Overview

overview

10

Static

static

3

063f5ca54c...3f.exe

windows7-x64

10

063f5ca54c...3f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    64s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-12-2023 04:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    063f5ca54ca7abd4d74a16b9bfa7083f.exe

  • Size

    468KB

  • MD5

    063f5ca54ca7abd4d74a16b9bfa7083f

  • SHA1

    75043ba263fdcbc5581eae2b8de080776a8f0058

  • SHA256

    4f54be824a67f26e4efd110706d90d95989e2aabc10584a1c5dff911dd653d03

  • SHA512

    ce667cf8ef3a90a935382d292d7810e74da343a70497d21d7041d8a90308f8ff2e611ea37c68353b0749f2b36e4feb6a7e3097ce48e3e689d00360fe51c5197a

  • SSDEEP

    12288:O3Na9imfQu7Lv2mUHQ7fJa4ofNNUckb7/:O3NUimfhSc7fPLcc/

Score
10/10
snakekeyloggerzgratkeyloggerpersistenceratstealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Signatures

  • Detect ZGRat V1 34 IoCs
  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\063f5ca54ca7abd4d74a16b9bfa7083f.exe
    "C:\Users\Admin\AppData\Local\Temp\063f5ca54ca7abd4d74a16b9bfa7083f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Users\Admin\AppData\Local\Temp\063f5ca54ca7abd4d74a16b9bfa7083f.exe
      C:\Users\Admin\AppData\Local\Temp\063f5ca54ca7abd4d74a16b9bfa7083f.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4300
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 1792
        3⤵
        • Program crash
        PID:3364
    • C:\Users\Admin\AppData\Local\Temp\063f5ca54ca7abd4d74a16b9bfa7083f.exe
      C:\Users\Admin\AppData\Local\Temp\063f5ca54ca7abd4d74a16b9bfa7083f.exe
      2⤵
        PID:2244
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4300 -ip 4300
      1⤵
        PID:2304

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\063f5ca54ca7abd4d74a16b9bfa7083f.exe.log
        Filesize

        1KB

        MD5

        7ebe314bf617dc3e48b995a6c352740c

        SHA1

        538f643b7b30f9231a3035c448607f767527a870

        SHA256

        48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

        SHA512

        0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

        Download Submit

      • memory/3672-0-0x00000000007C0000-0x000000000083A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/3672-1-0x00000000748C0000-0x0000000075070000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3672-3-0x0000000005240000-0x00000000052D2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3672-2-0x0000000005910000-0x0000000005EB4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3672-5-0x00000000052E0000-0x00000000052EA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3672-4-0x0000000005480000-0x0000000005490000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3672-6-0x00000000748C0000-0x0000000075070000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3672-7-0x0000000006430000-0x0000000006484000-memory.dmp

        Filesize

        336KB

        Download

      • memory/3672-8-0x00000000068B0000-0x000000000692E000-memory.dmp

        Filesize

        504KB

        Download

      • memory/3672-28-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-40-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-38-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-60-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-72-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-70-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-68-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-66-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-64-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-62-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-58-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-56-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-54-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-52-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-50-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-48-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-46-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-44-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-42-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-435-0x0000000005480000-0x0000000005490000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3672-36-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-34-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-32-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-30-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-26-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-24-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-22-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-20-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-18-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-16-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-14-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-12-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-10-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-9-0x00000000068B0000-0x0000000006929000-memory.dmp

        Filesize

        484KB

        Download

      • memory/3672-2409-0x00000000748C0000-0x0000000075070000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4300-2408-0x0000000000400000-0x0000000000422000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4300-2412-0x0000000003200000-0x0000000003210000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4300-2411-0x00000000748C0000-0x0000000075070000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4300-2410-0x0000000005690000-0x000000000572C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4300-2413-0x00000000748C0000-0x0000000075070000-memory.dmp

        Filesize

        7.7MB

        Download