Overview

overview

10

Static

static

3

c58af9384d...19.exe

windows7-x64

10

c58af9384d...19.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    28-12-2023 05:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c58af9384d71e33bae1d8a032d9e7b19.exe

  • Size

    4.0MB

  • MD5

    c58af9384d71e33bae1d8a032d9e7b19

  • SHA1

    15bd308104a7b2d05ba9fd03b3a4c5410afabc56

  • SHA256

    77189b22dfb8238a4837f95e3283150bca8105d618cc421cde8170644bcf878b

  • SHA512

    ac80eb00dcf2aec8a56e071281030b9c3ec57460b2a2c59b8db43ce51a60465a419ed1e5f887d7e2d8b41c0aaca226244bb52e7c72cccf44f477fcdad03aa3e8

  • SSDEEP

    49152:PSzzgkLJWvg/RdFy7/QhWwALywBDyVt4kWzzwskrk4NZXuMk6o9ufAXV4AK:

Score
10/10
echelonzgratratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 35 IoCs
  • Detects Echelon Stealer payload 2 IoCs
  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    stealerspywareechelon
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c58af9384d71e33bae1d8a032d9e7b19.exe
    "C:\Users\Admin\AppData\Local\Temp\c58af9384d71e33bae1d8a032d9e7b19.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Users\Admin\AppData\Roaming\WinNetCache\WinNetCache.exe
      "C:\Users\Admin\AppData\Roaming\WinNetCache\WinNetCache.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\ProgramData\Decoder.exe
        "C:\ProgramData\Decoder.exe"
        3⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2352
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2860
        • C:\Windows\system32\timeout.exe
          timeout 4
          4⤵
          • Delays execution with timeout.exe
          PID:3040

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Decoder.exe
    Filesize

    490KB

    MD5

    c29c0d495ed13e703f433d53bdffdab8

    SHA1

    74ed36e6b6027b61abcfe2956670ffd9de7fd71a

    SHA256

    20309707aa6fc678963aace7685a37839d439c850b1ba399bdbfbbeddc10ed4b

    SHA512

    fea4c1066ee6df3ebb29a354678a3d0f1398cd216b92b261296fcff580b00e19cefe24d975beebcc41854cceef3df2702d569811358dae4203a924fb52cf5426

    Download Submit

  • C:\Users\Admin\AppData\Local\ScallyMilano\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

    Download Submit

  • C:\Users\Admin\AppData\Local\ScallyMilano\ProcessList.txt
    Filesize

    216B

    MD5

    7e37cf334542a24e809b4b9aa46caf1e

    SHA1

    ec0fe7832a1dcc98cc743a9d7922646c0f6d5592

    SHA256

    bc7880c8f1f561adc5d997776c6f594ecf6003e66d0645b20c28bdde36655de7

    SHA512

    c4d03caf05906f4a90ec88d9a602765348b947e6d9db79c98007525f4218fc9fa2ccaa6b2dd9a75736a61f1a4b54e05f260661d6a031061e43e102ae4f57a276

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\.cmd
    Filesize

    28B

    MD5

    217407484aac2673214337def8886072

    SHA1

    0f8c4c94064ce1f7538c43987feb5bb2d7fec0c6

    SHA256

    467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797

    SHA512

    8466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WinNetCache\WinNetCache.exe
    Filesize

    1.5MB

    MD5

    ad2f6dd54f8a52708148b9fe50f7ede9

    SHA1

    20b3284ad569811a6f28a39a92b6da61d2713079

    SHA256

    59c3fc7329bf3f09b892d86419da8d1872dc2262683ec45b348a1c27993133b0

    SHA512

    7f2c297b294a20edf52e63eaf7311883295b6bd5c6cd14e839ba8174dabcb353df4536976ba680f647311cfc86f6952f82a0508a6b6dbfe03fbdac7a7e3b57af

    Download Submit

  • memory/2156-7-0x0000000000B90000-0x0000000000D14000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2156-8-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2156-10-0x0000000000B10000-0x0000000000B90000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2156-11-0x0000000002260000-0x00000000022D6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2156-23-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2352-57-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-67-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-24-0x00000000048E0000-0x000000000497C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2352-27-0x0000000002220000-0x0000000002260000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2352-28-0x0000000002220000-0x0000000002260000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2352-29-0x0000000004840000-0x00000000048DA000-memory.dmp

    Filesize

    616KB

    Download

  • memory/2352-30-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-31-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-33-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-35-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-37-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-39-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-41-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-43-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-45-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-47-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-49-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-51-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-53-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-55-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-26-0x0000000002220000-0x0000000002260000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2352-59-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-61-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-63-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-65-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-25-0x00000000747F0000-0x0000000074EDE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2352-69-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-73-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-75-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-71-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-77-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-79-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-81-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-83-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-85-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-87-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-89-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-91-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-93-0x0000000004840000-0x00000000048D4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2352-478-0x0000000002220000-0x0000000002260000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2352-550-0x00000000747F0000-0x0000000074EDE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2352-548-0x0000000002220000-0x0000000002260000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2352-532-0x0000000004F20000-0x0000000004F96000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2352-545-0x00000000747F0000-0x0000000074EDE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2352-546-0x0000000002220000-0x0000000002260000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2352-547-0x0000000002220000-0x0000000002260000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3036-0-0x0000000001280000-0x0000000001680000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3036-1-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3036-2-0x000000001B4E0000-0x000000001B560000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3036-9-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

    Filesize

    9.9MB

    Download