Overview

overview

10

Static

static

3

5dcca8cd88...34.exe

windows7-x64

10

5dcca8cd88...34.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    15-01-2024 18:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5dcca8cd88e96c87d548d21c582e6534.exe

  • Size

    1.7MB

  • MD5

    5dcca8cd88e96c87d548d21c582e6534

  • SHA1

    0715d363f54b89afc0a2e3b685ffa45cf76fcbeb

  • SHA256

    2b0e5a007f1b13a5f5380718ba98c8e00c087315501667d03ebd6bf986205e2b

  • SHA512

    5d48b7f2182f440a0201cb4c83f283b3866f9745ff0d2b8b79e2dfbcf68742d0d42a93fdcae680e031c09cdcdf417c40607e62e519adc264383da4a4e74ef2a7

  • SSDEEP

    49152:MZO7NPP6UaRoNqZRTeSSwvA8kfLQ68fkCtgHREBfJXA:CcPP6UaRoNqDeSS6tEQ68fkCuHREBfK

Score
10/10
bitratzgratpersistencerattrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

94.237.49.140:2222

Attributes
  • communication_password

    934b535800b1cba8f96a5d72f72f1611

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5dcca8cd88e96c87d548d21c582e6534.exe
    "C:\Users\Admin\AppData\Local\Temp\5dcca8cd88e96c87d548d21c582e6534.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Fqwxizhaqzzkrkb.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\WinRAR\WinRAR.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2444
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\5dcca8cd88e96c87d548d21c582e6534.exe" -Force
      2⤵
      • Deletes itself
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1544
    • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2976

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_Fqwxizhaqzzkrkb.vbs
    Filesize

    143B

    MD5

    a005d0cdeced63bd69946fdc567f5790

    SHA1

    2a8f8b628dfb1c122c6a7f6df720bc0b1a4edfa9

    SHA256

    2c1c3db64a15478fabe2013f50ad9ec329b75a10b8054be67f765d9891582c8e

    SHA512

    a4cfd3f0567f9b378b8643fc31350048a3c8d272568104df1e851da4406a72ad61e5865a34a3d0d9a9b3643f2c54a3e96b85362797ebcb747826745ccd38235b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N27W4AQIAQM9RHWN8MK4.temp
    Filesize

    7KB

    MD5

    ce77d1a9ff3f9282cc387bd8dc924653

    SHA1

    6f3650fb3d06dfe1991f405d5c2f85efb5356c68

    SHA256

    40d39783cb6070d6b0c496c3b615f79ad164470ad44f3fff5a5f6bbc53c4430e

    SHA512

    cca5d0aa6f3e8477436920db955c5bfee4fa9e0b426b554564e39b24d7e5c0afe381535ac1df5f558b4d38d531f8478f8a78efb2d3ed1b55e784241135b886fb

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RegAsm.exe
    Filesize

    63KB

    MD5

    b58b926c3574d28d5b7fdd2ca3ec30d5

    SHA1

    d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

    SHA256

    6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

    SHA512

    b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

    Download Submit
  • memory/1544-1787-0x0000000073910000-0x0000000073EBB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1544-1807-0x0000000073910000-0x0000000073EBB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1544-1793-0x00000000025B0000-0x00000000025F0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1544-1792-0x0000000073910000-0x0000000073EBB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1544-1790-0x00000000025B0000-0x00000000025F0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2444-1791-0x0000000073910000-0x0000000073EBB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2444-1788-0x0000000073910000-0x0000000073EBB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2444-1789-0x00000000027A0000-0x00000000027E0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2444-1794-0x00000000027A0000-0x00000000027E0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2444-1797-0x0000000073910000-0x0000000073EBB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2760-18-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-62-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-22-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-26-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-24-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-32-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-30-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-28-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-34-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-36-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-40-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-38-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-42-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-44-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-46-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-52-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-50-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-54-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-48-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-58-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-56-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-0-0x00000000009B0000-0x0000000000B6C000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/2760-60-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-64-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-66-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-68-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-70-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-20-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-12-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-1773-0x0000000074AD0000-0x00000000751BE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2760-14-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-16-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-10-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-8-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-7-0x00000000001D0000-0x0000000000224000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2760-6-0x00000000001D0000-0x000000000022A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/2760-5-0x0000000008910000-0x0000000008AB4000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2760-4-0x00000000023A0000-0x00000000023E0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2760-3-0x00000000023A0000-0x00000000023E0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2760-1-0x0000000074AD0000-0x00000000751BE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2760-2-0x00000000023A0000-0x00000000023E0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2976-1795-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/2976-1808-0x0000000000400000-0x00000000007E4000-memory.dmp
    Filesize

    3.9MB

    Download