Overview

overview

10

Static

static

3

814f22a67e...49.exe

windows7-x64

10

814f22a67e...49.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-01-2024 00:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    814f22a67e6d2046f532f973f197c649.exe

  • Size

    2.5MB

  • MD5

    814f22a67e6d2046f532f973f197c649

  • SHA1

    049bdddb3349ecf80c079a38297ee442190a38ad

  • SHA256

    c2e1450509092251b7376c9d4acd0636b41c19060591c0ef6c3bb58ab7e49ee0

  • SHA512

    696315f90cefdec65e8c2a4ca2d8f9b79fc4dce5f0bf186dd50bca398c5e9f9ea435232de639a3847460ce4331d85535a433ce7c07518977b2931ffcee6f326b

  • SSDEEP

    49152:R6XZx5c96civqfPao3Hwa1VDhkYKt457bjG48GrbcE+SER:R6pxepiuR3Kt4Ra4N+1

Score
10/10
bitratzgratpersistencerattrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

179.43.141.103:1234

Attributes
  • communication_password

    dc647eb65e6711e155375218212b3964

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\814f22a67e6d2046f532f973f197c649.exe
    "C:\Users\Admin\AppData\Local\Temp\814f22a67e6d2046f532f973f197c649.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Users\Admin\AppData\Local\Temp\814f22a67e6d2046f532f973f197c649.exe
      C:\Users\Admin\AppData\Local\Temp\814f22a67e6d2046f532f973f197c649.exe
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:5052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1596-0-0x00000000748A0000-0x0000000075050000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1596-1-0x0000000000B00000-0x0000000000D80000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1596-2-0x0000000005E00000-0x00000000063A4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1596-3-0x0000000005770000-0x0000000005802000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1596-4-0x0000000005990000-0x00000000059A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1596-5-0x0000000005810000-0x000000000581A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1596-6-0x00000000748A0000-0x0000000075050000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1596-7-0x0000000005990000-0x00000000059A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1596-8-0x00000000072D0000-0x00000000074DA000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1596-9-0x0000000007560000-0x00000000075D6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1596-10-0x0000000007F20000-0x0000000007F88000-memory.dmp

    Filesize

    416KB

    Download

  • memory/1596-11-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-12-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-14-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-16-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-18-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-20-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-22-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-24-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-26-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-28-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-30-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-32-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-34-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-36-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-38-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-40-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-42-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-44-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-46-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-48-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-50-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-52-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-54-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-56-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-58-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-60-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-62-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-64-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-66-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-68-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-70-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-72-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-74-0x0000000007F20000-0x0000000007F82000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1596-1977-0x0000000008100000-0x000000000811E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1596-1983-0x00000000748A0000-0x0000000075050000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5052-1984-0x0000000000400000-0x00000000007CE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/5052-1986-0x00000000747B0000-0x00000000747E9000-memory.dmp

    Filesize

    228KB

    Download

  • memory/5052-1994-0x0000000074B30000-0x0000000074B69000-memory.dmp

    Filesize

    228KB

    Download

  • memory/5052-1995-0x0000000000400000-0x00000000007CE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/5052-1998-0x0000000074B30000-0x0000000074B69000-memory.dmp

    Filesize

    228KB

    Download

  • memory/5052-2001-0x0000000074B30000-0x0000000074B69000-memory.dmp

    Filesize

    228KB

    Download