Malware Analysis Report

2024-09-22 21:48

Sample ID 240108-25rxcsegcl
Target 4cb2b6e2c86e81a6b2ddd2aca707e66a
SHA256 157e30e05a61154cbc5bb5e36dc43b33e500bd552f8a0624d3a02d9f1249665a
Tags
azorult zgrat infostealer rat trojan oski
score
10/10


Analysis Overview

score
10/10

SHA256

157e30e05a61154cbc5bb5e36dc43b33e500bd552f8a0624d3a02d9f1249665a

Threat Level: Known bad

The file 4cb2b6e2c86e81a6b2ddd2aca707e66a was found to be: Known bad.

Malicious Activity Summary

azorult zgrat infostealer rat trojan oski

Detect ZGRat V1

Azorult

ZGRat

Oski

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-01-08 23:10

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-08 23:10

Reported

2024-01-08 23:12

Platform

win7-20231215-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4cb2b6e2c86e81a6b2ddd2aca707e66a.exe"

Signatures

Azorult

trojan infostealer azorult

Detect ZGRat V1

ZGRat

rat zgrat

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4cb2b6e2c86e81a6b2ddd2aca707e66a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1016 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\4cb2b6e2c86e81a6b2ddd2aca707e66a.exe C:\Windows\SysWOW64\WScript.exe
PID 1016 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\4cb2b6e2c86e81a6b2ddd2aca707e66a.exe C:\Users\Admin\AppData\Local\Temp\4cb2b6e2c86e81a6b2ddd2aca707e66a.exe
PID 752 wrote to memory of 2260 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
PID 2260 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
PID 2260 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
PID 2040 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4cb2b6e2c86e81a6b2ddd2aca707e66a.exe

"C:\Users\Admin\AppData\Local\Temp\4cb2b6e2c86e81a6b2ddd2aca707e66a.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Eyyozukgtsxfcpfq.vbs"

C:\Users\Admin\AppData\Local\Temp\4cb2b6e2c86e81a6b2ddd2aca707e66a.exe

C:\Users\Admin\AppData\Local\Temp\4cb2b6e2c86e81a6b2ddd2aca707e66a.exe

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

"C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe"

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 112

Network

Country Destination Domain Proto
US 8.8.8.8:53 gordonas.ac.ug udp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-08 23:10

Reported

2024-01-08 23:12

Platform

win10v2004-20231222-en

Max time kernel

25s

Max time network

73s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4cb2b6e2c86e81a6b2ddd2aca707e66a.exe"

Signatures

Azorult

trojan infostealer azorult

Detect ZGRat V1

Oski

infostealer oski

ZGRat

rat zgrat

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4cb2b6e2c86e81a6b2ddd2aca707e66a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4cb2b6e2c86e81a6b2ddd2aca707e66a.exe

"C:\Users\Admin\AppData\Local\Temp\4cb2b6e2c86e81a6b2ddd2aca707e66a.exe"

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

"C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe"

C:\Users\Admin\AppData\Local\Temp\4cb2b6e2c86e81a6b2ddd2aca707e66a.exe

C:\Users\Admin\AppData\Local\Temp\4cb2b6e2c86e81a6b2ddd2aca707e66a.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Eyyozukgtsxfcpfq.vbs"

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5064 -ip 5064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1300

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 2.18.109.167:443 tcp
US 192.229.221.95:80 tcp
N/A 51.104.136.2:443 tcp
N/A 52.165.164.15:443 tcp
N/A 2.17.5.100:80 tcp
N/A 20.54.110.119:443 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 gordonhk.ac.ug udp

Files