bitrat | c2e1450509092251b7376c9d4acd0636b41c19060591c0ef6c3bb58ab7e49ee0

General

Target

814f22a67e6d2046f532f973f197c649.exe
Size

2.5MB
MD5

814f22a67e6d2046f532f973f197c649
SHA1

049bdddb3349ecf80c079a38297ee442190a38ad
SHA256

c2e1450509092251b7376c9d4acd0636b41c19060591c0ef6c3bb58ab7e49ee0
SHA512

696315f90cefdec65e8c2a4ca2d8f9b79fc4dce5f0bf186dd50bca398c5e9f9ea435232de639a3847460ce4331d85535a433ce7c07518977b2931ffcee6f326b
SSDEEP

49152:R6XZx5c96civqfPao3Hwa1VDhkYKt457bjG48GrbcE+SER:R6pxepiuR3Kt4Ra4N+1

Score

10^/10

bitrat zgrat persistence rat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

179.43.141.103:1234

Attributes

communication_password
dc647eb65e6711e155375218212b3964
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1596-10-0x0000000007F20000-0x0000000007F88000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-11-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-12-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-14-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-16-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-18-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-20-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-22-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-24-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-26-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-28-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-30-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-32-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-34-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-36-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-38-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-40-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-42-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-44-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-46-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-48-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-50-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-52-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-54-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-56-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-58-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-60-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-62-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-64-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-66-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-68-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-70-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-72-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1
behavioral2/memory/1596-74-0x0000000007F20000-0x0000000007F82000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

814f22a67e6d2046f532f973f197c649.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvidiaShare = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Nvidia\\NvidiaShare.exe\""	814f22a67e6d2046f532f973f197c649.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

814f22a67e6d2046f532f973f197c649.exe

pid	process
5052	814f22a67e6d2046f532f973f197c649.exe
5052	814f22a67e6d2046f532f973f197c649.exe
5052	814f22a67e6d2046f532f973f197c649.exe
5052	814f22a67e6d2046f532f973f197c649.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

814f22a67e6d2046f532f973f197c649.exe

description pid process target process

PID 1596 set thread context of 5052 1596 814f22a67e6d2046f532f973f197c649.exe 814f22a67e6d2046f532f973f197c649.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

814f22a67e6d2046f532f973f197c649.exe

pid process

1596 814f22a67e6d2046f532f973f197c649.exe
1596 814f22a67e6d2046f532f973f197c649.exe

description	pid	process	target process
PID 1596 set thread context of 5052	1596	814f22a67e6d2046f532f973f197c649.exe	814f22a67e6d2046f532f973f197c649.exe

pid	process
1596	814f22a67e6d2046f532f973f197c649.exe
1596	814f22a67e6d2046f532f973f197c649.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

814f22a67e6d2046f532f973f197c649.exe814f22a67e6d2046f532f973f197c649.exe

description	pid	process
Token: SeDebugPrivilege	1596	814f22a67e6d2046f532f973f197c649.exe
Token: SeShutdownPrivilege	5052	814f22a67e6d2046f532f973f197c649.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

814f22a67e6d2046f532f973f197c649.exe

pid process

5052 814f22a67e6d2046f532f973f197c649.exe
5052 814f22a67e6d2046f532f973f197c649.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

814f22a67e6d2046f532f973f197c649.exe

description	pid	process	target process
PID 1596 wrote to memory of 5052	1596	814f22a67e6d2046f532f973f197c649.exe	814f22a67e6d2046f532f973f197c649.exe
PID 1596 wrote to memory of 5052	1596	814f22a67e6d2046f532f973f197c649.exe	814f22a67e6d2046f532f973f197c649.exe
PID 1596 wrote to memory of 5052	1596	814f22a67e6d2046f532f973f197c649.exe	814f22a67e6d2046f532f973f197c649.exe
PID 1596 wrote to memory of 5052	1596	814f22a67e6d2046f532f973f197c649.exe	814f22a67e6d2046f532f973f197c649.exe
PID 1596 wrote to memory of 5052	1596	814f22a67e6d2046f532f973f197c649.exe	814f22a67e6d2046f532f973f197c649.exe
PID 1596 wrote to memory of 5052	1596	814f22a67e6d2046f532f973f197c649.exe	814f22a67e6d2046f532f973f197c649.exe
PID 1596 wrote to memory of 5052	1596	814f22a67e6d2046f532f973f197c649.exe	814f22a67e6d2046f532f973f197c649.exe
PID 1596 wrote to memory of 5052	1596	814f22a67e6d2046f532f973f197c649.exe	814f22a67e6d2046f532f973f197c649.exe
PID 1596 wrote to memory of 5052	1596	814f22a67e6d2046f532f973f197c649.exe	814f22a67e6d2046f532f973f197c649.exe
PID 1596 wrote to memory of 5052	1596	814f22a67e6d2046f532f973f197c649.exe	814f22a67e6d2046f532f973f197c649.exe
PID 1596 wrote to memory of 5052	1596	814f22a67e6d2046f532f973f197c649.exe	814f22a67e6d2046f532f973f197c649.exe

C:\Users\Admin\AppData\Local\Temp\814f22a67e6d2046f532f973f197c649.exe
"C:\Users\Admin\AppData\Local\Temp\814f22a67e6d2046f532f973f197c649.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596

C:\Users\Admin\AppData\Local\Temp\814f22a67e6d2046f532f973f197c649.exe
C:\Users\Admin\AppData\Local\Temp\814f22a67e6d2046f532f973f197c649.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5052

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1596-0-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/1596-1-0x0000000000B00000-0x0000000000D80000-memory.dmp

Filesize
2.5MB

Download
memory/1596-2-0x0000000005E00000-0x00000000063A4000-memory.dmp

Filesize
5.6MB

Download
memory/1596-3-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download
memory/1596-4-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/1596-5-0x0000000005810000-0x000000000581A000-memory.dmp

Filesize
40KB

Download
memory/1596-6-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/1596-7-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/1596-8-0x00000000072D0000-0x00000000074DA000-memory.dmp

Filesize
2.0MB

Download
memory/1596-9-0x0000000007560000-0x00000000075D6000-memory.dmp

Filesize
472KB

Download
memory/1596-10-0x0000000007F20000-0x0000000007F88000-memory.dmp

Filesize
416KB

Download
memory/1596-11-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-12-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-14-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-16-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-18-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-20-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-22-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-24-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-26-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-28-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-30-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-32-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-34-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-36-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-38-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-40-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-42-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-44-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-46-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-48-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-50-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-52-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-54-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-56-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-58-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-60-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-62-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-64-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-66-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-68-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-70-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-72-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-74-0x0000000007F20000-0x0000000007F82000-memory.dmp

Filesize
392KB

Download
memory/1596-1977-0x0000000008100000-0x000000000811E000-memory.dmp

Filesize
120KB

Download
memory/1596-1983-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/5052-1984-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/5052-1986-0x00000000747B0000-0x00000000747E9000-memory.dmp

Filesize
228KB

Download
memory/5052-1994-0x0000000074B30000-0x0000000074B69000-memory.dmp

Filesize
228KB

Download
memory/5052-1995-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/5052-1998-0x0000000074B30000-0x0000000074B69000-memory.dmp

Filesize
228KB

Download
memory/5052-2001-0x0000000074B30000-0x0000000074B69000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads