Overview

overview

10

Static

static

3

Vnmzbixzwq.exe

windows7-x64

10

Vnmzbixzwq.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-01-2024 12:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Vnmzbixzwq.exe

  • Size

    124KB

  • MD5

    05b706072a3225cae1d0672917b5116e

  • SHA1

    e7af9b2fbb08636397fdccf414f451104ea6d87c

  • SHA256

    ff013e2b5329423fcd88fd3c161eef481832e9dc19fdfa504539528452945967

  • SHA512

    d5147d93ec3b80c0cfd49afad941097404a8d57c3863e283fe1fa83d42feee30885848cb0bd6093eb4a185b4da8f39e731f27c566aed9ccbb897d1b5abdf4afb

  • SSDEEP

    1536:aXA2oc074SBpgzZpJNqZxR4JQz25CxgkLC1no8OgbcRvFc1lxyyp85hwexlf64gJ:sipgVZEx+Jaxvu1no8OgbcRq1lx9Ua

Score
10/10
bitratzgratpersistencerattrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

103.153.182.89:1234

Attributes
  • communication_password

    81dc9bdb52d04dc20036dbd8313ed055

  • install_dir

    Install path

  • install_file

    Install name

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Vnmzbixzwq.exe
    "C:\Users\Admin\AppData\Local\Temp\Vnmzbixzwq.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:964
    • C:\Users\Admin\AppData\Local\Temp\Vnmzbixzwq.exe
      C:\Users\Admin\AppData\Local\Temp\Vnmzbixzwq.exe
      2⤵
        PID:3012
      • C:\Users\Admin\AppData\Local\Temp\Vnmzbixzwq.exe
        C:\Users\Admin\AppData\Local\Temp\Vnmzbixzwq.exe
        2⤵
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4028
      • C:\Users\Admin\AppData\Local\Temp\Vnmzbixzwq.exe
        C:\Users\Admin\AppData\Local\Temp\Vnmzbixzwq.exe
        2⤵
          PID:4568
        • C:\Users\Admin\AppData\Local\Temp\Vnmzbixzwq.exe
          C:\Users\Admin\AppData\Local\Temp\Vnmzbixzwq.exe
          2⤵
            PID:4744
          • C:\Users\Admin\AppData\Local\Temp\Vnmzbixzwq.exe
            C:\Users\Admin\AppData\Local\Temp\Vnmzbixzwq.exe
            2⤵
              PID:3356

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/964-0-0x00000000007D0000-0x00000000007F6000-memory.dmp
            Filesize

            152KB

            Download
          • memory/964-1-0x0000000074B80000-0x0000000075330000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/964-2-0x0000000002D30000-0x0000000002D40000-memory.dmp
            Filesize

            64KB

            Download
          • memory/964-3-0x0000000005B50000-0x0000000005DB0000-memory.dmp
            Filesize

            2.4MB

            Download
          • memory/964-5-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-4-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-7-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-9-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-11-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-15-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-17-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-13-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-19-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-23-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-21-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-25-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-29-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-27-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-31-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-33-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-37-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-35-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-39-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-41-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-43-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-45-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-49-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-51-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-53-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-47-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-57-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-59-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-61-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-63-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-55-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-67-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-65-0x0000000005B50000-0x0000000005DA9000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/964-936-0x0000000002D20000-0x0000000002D21000-memory.dmp
            Filesize

            4KB

            Download
          • memory/964-938-0x0000000002AB0000-0x0000000002AFC000-memory.dmp
            Filesize

            304KB

            Download
          • memory/964-937-0x0000000007270000-0x0000000007466000-memory.dmp
            Filesize

            2.0MB

            Download
          • memory/964-939-0x0000000074B80000-0x0000000075330000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/964-940-0x0000000002D30000-0x0000000002D40000-memory.dmp
            Filesize

            64KB

            Download
          • memory/964-941-0x0000000007A20000-0x0000000007FC4000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/964-949-0x0000000074B80000-0x0000000075330000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/4028-948-0x0000000000400000-0x00000000007CE000-memory.dmp
            Filesize

            3.8MB

            Download
          • memory/4028-951-0x0000000074A90000-0x0000000074AC9000-memory.dmp
            Filesize

            228KB

            Download
          • memory/4028-959-0x0000000074E30000-0x0000000074E69000-memory.dmp
            Filesize

            228KB

            Download
          • memory/4028-971-0x0000000000400000-0x00000000007CE000-memory.dmp
            Filesize

            3.8MB

            Download