Overview

overview

10

Static

static

3

Exmip.exe

windows7-x64

10

Exmip.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-02-2024 12:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Exmip.exe

  • Size

    303KB

  • MD5

    05c5742158cb40afe07e715fb171adcf

  • SHA1

    3ed365cd79b36a6ca50a5d45f4c210b4b6f027d4

  • SHA256

    6e89b0c8f8078991887ba81a7e60b561b71170bef3a2440e3932d6b5293d0a07

  • SHA512

    646b3bfc0340b3372a0aee475cbad92ce44666958bb6e546b8dbc1e12a38ac9fc691bff6225e10a7ada6392067d31c0608929a92f7296b99ec37b3c276f08ce4

  • SSDEEP

    6144:7w1zfkC0CDpPIQuvryFS3Ltp4mZnOous7U4UUU3UUUs9rOA:7wxfkCPKQuToS3zZnBuiU4UUU3UUUca

Score
10/10
bitratzgratpersistencerattrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

103.153.182.247:6161

Attributes
  • communication_password

    81dc9bdb52d04dc20036dbd8313ed055

  • install_dir

    Install path

  • install_file

    Install name

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Exmip.exe
    "C:\Users\Admin\AppData\Local\Temp\Exmip.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4888
    • C:\Users\Admin\AppData\Local\Temp\Exmip.exe
      C:\Users\Admin\AppData\Local\Temp\Exmip.exe
      2⤵
        PID:1072
      • C:\Users\Admin\AppData\Local\Temp\Exmip.exe
        C:\Users\Admin\AppData\Local\Temp\Exmip.exe
        2⤵
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1368
      • C:\Users\Admin\AppData\Local\Temp\Exmip.exe
        C:\Users\Admin\AppData\Local\Temp\Exmip.exe
        2⤵
          PID:4928
        • C:\Users\Admin\AppData\Local\Temp\Exmip.exe
          C:\Users\Admin\AppData\Local\Temp\Exmip.exe
          2⤵
            PID:560
          • C:\Users\Admin\AppData\Local\Temp\Exmip.exe
            C:\Users\Admin\AppData\Local\Temp\Exmip.exe
            2⤵
              PID:5028

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1368-1133-0x0000000000400000-0x00000000007CE000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/1368-1135-0x0000000075130000-0x0000000075169000-memory.dmp

            Filesize

            228KB

            Download

          • memory/4888-41-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-2-0x0000000005670000-0x0000000005680000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4888-4-0x0000000006810000-0x0000000006E28000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/4888-5-0x0000000006360000-0x000000000646A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/4888-6-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-7-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-9-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-11-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-13-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-15-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-17-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-19-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-21-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-23-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-25-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-27-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-0-0x0000000000BE0000-0x0000000000C32000-memory.dmp

            Filesize

            328KB

            Download

          • memory/4888-31-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-33-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-35-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-37-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-39-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-45-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-3-0x0000000005F80000-0x00000000061EE000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-29-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-47-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-49-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-51-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-53-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-55-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-57-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-59-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-61-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-63-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-65-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-67-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-69-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-1120-0x0000000006290000-0x0000000006291000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4888-1121-0x0000000007FC0000-0x00000000081B6000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/4888-1122-0x0000000003070000-0x00000000030BC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/4888-1123-0x0000000075220000-0x00000000759D0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4888-1124-0x0000000005670000-0x0000000005680000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4888-1125-0x0000000007570000-0x0000000007B14000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/4888-1132-0x0000000075220000-0x00000000759D0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4888-43-0x0000000005F80000-0x00000000061E7000-memory.dmp

            Filesize

            2.4MB

            Download

          • memory/4888-1-0x0000000075220000-0x00000000759D0000-memory.dmp

            Filesize

            7.7MB

            Download