Overview

overview

10

Static

static

3

aba32a475d...c0.exe

windows7-x64

10

aba32a475d...c0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28-02-2024 10:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aba32a475dcafdf4c6357205803e4cc0.exe

  • Size

    2.0MB

  • MD5

    aba32a475dcafdf4c6357205803e4cc0

  • SHA1

    0d063e81d9b4df0fcf358c24720457f9037cde06

  • SHA256

    704e26dbdebc8b3ad1391f5b9d671f8b9550609455821540151ff70e17bed798

  • SHA512

    04e55bff24005489988e54926afa9addc1b457881525ae1a1cf9a73f05928e7347f906959e1689019c73112c181f6f718118f7630ada8eadfa424bac918cad67

  • SSDEEP

    49152:6fZxU7wsypA6knAgog2u6Fw4teOQBOTe:6TJsyNGAGGekT

Score
10/10
bitratzgratrattrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

saptransmissions.dvrlists.com:8921

Attributes
  • communication_password

    41947ee373454b627c89985d019b597c

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aba32a475dcafdf4c6357205803e4cc0.exe
    "C:\Users\Admin\AppData\Local\Temp\aba32a475dcafdf4c6357205803e4cc0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection Bing.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2556
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Cjvdnberkfbwqwrpbjverv.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Adobe\Acrobat Reader DC.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:312
    • C:\Users\Admin\AppData\Local\Temp\aba32a475dcafdf4c6357205803e4cc0.exe
      C:\Users\Admin\AppData\Local\Temp\aba32a475dcafdf4c6357205803e4cc0.exe
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2004

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_Cjvdnberkfbwqwrpbjverv.vbs
    Filesize

    191B

    MD5

    729c1e5343a7864d2228d1e4032d3a2c

    SHA1

    0c8666d9318e7cf1acee41338ff89d99c90017e3

    SHA256

    49fcc716f77786e1f71f626ab49927ec5246dece2cb32a214279cd73bba5ee33

    SHA512

    f9aaa14c7d658bcd562a25aa0639a8082b3bf452607f99d4175996b6365b38fa133891b3afdbb8a24953ee7bbbc8ac766db0b820a689af2ca75ea4531de2b7f2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IMBQSCNQLKWINEMMEZTO.temp
    Filesize

    7KB

    MD5

    895e64c519e503d70751c87c6d0ea73d

    SHA1

    ad83762688eee69a67085f97eaec73803d106c94

    SHA256

    f6f78af09c42e60a5c3642fae062097c47d4b88be2e3d505b01226746ddac1fd

    SHA512

    efbe83e6edec905fdf3625f5d9d28a25ea007ade9eed09ca353f92bd0ce7de62ac4ddb1d9c5fda344a8a4bc5737ac466e7954b3a758433a2d148d18238fb525c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    6df5e8f201f6046dd5cac093510e3cb2

    SHA1

    fe1294c97056efcc1df94b096706b646527c1ac8

    SHA256

    b75b1f3fb59f8d78dc27dbbbc4e72972e297f43ae1d21fcf04cb17a53a69307d

    SHA512

    52d0052162212daa77f3789c168bda5d2fb7295d7a27dad1fd37db42bb9b2ed0f23d6a102021bd1199b37c14ffcd93511043f22e9cd53a8700aa2f991ebcaa33

    Download Submit

  • memory/312-2159-0x000000006FB90000-0x000000007013B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/312-2156-0x00000000023F0000-0x0000000002430000-memory.dmp

    Filesize

    256KB

    Download

  • memory/312-2155-0x00000000023F0000-0x0000000002430000-memory.dmp

    Filesize

    256KB

    Download

  • memory/312-2153-0x000000006FB90000-0x000000007013B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/312-2151-0x00000000023F0000-0x0000000002430000-memory.dmp

    Filesize

    256KB

    Download

  • memory/312-2150-0x000000006FB90000-0x000000007013B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2004-2168-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2004-2157-0x0000000000400000-0x00000000007E4000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2360-54-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-66-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-24-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-26-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-28-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-30-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-32-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-34-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-36-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-38-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-40-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-42-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-44-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-46-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-48-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-50-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-52-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-1-0x0000000074AE0000-0x00000000751CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2360-56-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-58-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-60-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-62-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-64-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-22-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-68-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-70-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-72-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-74-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-76-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-78-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-20-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-18-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-0-0x0000000001090000-0x0000000001296000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2360-16-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-15-0x0000000000470000-0x00000000004D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2360-14-0x0000000000470000-0x00000000004DC000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2360-13-0x0000000000F80000-0x0000000000FC0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2360-12-0x0000000074AE0000-0x00000000751CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2360-3-0x0000000005E20000-0x0000000005FCA000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2360-2158-0x0000000074AE0000-0x00000000751CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2360-2-0x0000000000F80000-0x0000000000FC0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2556-6-0x000000006FE40000-0x00000000703EB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2556-9-0x0000000002670000-0x00000000026B0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2556-8-0x0000000002670000-0x00000000026B0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2556-7-0x000000006FE40000-0x00000000703EB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2556-10-0x0000000002670000-0x00000000026B0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2556-11-0x000000006FE40000-0x00000000703EB000-memory.dmp

    Filesize

    5.7MB

    Download