Overview

overview

10

Static

static

3

Cvdnacb.exe

windows7-x64

1

Cvdnacb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-02-2024 12:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Cvdnacb.exe

  • Size

    23KB

  • MD5

    50e198816a25e6ceeaf4174413b7d1b3

  • SHA1

    5509191f320424402266c02b9b6352aea32638f7

  • SHA256

    748d3b47d1498c7bbf2205b98e8ed577f95872d980ac06baee0426d1c8b166ed

  • SHA512

    c7149694fdbe892ebd8345970f848c0a54de294792b802dcd262c2e9370a4936dde56cd3184a0269377c9c9ee8c8bef62ae2526842ee1caf84696b64eb08f853

  • SSDEEP

    384:M86Fw68yQDd5DY/5i49Rtj1sgw2bCoTBPmrQSpb+5S/2vHvrPQ:4vkITztmgXdST0PrPQ

Score
10/10
bitratzgratpersistencerattrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

103.153.182.247:6161

Attributes
  • communication_password

    81dc9bdb52d04dc20036dbd8313ed055

  • install_dir

    Install path

  • install_file

    Install name

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: RenamesItself 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Cvdnacb.exe
    "C:\Users\Admin\AppData\Local\Temp\Cvdnacb.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1228
    • C:\Users\Admin\AppData\Local\Temp\Cvdnacb.exe
      C:\Users\Admin\AppData\Local\Temp\Cvdnacb.exe
      2⤵
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4152

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1228-0-0x0000000000E80000-0x0000000000E8C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1228-1-0x0000000074A30000-0x00000000751E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1228-2-0x00000000033D0000-0x00000000033E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1228-3-0x0000000006200000-0x000000000646E000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-4-0x0000000006A90000-0x00000000070A8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1228-5-0x00000000065C0000-0x00000000066CA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1228-6-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-7-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-9-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-11-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-15-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-13-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-21-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-25-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-23-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-29-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-27-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-19-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-17-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-31-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-33-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-37-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-39-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-41-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-35-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-45-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-43-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-49-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-47-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-51-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-55-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-59-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-57-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-53-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-61-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-63-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-65-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-67-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-69-0x0000000006200000-0x0000000006467000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1228-1120-0x00000000064F0000-0x00000000064F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1228-1121-0x00000000081D0000-0x00000000083C6000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1228-1122-0x00000000019C0000-0x0000000001A0C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1228-1123-0x0000000074A30000-0x00000000751E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1228-1124-0x00000000033D0000-0x00000000033E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1228-1125-0x00000000071D0000-0x0000000007774000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1228-1131-0x0000000074A30000-0x00000000751E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4152-1133-0x0000000000400000-0x00000000007CE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4152-1135-0x0000000074940000-0x0000000074979000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4152-1143-0x0000000074CE0000-0x0000000074D19000-memory.dmp

    Filesize

    228KB

    Download