Overview

overview

10

Static

static

3

4f55208346...b2.exe

windows7-x64

10

4f55208346...b2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-01-2024 02:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f552083461474d9a151b2ce139638b2.exe

  • Size

    567KB

  • MD5

    4f552083461474d9a151b2ce139638b2

  • SHA1

    873a43d7253c0efc388048904bb72c37d5e0abaf

  • SHA256

    c78c65574f46075aad9b0bdd6a93cae108cf0d07fa6c906d171d27699081ee4c

  • SHA512

    4d454aee96622e9ddb57dbb6a8f965ea7830d57c136823a90e9c9307c75659791b7868142e2923e6be8b3dee3511e2dbad3d3c83422192d39189aabb42df779d

  • SSDEEP

    12288:IXXy/9Gg3/MJBiotluv8/8gSHJ0iIKQR31h9szxj4B:qLg3/rB8/PSUbRlhck

Score
10/10
44caliberzgratratspywarestealer

Malware Config

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Detect ZGRat V1 2 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f552083461474d9a151b2ce139638b2.exe
    "C:\Users\Admin\AppData\Local\Temp\4f552083461474d9a151b2ce139638b2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4732
    • C:\Users\Admin\AppData\Local\Temp\CookieViewer.exe
      "C:\Users\Admin\AppData\Local\Temp\CookieViewer.exe"
      2⤵
      • Executes dropped EXE
      PID:5008
    • C:\Users\Admin\AppData\Local\Temp\Viewer.exe
      "C:\Users\Admin\AppData\Local\Temp\Viewer.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:388

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CookieViewer.exe
    Filesize

    587KB

    MD5

    a92c0af180f49d98d7c82e59ed0f580c

    SHA1

    0c0ad8a98a6766ce871bf4f9a0785ae2e1d59085

    SHA256

    e207ed5fcf6e7f2f9d69ccc382285ef32e347b5d97e2b9607067f3ae5bcb71da

    SHA512

    324e8043ce70e5f49c16e2ca5e24cc2c6e7f3486076ef53148964b66d9b4f7d793cc4c3fa5a28ca170ff6bf6b4de5e748bd7e7df177f0f643c473e58eec9087c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Viewer.exe
    Filesize

    707KB

    MD5

    95e63e48cfcdb769f0971d0f6dc4cc98

    SHA1

    993577e8f00a0ca9d55150c0698d109ab97c4da7

    SHA256

    7e09520e58b1573a1b905e34c95054c04c6c635276a2044fb83341faee05491a

    SHA512

    16630e7845d5277fcbe939280174aae395b378e24a60cd196b72bffd86861bf3bd9f797a2b1bef2991043762288c4d135d26bb71938d8225cd5fd51542465eed

    Download Submit
  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    1KB

    MD5

    90b64b6d6c0d3903c452127f2245e766

    SHA1

    23c50744ab5e78dcd79e7f94d33292e8783a016f

    SHA256

    7b474b65079503f5b4959174dfe5ecb65e64e447b9afa884b0ac1efd464c36ac

    SHA512

    5cf4c65b991d9c1034d10bd5675ea63047d742e2cbe6f41a84163a70f5d760dbbc4c9a9080b16562159173b360aab94e806d381c42201bf6f468aaf37955d4d5

    Download Submit
  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    1KB

    MD5

    1e71d3008f4d6bdeb2a2b2f2f8fefe8a

    SHA1

    9adda87416f8854097823e7d287a82e58a5ea12c

    SHA256

    580a39eaa5b84a228437b4d5c29e736773a7045863829e4b8131fbfe8b9f2dfc

    SHA512

    b555ee35f49cf215556d1e26777b7486d5bcaadf0364f06e355d104e31fc982185412513562eb84676aa0e2ae6d6655d26ba982f57de827f4dd7f5cddb8cd607

    Download Submit
  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    494B

    MD5

    628bff5db0bd41231909a6789212bf51

    SHA1

    f00e16b40ba06fdd5640f8645ce8c946cb374432

    SHA256

    d82aa46b62de26e2e99b945c3523ec18e24d17d0e84a5d57c72af08d29296999

    SHA512

    dda21445fcaab86a7bdce1766c9fb4195c6bf81977e3ebd89c628a38eb2eb6d551779b538b9f4cf284fa79eaf30cee633c93b7ddc8b78a1f1944b7acb21a9abf

    Download Submit
  • memory/388-154-0x000000001B740000-0x000000001B750000-memory.dmp
    Filesize

    64KB

    Download
  • memory/388-25-0x0000000000910000-0x00000000009C8000-memory.dmp
    Filesize

    736KB

    Download
  • memory/388-26-0x00007FFC8D6B0000-0x00007FFC8E171000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/388-159-0x00007FFC8D6B0000-0x00007FFC8E171000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/388-28-0x000000001B740000-0x000000001B750000-memory.dmp
    Filesize

    64KB

    Download
  • memory/388-35-0x000000001C480000-0x000000001C9A8000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/388-61-0x00007FFC8D6B0000-0x00007FFC8E171000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/388-157-0x000000001B740000-0x000000001B750000-memory.dmp
    Filesize

    64KB

    Download
  • memory/388-155-0x000000001B740000-0x000000001B750000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4732-27-0x00007FFC8D6B0000-0x00007FFC8E171000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4732-1-0x00007FFC8D6B0000-0x00007FFC8E171000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4732-2-0x00000000011C0000-0x00000000011C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4732-0-0x0000000000A90000-0x0000000000B22000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4732-3-0x000000001B790000-0x000000001B7A0000-memory.dmp
    Filesize

    64KB

    Download