0000000007572000-memory.dmp
    Filesize

    200KB

    Download
  • memory/752-2423-0x0000000070C00000-0x0000000070C4C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/752-2438-0x0000000007A70000-0x0000000007A81000-memory.dmp
    Filesize

    68KB

    Download
  • memory/752-2441-0x0000000007BB0000-0x0000000007BCA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/752-2434-0x0000000005090000-0x00000000050A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/752-2433-0x0000000006B00000-0x0000000006B1E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/752-2439-0x0000000007AA0000-0x0000000007AAE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/752-2436-0x00000000077C0000-0x0000000007863000-memory.dmp
    Filesize

    652KB

    Download
  • memory/752-2407-0x0000000074DE0000-0x0000000075590000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/752-2421-0x0000000006AB0000-0x0000000006AFC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/752-2408-0x0000000005090000-0x00000000050A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/752-2419-0x0000000005E20000-0x0000000006174000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/752-2444-0x0000000074DE0000-0x0000000075590000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/752-2442-0x0000000007B90000-0x0000000007B98000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1392-92-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-106-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-102-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-100-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-98-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-96-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-94-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-2-0x00000000052C0000-0x0000000005864000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1392-88-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-86-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-84-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-82-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-80-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-78-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-76-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-74-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-70-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-68-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-66-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-64-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-62-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-60-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-58-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-56-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-54-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-53-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-51-0x00000000060C0000-0x0000000006274000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1392-104-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-1-0x0000000000230000-0x0000000000402000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1392-2405-0x0000000074D60000-0x0000000075510000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1392-108-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-112-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-114-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-116-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-110-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-90-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-72-0x0000000005FE0000-0x0000000006052000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1392-52-0x0000000005FE0000-0x0000000006058000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1392-0-0x0000000074D60000-0x0000000075510000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1392-48-0x0000000004D80000-0x0000000004D90000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1392-47-0x0000000074D60000-0x0000000075510000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1392-3-0x0000000004DF0000-0x0000000004E82000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1392-4-0x0000000004D80000-0x0000000004D90000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1392-5-0x0000000004EC0000-0x0000000004ECA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3476-36-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3476-35-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3476-34-0x0000000074D60000-0x0000000075510000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3476-50-0x0000000074D60000-0x0000000075510000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4204-2406-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/4204-2446-0x0000000074C70000-0x0000000074CA9000-memory.dmp
    Filesize

    228KB

    Download
  • memory/4204-2454-0x0000000075010000-0x0000000075049000-memory.dmp
    Filesize

    228KB

    Download
  • memory/4204-2455-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/4204-2458-0x0000000075010000-0x0000000075049000-memory.dmp
    Filesize

    228KB

    Download
  • memory/4204-2461-0x0000000075010000-0x0000000075049000-memory.dmp
    Filesize

    228KB

    Download