Analysis
-
max time kernel
24s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
04-01-2024 03:23
Static task
static1
Behavioral task
behavioral1
Sample
3fc4f59e7aa2ac0a1bffbc8d2e4d29dc.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
3fc4f59e7aa2ac0a1bffbc8d2e4d29dc.exe
Resource
win10v2004-20231215-en
General
-
Target
3fc4f59e7aa2ac0a1bffbc8d2e4d29dc.exe
-
Size
1.9MB
-
MD5
3fc4f59e7aa2ac0a1bffbc8d2e4d29dc
-
SHA1
b4ec80627dea1ce0cf48180ead2647c1e59a11f4
-
SHA256
e10ea81c37adf8e2d4d37fd1a7220318c7a83233b6abf4a79a12c756d3a3dc44
-
SHA512
c6f6dc178c563aa794f437ae72b2999695a98e97605dee9de4f053bf5b4e4838b1029377c35b6eb4b161f29834b78578c08a27f0455e4dc8bc1bfa24bb91fb97
-
SSDEEP
49152:3zjhkfO9FWUoQeoUwpicHo3vqAoPyoZxKIBBh7rN:3Xyf/YBYcI3vqThOAl
Malware Config
Signatures
-
Detect ZGRat V1 31 IoCs
resource yara_rule behavioral1/memory/2596-101-0x0000000002980000-0x0000000002A02000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-102-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-123-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-133-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-149-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-159-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-157-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-155-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-153-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-151-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-147-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-145-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-143-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-141-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-139-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-137-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-135-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-131-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-129-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-127-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-125-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-121-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-119-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-117-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-115-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-113-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-111-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-109-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-107-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-105-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 behavioral1/memory/2596-103-0x0000000002980000-0x00000000029FC000-memory.dmp family_zgrat_v1 -
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
-
WebMonitor payload 1 IoCs
resource yara_rule behavioral1/memory/2128-2573-0x0000000000400000-0x00000000005F7000-memory.dmp family_webmonitor -
Executes dropped EXE 1 IoCs
pid Process 2940 Anyname.exe -
Loads dropped DLL 2 IoCs
pid Process 2500 3fc4f59e7aa2ac0a1bffbc8d2e4d29dc.exe 2500 3fc4f59e7aa2ac0a1bffbc8d2e4d29dc.exe -
resource yara_rule behavioral1/memory/2128-2565-0x0000000000400000-0x00000000005F7000-memory.dmp upx behavioral1/memory/2128-2573-0x0000000000400000-0x00000000005F7000-memory.dmp upx -
Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 185.141.152.26 Destination IP 1.2.4.8 Destination IP 1.2.4.8 Destination IP 185.141.152.26 Destination IP 185.141.152.26 -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2500 set thread context of 2596 2500 3fc4f59e7aa2ac0a1bffbc8d2e4d29dc.exe 17 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2500 3fc4f59e7aa2ac0a1bffbc8d2e4d29dc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2596 regasm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2500 3fc4f59e7aa2ac0a1bffbc8d2e4d29dc.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2500 wrote to memory of 2940 2500 3fc4f59e7aa2ac0a1bffbc8d2e4d29dc.exe 18 PID 2500 wrote to memory of 2940 2500 3fc4f59e7aa2ac0a1bffbc8d2e4d29dc.exe 18 PID 2500 wrote to memory of 2940 2500 3fc4f59e7aa2ac0a1bffbc8d2e4d29dc.exe 18 PID 2500 wrote to memory of 2940 2500 3fc4f59e7aa2ac0a1bffbc8d2e4d29dc.exe 18 PID 2500 wrote to memory of 2596 2500 3fc4f59e7aa2ac0a1bffbc8d2e4d29dc.exe 17 PID 2500 wrote to memory of 2596 2500 3fc4f59e7aa2ac0a1bffbc8d2e4d29dc.exe 17 PID 2500 wrote to memory of 2596 2500 3fc4f59e7aa2ac0a1bffbc8d2e4d29dc.exe 17 PID 2500 wrote to memory of 2596 2500 3fc4f59e7aa2ac0a1bffbc8d2e4d29dc.exe 17 PID 2500 wrote to memory of 2596 2500 3fc4f59e7aa2ac0a1bffbc8d2e4d29dc.exe 17 PID 2500 wrote to memory of 2596 2500 3fc4f59e7aa2ac0a1bffbc8d2e4d29dc.exe 17 PID 2500 wrote to memory of 2596 2500 3fc4f59e7aa2ac0a1bffbc8d2e4d29dc.exe 17 PID 2500 wrote to memory of 2596 2500 3fc4f59e7aa2ac0a1bffbc8d2e4d29dc.exe 17
Processes
-
C:\Users\Admin\AppData\Local\Temp\3fc4f59e7aa2ac0a1bffbc8d2e4d29dc.exe"C:\Users\Admin\AppData\Local\Temp\3fc4f59e7aa2ac0a1bffbc8d2e4d29dc.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2596 -
C:\Users\Admin\AppData\Local\Temp\MSBuild.exeC:\Users\Admin\AppData\Local\Temp\MSBuild.exe3⤵PID:2128
-
-
-
C:\ProgramData\Anyname.exe"C:\ProgramData\Anyname.exe"2⤵
- Executes dropped EXE
PID:2940
-