bitrat | 2b0e5a007f1b13a5f5380718ba98c8e00c087315501667d03ebd6bf986205e2b | Triage

Submit
Reports

Overview

overview

Static

static

3

5dcca8cd88...34.exe

windows7-x64

5dcca8cd88...34.exe

windows10-2004-x64

Sharing

General

Target

5dcca8cd88e96c87d548d21c582e6534
Size

1.7MB
Sample

240115-xab57schdq
MD5

5dcca8cd88e96c87d548d21c582e6534
SHA1

0715d363f54b89afc0a2e3b685ffa45cf76fcbeb
SHA256

2b0e5a007f1b13a5f5380718ba98c8e00c087315501667d03ebd6bf986205e2b
SHA512

5d48b7f2182f440a0201cb4c83f283b3866f9745ff0d2b8b79e2dfbcf68742d0d42a93fdcae680e031c09cdcdf417c40607e62e519adc264383da4a4e74ef2a7
SSDEEP

49152:MZO7NPP6UaRoNqZRTeSSwvA8kfLQ68fkCtgHREBfJXA:CcPP6UaRoNqDeSS6tEQ68fkCuHREBfK

Score

10^/10

bitrat zgrat persistence rat trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

5dcca8cd88e96c87d548d21c582e6534.exe

Resource

win7-20231215-en

bitrat zgrat persistence rat trojan upx

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

5dcca8cd88e96c87d548d21c582e6534.exe

Resource

win10v2004-20231215-en

zgrat persistence rat

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

94.237.49.140:2222

Attributes

communication_password
934b535800b1cba8f96a5d72f72f1611
tor_process
tor

Targets

- Target
  
  5dcca8cd88e96c87d548d21c582e6534
- Size
  
  1.7MB
- MD5
  
  5dcca8cd88e96c87d548d21c582e6534
- SHA1
  
  0715d363f54b89afc0a2e3b685ffa45cf76fcbeb
- SHA256
  
  2b0e5a007f1b13a5f5380718ba98c8e00c087315501667d03ebd6bf986205e2b
- SHA512
  
  5d48b7f2182f440a0201cb4c83f283b3866f9745ff0d2b8b79e2dfbcf68742d0d42a93fdcae680e031c09cdcdf417c40607e62e519adc264383da4a4e74ef2a7
- SSDEEP
  
  49152:MZO7NPP6UaRoNqZRTeSSwvA8kfLQ68fkCtgHREBfJXA:CcPP6UaRoNqDeSS6tEQ68fkCuHREBfK
Score

10^/10

bitrat zgrat persistence rat trojan upx
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

bitratzgratpersistencerattrojanupx

behavioral2

zgratpersistencerat

© 2018-2024

Terms | Privacy