Overview

overview

10

Static

static

10

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Resubmissions

02-11-2023 07:46

231102-jl2cksba89 10

02-11-2023 04:52

231102-fhl7pshg66 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    93c9a22d4c887be2f5558aa1fc8a809ef03549cc6a3241ee8fccae1f199ac0e5

  • Size

    4.1MB

  • Sample

    231102-fhl7pshg66

  • MD5

    ca4b4a453bd6ce61fb70cc8ec70aad4b

  • SHA1

    7c13390a6a6f8fd3232b7f4348fc631c32713301

  • SHA256

    93c9a22d4c887be2f5558aa1fc8a809ef03549cc6a3241ee8fccae1f199ac0e5

  • SHA512

    35d83f0a1defce25b71a24fed773905a84d9c479fb749e049ddf532c3a3b637de1ba7cd39fb01fa8a732aced416ec3ad80f494629e515e3f7acbb493bd3d3675

  • SSDEEP

    49152:bBtjBhz6OfiQc66RTsS01TEhZ1ApkmBJEzOwcsOfkCVVIEhSuDG0fdmO:FhzjfhlbTEhLYECwcZs+VhhS6fcO

Score
10/10
loaderbotxmrigzgratevasionloaderminerpersistenceratspywarethemidatrojan

Malware Config

Targets

    • Target

      93c9a22d4c887be2f5558aa1fc8a809ef03549cc6a3241ee8fccae1f199ac0e5

    • Size

      4.1MB

    • MD5

      ca4b4a453bd6ce61fb70cc8ec70aad4b

    • SHA1

      7c13390a6a6f8fd3232b7f4348fc631c32713301

    • SHA256

      93c9a22d4c887be2f5558aa1fc8a809ef03549cc6a3241ee8fccae1f199ac0e5

    • SHA512

      35d83f0a1defce25b71a24fed773905a84d9c479fb749e049ddf532c3a3b637de1ba7cd39fb01fa8a732aced416ec3ad80f494629e515e3f7acbb493bd3d3675

    • SSDEEP

      49152:bBtjBhz6OfiQc66RTsS01TEhZ1ApkmBJEzOwcsOfkCVVIEhSuDG0fdmO:FhzjfhlbTEhLYECwcZs+VhhS6fcO

    Score
    10/10
    loaderbotxmrigzgratevasionloaderminerpersistenceratspywarethemidatrojan

    • Detect ZGRat V1

    • Detects DLL dropped by Raspberry Robin.

      Raspberry Robin.

    • LoaderBot

      LoaderBot is a loader written in .NET downloading and executing miners.

      loaderminerloaderbot

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • LoaderBot executable

    • XMRig Miner payload

      miner

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks