Overview

overview

10

Static

static

3

4f55208346...b2.exe

windows7-x64

10

4f55208346...b2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-12-2023 03:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f552083461474d9a151b2ce139638b2.exe

  • Size

    567KB

  • MD5

    4f552083461474d9a151b2ce139638b2

  • SHA1

    873a43d7253c0efc388048904bb72c37d5e0abaf

  • SHA256

    c78c65574f46075aad9b0bdd6a93cae108cf0d07fa6c906d171d27699081ee4c

  • SHA512

    4d454aee96622e9ddb57dbb6a8f965ea7830d57c136823a90e9c9307c75659791b7868142e2923e6be8b3dee3511e2dbad3d3c83422192d39189aabb42df779d

  • SSDEEP

    12288:IXXy/9Gg3/MJBiotluv8/8gSHJ0iIKQR31h9szxj4B:qLg3/rB8/PSUbRlhck

Score
10/10
44caliberzgratratspywarestealer

Malware Config

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Detect ZGRat V1 4 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f552083461474d9a151b2ce139638b2.exe
    "C:\Users\Admin\AppData\Local\Temp\4f552083461474d9a151b2ce139638b2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5108
    • C:\Users\Admin\AppData\Local\Temp\CookieViewer.exe
      "C:\Users\Admin\AppData\Local\Temp\CookieViewer.exe"
      2⤵
      • Executes dropped EXE
      PID:2440
    • C:\Users\Admin\AppData\Local\Temp\Viewer.exe
      "C:\Users\Admin\AppData\Local\Temp\Viewer.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CookieViewer.exe
    Filesize

    92KB

    MD5

    3d90cdedd6d72eca5e05150475201f17

    SHA1

    f80116e7479f04fc333767fc42bf0b3ca4a8789c

    SHA256

    8bdddc8a0c986be3f73a3fc00b26186e39996664545bacf4e140e9c572fa1b11

    SHA512

    cd092f91c584fc8c63e7231da1938668873804fb7a4ef7182aa6345f1729f364670c31915988c85839e0bebacafc90ef5b4b7e4b5a816cfacdfb925f997639c8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CookieViewer.exe
    Filesize

    587KB

    MD5

    a92c0af180f49d98d7c82e59ed0f580c

    SHA1

    0c0ad8a98a6766ce871bf4f9a0785ae2e1d59085

    SHA256

    e207ed5fcf6e7f2f9d69ccc382285ef32e347b5d97e2b9607067f3ae5bcb71da

    SHA512

    324e8043ce70e5f49c16e2ca5e24cc2c6e7f3486076ef53148964b66d9b4f7d793cc4c3fa5a28ca170ff6bf6b4de5e748bd7e7df177f0f643c473e58eec9087c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Viewer.exe
    Filesize

    445KB

    MD5

    1bf2306bf2ee59cdc722b72f7663bd3c

    SHA1

    63a158406c7a8bc81df438b9dd4f13f8c3e2ce16

    SHA256

    47f7715c489880c71ee98777eb04aac64ede6aa61d846ff775bc2bb18d790c47

    SHA512

    669e69ea3814614f5bfbead1bc0e5e8c4c7c0f64ce0053926bf4d173f4d3a42d756208ca45812fc61920be215d061b4ee4ee3a6b317bbf18f4fcd5a23928f453

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Viewer.exe
    Filesize

    186KB

    MD5

    5eb1645e3219b9a564c8b7f9e0dbbb2f

    SHA1

    e93d9cac0fd035b67fc19addeb047ec11e9e5e80

    SHA256

    0dc94a8b01a1cfe6c76fb0b74f09065f93f725c1e73b23f07ee1d48fe49ce759

    SHA512

    3cd85c1e185fcdba4a6b40afe93767005f2b71c180f4147cd2f29b6f44ca7af0fa1d83c9ee3a7aecafdd4607c405bff8c7c5608d53ef4160c42443ec13be43c4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Viewer.exe
    Filesize

    214KB

    MD5

    c7a592262700a6b19b33b75d00126d0d

    SHA1

    e45b3647049395156141058beaaa5c63b4f0de9c

    SHA256

    01a1ef3298d3eb4778194b28945995a080d1e01022a58685b87e0e147928ddac

    SHA512

    caddd9e4170565160ebc816f6a9f22759c508476d0edd4ff88db8cdb82687a8f0d89c2078b5491e58e133ed7aceb8ac45598b68522412cfdc4d719802284fedb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    1KB

    MD5

    3f90c4850d53d9030a7d8652465fa75d

    SHA1

    8298e2c9065d367519528be7b28ad6a5baa5ccf2

    SHA256

    24860713fa97db8eb8240a0d3485409e3304674a16db9e75a164d3ad7fe51e86

    SHA512

    cfb5721139b058fcb55bdba08f734c133a8d3a543714ffead267688f15f9d6bb705e613e9567552279e009acf58d4118a77356739a506a5f3985ecdbca6bc19f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    880B

    MD5

    e52a336a9b56402203b8dfac2ef2f025

    SHA1

    e6e4c3ac82bc4a062f88b61afaf0bc9102dc68d6

    SHA256

    eb91b5f7600de0602a509433282deb4e25764e5ff1c4a291c2ea900fd3982f83

    SHA512

    7ad196fbe6db3240f973867542f0ac5e51a273e16a67e2361b9daaea3a001a641503c72b1322218f5d2ad668e7c608982dacf70a3dd289e2b43eb295b64e04cd

    Download Submit

  • memory/5064-60-0x00000000014A0000-0x00000000014B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5064-155-0x00007FFAF99C0000-0x00007FFAFA481000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5064-29-0x00000000014A0000-0x00000000014B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5064-28-0x00007FFAF99C0000-0x00007FFAFA481000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5064-25-0x0000000000BE0000-0x0000000000C98000-memory.dmp

    Filesize

    736KB

    Download

  • memory/5064-153-0x00000000014A0000-0x00000000014B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5064-59-0x000000001C520000-0x000000001CA48000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/5108-0-0x0000000000E90000-0x0000000000F22000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5108-2-0x00000000018F0000-0x00000000018F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5108-26-0x00007FFAF99C0000-0x00007FFAFA481000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5108-3-0x000000001BC10000-0x000000001BC20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5108-1-0x00007FFAF99C0000-0x00007FFAFA481000-memory.dmp

    Filesize

    10.8MB

    Download