44caliber | c78c65574f46075aad9b0bdd6a93cae108cf0d07fa6c906d171d27699081ee4c

General

Target

4f552083461474d9a151b2ce139638b2.exe
Size

567KB
MD5

4f552083461474d9a151b2ce139638b2
SHA1

873a43d7253c0efc388048904bb72c37d5e0abaf
SHA256

c78c65574f46075aad9b0bdd6a93cae108cf0d07fa6c906d171d27699081ee4c
SHA512

4d454aee96622e9ddb57dbb6a8f965ea7830d57c136823a90e9c9307c75659791b7868142e2923e6be8b3dee3511e2dbad3d3c83422192d39189aabb42df779d
SSDEEP

12288:IXXy/9Gg3/MJBiotluv8/8gSHJ0iIKQR31h9szxj4B:qLg3/rB8/PSUbRlhck

Score

10^/10

44caliber zgrat rat spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/2640-16-0x0000000000DC0000-0x0000000000E78000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0008000000012287-15.dat	family_zgrat_v1
behavioral1/files/0x0008000000012287-14.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 2 IoCs

pid	Process
2812	CookieViewer.exe
2640	Viewer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	freegeoip.app
3	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Viewer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Viewer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2640	Viewer.exe
2640	Viewer.exe
2640	Viewer.exe
2640	Viewer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	4f552083461474d9a151b2ce139638b2.exe
Token: SeDebugPrivilege	2640	Viewer.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2812	2884	4f552083461474d9a151b2ce139638b2.exe	29
PID 2884 wrote to memory of 2812	2884	4f552083461474d9a151b2ce139638b2.exe	29
PID 2884 wrote to memory of 2812	2884	4f552083461474d9a151b2ce139638b2.exe	29
PID 2884 wrote to memory of 2812	2884	4f552083461474d9a151b2ce139638b2.exe	29
PID 2884 wrote to memory of 2640	2884	4f552083461474d9a151b2ce139638b2.exe	30
PID 2884 wrote to memory of 2640	2884	4f552083461474d9a151b2ce139638b2.exe	30
PID 2884 wrote to memory of 2640	2884	4f552083461474d9a151b2ce139638b2.exe	30

C:\Users\Admin\AppData\Local\Temp\4f552083461474d9a151b2ce139638b2.exe
"C:\Users\Admin\AppData\Local\Temp\4f552083461474d9a151b2ce139638b2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\CookieViewer.exe
  "C:\Users\Admin\AppData\Local\Temp\CookieViewer.exe"
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\Viewer.exe
  "C:\Users\Admin\AppData\Local\Temp\Viewer.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
227B

MD5
cb2098bb67e6d976f7a7e4a584859297

SHA1
9ff06150bd45b321c3a2faf03ae6b6102273d964

SHA256
dbde229cce2a517fdd33e37daae1ca80c754ce559b486dfd4d863e6ed437faf8

SHA512
8a60d7c9c5e0a956d628b30dd05d6383b1109aa405afcb957f19202650f80bcc58be514f6d4b89a7487743a7ef190463225f1a1e5951f731807f79d4edc2c8a8

Download Submit
C:\ProgramData\44\Process.txt

Filesize
387B

MD5
d7549095151b3f61853fea5d734be936

SHA1
b062166f3f06358c9215908f56dec83438bd93e2

SHA256
eb35e99ee49c5396f1c37929b8e488314cf77f7cf803c79096371a2705d567be

SHA512
42aa7fd20df9b2213cad5678bd31fda11ce4bf0649b3b9390aac9396d9b88621ca029ab975610d1cf5f0a6c8fd1928077fbe9d07451b9cb695d8f3c2051f1d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\CookieViewer.exe

Filesize
247KB

MD5
403de2c7272c577698ebb2b0b6908f17

SHA1
7e17622719b3429e4822c06ab48e5c52f9ce6d08

SHA256
4c8ea6dd23dd5d400bf7b04ca5771eb1f0ff081b4a0b3946958b2d918be4af81

SHA512
8363dfd17a5837c373e2a3a21c79a102acb91688871278743d59b866a3d75e35d2545e574e3e93bf97256516250c11ec5ada6ae6a1f950b96390b79dde566d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CookieViewer.exe

Filesize
243KB

MD5
8f672427e2745bd7b0d977115168f739

SHA1
6c7e02241a54c2824dc2a838e7710d94f3dd7ce2

SHA256
6c1e6a3dadfc756a6fd85adcb532bffd6c3a176479ceba5f5ed7d0e951b087b0

SHA512
d45c01bd0fc79c4330f5405a41ad7755704ada76ab8dd64d1bb8c66f20b45a37b76e66fa58943e35db7b944b5d5582847228ce6d37636cfba973f804cb013a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Viewer.exe

Filesize
201KB

MD5
9dac088a7c161ced2788cce3943b9d76

SHA1
3ca4689761f00d53c14ae2c49cbecfaf402f4e10

SHA256
2db643f446404ea9db6c2cb376b82917e57cd073b656f15df7763ad70ab3e103

SHA512
e706bcef2a12a928267efca76a842be57f15ec479298f819d07add318bf8795afd429eb9266781000e4199c66066c906637578dd8284a801d7ea0cd6b5171ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Viewer.exe

Filesize
355KB

MD5
592f3e00c1ecb9ebf4846cf833072623

SHA1
03ee73cffc2297fdc6e18f83538531983d33a4e3

SHA256
7b30d8fbfa70c0bbd3cef3a0e712aff58eac67c6d3570d719c6876b6df52fce4

SHA512
a9856050b8f81df8a63851dd5ff0bdceba8b27944f1649b3e35b85a6c2d6599987f0ca53d6d6e86f6a4dab0d6f50e1c5364a1ada46f702be59daf3db07770702

Download Submit
memory/2640-18-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/2640-16-0x0000000000DC0000-0x0000000000E78000-memory.dmp

Filesize
736KB

Download
memory/2640-19-0x000000001B2D0000-0x000000001B350000-memory.dmp

Filesize
512KB

Download
memory/2640-38-0x000000001B2D0000-0x000000001B350000-memory.dmp

Filesize
512KB

Download
memory/2640-68-0x000000001B2D0000-0x000000001B350000-memory.dmp

Filesize
512KB

Download
memory/2640-69-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/2884-0-0x0000000000AC0000-0x0000000000B52000-memory.dmp

Filesize
584KB

Download
memory/2884-17-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/2884-2-0x000000001B0C0000-0x000000001B140000-memory.dmp

Filesize
512KB

Download
memory/2884-3-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2884-1-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing