Overview

overview

10

Static

static

3

75bff99bec...45.exe

windows7-x64

10

75bff99bec...45.exe

windows10-2004-x64

10

Resubmissions

17-04-2024 14:54

240417-r96wzada86 10

17-04-2024 14:54

240417-r95znsee4v 10

17-04-2024 14:54

240417-r943dada82 10

17-04-2024 14:54

240417-r9353sda77 10

17-04-2024 14:54

240417-r93jjsee3x 10

15-04-2024 13:19

240415-qkln3afc75 10

10-04-2024 12:02

240410-n7v5xaeh49 10

10-04-2024 12:02

240410-n7vjdaaa8t 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    75bff99becc32bcbe56efbe7a75f4d45

  • Size

    7.0MB

  • Sample

    240125-2376kaabep

  • MD5

    75bff99becc32bcbe56efbe7a75f4d45

  • SHA1

    81bfcc77809161a5254a27d3d4d30548c96fcd5b

  • SHA256

    8c05da461e90984671ffd87f0e4e28e057cca4d32a0569764dcdcce2d545fac2

  • SHA512

    940af628585713a16e685eb5251c0b954bc014460cd4ca33226df2ef260f32af56223eaf1c341862fdf1669c6bafb6e7d9c5efbeb5e437ce5e2fd9905beece69

  • SSDEEP

    49152:uW/1GYdVTXN3r3+LXDIDAKpvuh3jwLN6/VNUKIdI9OiKuDbD2yvAkdm5wrgWX+5z:hXkZL/p

Score
10/10
bitratzgratpersistencerattrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

obqdy2u226qjiavs42z4z6zgcf6tefsoxaqzjvohmoy7kafdwgqgjkqd.onion:80

Attributes
  • communication_password

    d93b4f1ee6f5b875a4f7fcef966bd09a

  • tor_process

    WinSock

Targets

    • Target

      75bff99becc32bcbe56efbe7a75f4d45

    • Size

      7.0MB

    • MD5

      75bff99becc32bcbe56efbe7a75f4d45

    • SHA1

      81bfcc77809161a5254a27d3d4d30548c96fcd5b

    • SHA256

      8c05da461e90984671ffd87f0e4e28e057cca4d32a0569764dcdcce2d545fac2

    • SHA512

      940af628585713a16e685eb5251c0b954bc014460cd4ca33226df2ef260f32af56223eaf1c341862fdf1669c6bafb6e7d9c5efbeb5e437ce5e2fd9905beece69

    • SSDEEP

      49152:uW/1GYdVTXN3r3+LXDIDAKpvuh3jwLN6/VNUKIdI9OiKuDbD2yvAkdm5wrgWX+5z:hXkZL/p

    Score
    10/10
    zgratpersistenceratbitrattrojanupx

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

      trojanbitrat

    • Detect ZGRat V1

    • Modifies WinLogon for persistence

      persistence

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks