bitrat | 89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe
Size

451KB
MD5

0d34f2b095cbff0be00eb45758929907
SHA1

3fa3b5e296d49c4d8e6dfc5d4b775a48609aca78
SHA256

89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20
SHA512

6965e9d2c2b9a11bb428ba8ac47202b7d0d4aaf826f905fb0afee903b2ae4b85cec446b536721b84237aeeb08f03ff413a67c75c36ba78d85a6727831e7b6340
SSDEEP

6144:xpHC550+1KYQ2JRpK3SRgadBU9RwfqUKDPi5xo/nY:xpis+S2JRpK3SRgKQ/n

Score

10^/10

bitrat zgrat persistence rat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

103.153.182.247:6161

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
install_dir
Install path
install_file
Install name
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/4956-3-0x0000000005C60000-0x0000000006044000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-4-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-5-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-7-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-9-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-11-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-13-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-15-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-17-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-19-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-21-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-23-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-25-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-27-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-29-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-31-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-33-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-35-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-37-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-39-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-41-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-43-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-45-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-47-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-49-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-51-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-53-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-55-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-57-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-59-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-61-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-63-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-65-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4956-67-0x0000000005C60000-0x000000000603F000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables Discord URL observed in first stage droppers 1 IoCs

resource	yara_rule
behavioral2/memory/4956-0-0x0000000000780000-0x00000000007F6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bcesihxe.vbs	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Install name = "C:\\Users\\Admin\\AppData\\Local\\Install path\\Install name"	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
744	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe
744	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe
744	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe
744	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4956 set thread context of 744	4956	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe	108

Suspicious behavior: RenamesItself 4 IoCs

pid	Process
744	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe
744	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe
744	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe
744	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4956	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe
Token: SeDebugPrivilege	4956	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe
Token: SeShutdownPrivilege	744	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
744	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe
744	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 744	4956	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe	108
PID 4956 wrote to memory of 744	4956	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe	108
PID 4956 wrote to memory of 744	4956	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe	108
PID 4956 wrote to memory of 744	4956	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe	108
PID 4956 wrote to memory of 744	4956	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe	108
PID 4956 wrote to memory of 744	4956	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe	108
PID 4956 wrote to memory of 744	4956	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe	108
PID 4956 wrote to memory of 744	4956	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe	108
PID 4956 wrote to memory of 744	4956	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe	108
PID 4956 wrote to memory of 744	4956	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe	108
PID 4956 wrote to memory of 744	4956	89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe	108

C:\Users\Admin\AppData\Local\Temp\89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe
"C:\Users\Admin\AppData\Local\Temp\89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Users\Admin\AppData\Local\Temp\89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe
  "C:\Users\Admin\AppData\Local\Temp\89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3920 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:8
1⤵
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/744-4898-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/744-4909-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/744-4908-0x00000000750B0000-0x00000000750E9000-memory.dmp

Filesize
228KB

Download
memory/744-4900-0x0000000074D10000-0x0000000074D49000-memory.dmp

Filesize
228KB

Download
memory/4956-43-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-2-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/4956-7-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-47-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-11-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-13-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-15-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-17-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-19-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-21-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-23-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-25-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-27-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-29-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-31-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-33-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-35-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-51-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-39-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-41-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-0-0x0000000000780000-0x00000000007F6000-memory.dmp

Filesize
472KB

Download
memory/4956-45-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-9-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-5-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-37-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-53-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-55-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-57-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-59-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-61-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-63-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-65-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-67-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-1376-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/4956-1549-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/4956-4886-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/4956-4887-0x0000000007310000-0x0000000007530000-memory.dmp

Filesize
2.1MB

Download
memory/4956-4888-0x00000000010B0000-0x00000000010FC000-memory.dmp

Filesize
304KB

Download
memory/4956-4889-0x0000000007AE0000-0x0000000008084000-memory.dmp

Filesize
5.6MB

Download
memory/4956-4890-0x0000000001170000-0x00000000011C4000-memory.dmp

Filesize
336KB

Download
memory/4956-4897-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/4956-4-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-3-0x0000000005C60000-0x0000000006044000-memory.dmp

Filesize
3.9MB

Download
memory/4956-49-0x0000000005C60000-0x000000000603F000-memory.dmp

Filesize
3.9MB

Download
memory/4956-1-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads