General

  • Target

    BLTools v2.6.3.rar

  • Size

    6.1MB

  • Sample

    231102-bm9rcagf63

  • MD5

    e3807ed817e2a1a4d1ad2ccb9fd6e39e

  • SHA1

    bca011cd007b247f4d107fed1777942e076ad784

  • SHA256

    b2accf729dd4928e065fd7cdf3e696465e295a569d81af9f1b078d37bb4099d4

  • SHA512

    18f0aaeb1ffdb708c0507c0c3571ee6307278dbc9baf63ab75e431969917996de31b922ac1eef13b28eda2a0727a84f1602587c831a9eb583510b26ea16b0404

  • SSDEEP

    98304:KjQPD6aQUiyAOmXzZbwidTzgralcS5tKNC/lpFeE37OdsP8oXepT8xFbn:r07yAVdfLu2tKNilTeErys1j3

Malware Config

Targets

    • Target

      BLTools v2.6.3_[Crack].exe

    • Size

      6.3MB

    • MD5

      27d6c103163348dab89ff03091daade6

    • SHA1

      bd946b171afb0dd378fc3ea668cdd691d7bd2672

    • SHA256

      24df47d2e8b3732294de5f175ee361f5b2c0859d724791a74cca34b3eb80588b

    • SHA512

      d12184b0f110fcff606e5356eabf0715cc88ccf448fe2d69e1b977c26688fa7d10bacae787e2aaee5d1cd8eca9f9bc1d8284ad05a145b935cccab3afa7ea88a1

    • SSDEEP

      49152:JF1Wtjn25xEpRMreMhlF3t9hOovMz80Xll2J9PPRy49Ap4YwbwtmyHlWQ8+3yHl2:Jc23pnhZMgKll2zPU49Ap4YwbwNyj

    Score
    10/10
    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Drops file in Drivers directory

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      CookiesCreator v1.2.exe

    • Size

      3.3MB

    • MD5

      30c33f45545b68bd1e0d7ec79a090883

    • SHA1

      086e1fadee4a61091250dedb616785c73b50950c

    • SHA256

      4e95226cce6e17fdc39f3a5f9050720d7848bb34ce2df72e63c878235c5be630

    • SHA512

      d76e6d64147d185a07b819cc9fe26daa1c1ae72af6a01b5467ae0b7f07239a8c0edc0c9066fff22c08241025909b492af9cc1f4e3d0eb136a54ee3b7a0d5a6f4

    • SSDEEP

      49152:14AQHxRXGKijAKG+TAdrdBpNIty0YwIs349UnzIYua0+v8li9IiFqVsf/z452nZ5:1lAnrVKGNhdBEIs3IuUw085qKf/z45

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

      Reads the EnableLUA value under the Policies\System key, the setting that controls User Account Control.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger class (0x11), which stops the thread from delivering debug events to an attached debugger; a common anti-debugging step.
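
The behaviour signatures listed for the two targets above are the kind of rules a sandbox evaluates over a process's API trace. As an added illustration (this is not Triage's rule code, and the JSON-lines event shape, the API names each rule keys on, and the set of IP-lookup hosts are assumptions), the Python below encodes those signatures and runs them over a constructed trace in which one process behaves like the BLTools executable and the other like CookiesCreator. The registry paths and the ThreadHideFromDebugger class value are the real ones.

```python
"""Match a JSON-lines API trace against the behaviour signatures in the report.

Added example. The event format (one JSON object per line with "image", "api"
and an argument such as "key", "path", "host" or "info_class") is a constructed
simplification of what a sandbox emits, not Triage's own output.
"""
import json
import re
from typing import Callable, Dict, List, Set, Tuple

# ThreadInformationClass value for ThreadHideFromDebugger in ntdll!NtSetInformationThread.
THREAD_HIDE_FROM_DEBUGGER = 0x11

# Hosts treated as "legitimate IP lookup services". Assumed list for this example.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com",
                   "checkip.dyndns.org", "ipinfo.io"}

# API names each rule family keys on (assumed; a real trace has many more).
REGISTRY_APIS = {"RegOpenKeyExW", "RegQueryValueExW", "NtOpenKey", "NtQueryValueKey"}
FILE_WRITE_APIS = {"NtCreateFile", "CreateFileW", "NtWriteFile", "CopyFileW"}
NET_APIS = {"getaddrinfo", "InternetOpenUrlW", "WinHttpConnect"}


def registry_rule(pattern: str) -> Callable[[dict], bool]:
    """Predicate that fires when a registry API touches a key path matching
    `pattern` (case-insensitive search over the full path)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda ev: ev.get("api") in REGISTRY_APIS and bool(rx.search(ev.get("key", "")))


def is_driver_drop(ev: dict) -> bool:
    """File created or written under %SystemRoot%\\System32\\drivers."""
    return (ev.get("api") in FILE_WRITE_APIS
            and re.search(r"\\Windows\\System32\\drivers\\", ev.get("path", ""), re.IGNORECASE) is not None)


def is_ip_lookup(ev: dict) -> bool:
    """Network activity towards a known public-IP lookup host."""
    return ev.get("api") in NET_APIS and ev.get("host", "").lower() in IP_LOOKUP_HOSTS


def is_hide_from_debugger(ev: dict) -> bool:
    """NtSetInformationThread with ThreadHideFromDebugger (0x11)."""
    return ev.get("api") == "NtSetInformationThread" and ev.get("info_class") == THREAD_HIDE_FROM_DEBUGGER


# Rule names mirror the report's signature names.
RULES: List[Tuple[str, Callable[[dict], bool]]] = [
    ("Checks computer location settings",
     registry_rule(r"\\Control Panel\\International\\Geo\\Nation$")),
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)",
     registry_rule(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__")),
    ("Checks BIOS information in registry",
     registry_rule(r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|SystemBiosDate|VideoBiosVersion)$")),
    ("Checks whether UAC is enabled",
     registry_rule(r"\\Policies\\System\\EnableLUA$")),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger", is_hide_from_debugger),
    ("Looks up external IP address via web service", is_ip_lookup),
    ("Drops file in Drivers directory", is_driver_drop),
]

# Constructed trace: two processes, one per target named in the report.
TRACE = r"""
{"image": "BLTools v2.6.3_[Crack].exe", "api": "RegQueryValueExW", "key": "HKEY_CURRENT_USER\\Control Panel\\International\\Geo\\Nation"}
{"image": "BLTools v2.6.3_[Crack].exe", "api": "getaddrinfo", "host": "api.ipify.org"}
{"image": "BLTools v2.6.3_[Crack].exe", "api": "NtCreateFile", "path": "C:\\Windows\\System32\\drivers\\etc\\hosts"}
{"image": "CookiesCreator v1.2.exe", "api": "RegOpenKeyExW", "key": "HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__"}
{"image": "CookiesCreator v1.2.exe", "api": "RegQueryValueExW", "key": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion"}
{"image": "CookiesCreator v1.2.exe", "api": "RegQueryValueExW", "key": "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion"}
{"image": "CookiesCreator v1.2.exe", "api": "RegQueryValueExW", "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"}
{"image": "CookiesCreator v1.2.exe", "api": "NtSetInformationThread", "info_class": 17}
{"image": "CookiesCreator v1.2.exe", "api": "NtSetInformationThread", "info_class": 2}
{"image": "CookiesCreator v1.2.exe", "api": "RegQueryValueExW", "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName"}
"""


def scan_trace(text: str) -> Dict[str, List[str]]:
    """Return {signature name: sorted list of process images that triggered it}.
    Blank or non-JSON lines are skipped rather than aborting the scan."""
    hits: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        for name, pred in RULES:
            if pred(ev):
                hits.setdefault(name, set()).add(ev.get("image", "<unknown>"))
    return {name: sorted(images) for name, images in hits.items()}


if __name__ == "__main__":
    for name, images in scan_trace(TRACE).items():
        print(f"{name}: {', '.join(images)}")
```

Each rule keys on the argument that actually distinguishes the behaviour (key path, file path, host, or information class) rather than on the API name alone, so a benign NtSetInformationThread call with another class does not fire the anti-debug rule.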

MITRE ATT&CK Enterprise v15

Tasks