44caliber | c78c65574f46075aad9b0bdd6a93cae108cf0d07fa6c906d171d27699081ee4c

General

Target

4f552083461474d9a151b2ce139638b2.exe
Size

567KB
MD5

4f552083461474d9a151b2ce139638b2
SHA1

873a43d7253c0efc388048904bb72c37d5e0abaf
SHA256

c78c65574f46075aad9b0bdd6a93cae108cf0d07fa6c906d171d27699081ee4c
SHA512

4d454aee96622e9ddb57dbb6a8f965ea7830d57c136823a90e9c9307c75659791b7868142e2923e6be8b3dee3511e2dbad3d3c83422192d39189aabb42df779d
SSDEEP

12288:IXXy/9Gg3/MJBiotluv8/8gSHJ0iIKQR31h9szxj4B:qLg3/rB8/PSUbRlhck

Score

10^/10

44caliber zgrat rat spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/files/0x001000000000b1f5-14.dat	family_zgrat_v1
behavioral1/files/0x001000000000b1f5-15.dat	family_zgrat_v1
behavioral1/memory/1604-16-0x00000000001E0000-0x0000000000298000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 2 IoCs

pid	Process
1548	CookieViewer.exe
1604	Viewer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	freegeoip.app
2	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Viewer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Viewer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1604	Viewer.exe
1604	Viewer.exe
1604	Viewer.exe
1604	Viewer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	4f552083461474d9a151b2ce139638b2.exe
Token: SeDebugPrivilege	1604	Viewer.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 1548	2872	4f552083461474d9a151b2ce139638b2.exe	27
PID 2872 wrote to memory of 1548	2872	4f552083461474d9a151b2ce139638b2.exe	27
PID 2872 wrote to memory of 1548	2872	4f552083461474d9a151b2ce139638b2.exe	27
PID 2872 wrote to memory of 1548	2872	4f552083461474d9a151b2ce139638b2.exe	27
PID 2872 wrote to memory of 1604	2872	4f552083461474d9a151b2ce139638b2.exe	28
PID 2872 wrote to memory of 1604	2872	4f552083461474d9a151b2ce139638b2.exe	28
PID 2872 wrote to memory of 1604	2872	4f552083461474d9a151b2ce139638b2.exe	28

C:\Users\Admin\AppData\Local\Temp\4f552083461474d9a151b2ce139638b2.exe
"C:\Users\Admin\AppData\Local\Temp\4f552083461474d9a151b2ce139638b2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\CookieViewer.exe
  "C:\Users\Admin\AppData\Local\Temp\CookieViewer.exe"
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Users\Admin\AppData\Local\Temp\Viewer.exe
  "C:\Users\Admin\AppData\Local\Temp\Viewer.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
346B

MD5
5096b886b530807c3a114d38035e3951

SHA1
3788d984f4bf32d894465983d39681267b0a2d72

SHA256
f034b7bd1214cf2c6158702bf22cdd4e1ad440995b00fc09e6b5323fd410c944

SHA512
b1cfa4038f909500771203e8c279fdd5f5a81bec8b6618de9e857f66f452ab072899de33185a2db2093157994f87fbfbc84da37a59dd1f9b5f0ccab3fe557bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CookieViewer.exe

Filesize
587KB

MD5
a92c0af180f49d98d7c82e59ed0f580c

SHA1
0c0ad8a98a6766ce871bf4f9a0785ae2e1d59085

SHA256
e207ed5fcf6e7f2f9d69ccc382285ef32e347b5d97e2b9607067f3ae5bcb71da

SHA512
324e8043ce70e5f49c16e2ca5e24cc2c6e7f3486076ef53148964b66d9b4f7d793cc4c3fa5a28ca170ff6bf6b4de5e748bd7e7df177f0f643c473e58eec9087c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CookieViewer.exe

Filesize
136KB

MD5
1d4402e95dc5fef99a31da419df166c5

SHA1
312d511720a6a572e345f0e538ef5a88a48613e1

SHA256
442672cd127ef15ef2b041df316be6ea97ce6a102e9ea61d4e0f6b0de7d8a2a9

SHA512
bff74be1dcccf50a2d3ee916a54462f1676c7f0a41e73ecdfb8a997f77ba8b0feb329570d37fc6f1b806f4813422393b8da61753cde87505bcfea0a36ae92e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Viewer.exe

Filesize
96KB

MD5
238c65d6b1f9234d7c250809f8e95a81

SHA1
34b5679ff888b0e78033471839df87df1ee5f980

SHA256
977faf9890fcd46cfacf299827c4da496a74efdf6d65ca8ca79ff69b49a0adb8

SHA512
4583790a1bc84f78646465ff676bfcab85071a54e47b85728450558bd7782062e328485401a26e39cf41569bbb1d873a05c600b6bcf53eae8fd4f678d94f3080

Download Submit
C:\Users\Admin\AppData\Local\Temp\Viewer.exe

Filesize
220KB

MD5
eff79d978b83a641ac6be097cdacc1e0

SHA1
0a99dbaeaf3bcef8eddc485215caca100bfb8f17

SHA256
e32b6578ad59c5d1e59166aa46672f91bf674303e103eed7335592f00df6a250

SHA512
7377ad8e4958ce7867205af26e2a0616f01ee57e38865ec600f1ed6a60932022992a157fa3503c1a4b4f6e88402de97303c66079ac50ff095c92dc79604e9d56

Download Submit
memory/1604-17-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/1604-16-0x00000000001E0000-0x0000000000298000-memory.dmp

Filesize
736KB

Download
memory/1604-18-0x000000001B1B0000-0x000000001B230000-memory.dmp

Filesize
512KB

Download
memory/1604-36-0x000000001B1B0000-0x000000001B230000-memory.dmp

Filesize
512KB

Download
memory/1604-66-0x000000001B1B0000-0x000000001B230000-memory.dmp

Filesize
512KB

Download
memory/1604-67-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2872-0-0x0000000001030000-0x00000000010C2000-memory.dmp

Filesize
584KB

Download
memory/2872-2-0x0000000000F30000-0x0000000000FB0000-memory.dmp

Filesize
512KB

Download
memory/2872-3-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2872-1-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/2872-64-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing