Analysis Overview
SHA256
89f9caea29343d0a92b7a2cf4c3d675fe36ed7559f1f5fb389d8ee616023d1da
Threat Level: Known bad
The file f18bb1edd3ae7b63144e96132ce9aefb.bin was found to be: Known bad.
Malicious Activity Summary
ZGRat
SectopRAT payload
SectopRAT
Zgrat family
Detect ZGRat V1
Loads dropped DLL
Drops startup file
.NET Reactor proctector
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-14 04:02
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Zgrat family
.NET Reactor proctector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-14 04:01
Reported
2024-01-14 04:04
Platform
win7-20231129-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ZGRat
.NET Reactor proctector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\897b63dc56623c54120c95340a7e8c416786dbc18bb03dae3300ab2fd57e928a.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1712 set thread context of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\897b63dc56623c54120c95340a7e8c416786dbc18bb03dae3300ab2fd57e928a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\897b63dc56623c54120c95340a7e8c416786dbc18bb03dae3300ab2fd57e928a.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\897b63dc56623c54120c95340a7e8c416786dbc18bb03dae3300ab2fd57e928a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\897b63dc56623c54120c95340a7e8c416786dbc18bb03dae3300ab2fd57e928a.exe
"C:\Users\Admin\AppData\Local\Temp\897b63dc56623c54120c95340a7e8c416786dbc18bb03dae3300ab2fd57e928a.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 736
Network
| Country | Destination | Domain | Proto |
| RU | 194.26.29.153:15648 | | tcp |
Files
memory/1712-0-0x0000000074440000-0x0000000074B2E000-memory.dmp
memory/1712-1-0x0000000001340000-0x00000000019AE000-memory.dmp
memory/1712-2-0x0000000074440000-0x0000000074B2E000-memory.dmp
memory/1712-3-0x00000000012F0000-0x0000000001330000-memory.dmp
memory/1712-4-0x00000000057B0000-0x0000000005A10000-memory.dmp
memory/1712-5-0x0000000006B40000-0x0000000006CD2000-memory.dmp
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 5b6a5655c58306d685a1f7ad321e17e3 |
| SHA1 | 8b17616540e4e130f4d873a8c0a5d1e960a6d08f |
| SHA256 | f9e63d9095a927c510420d9a9c97a8489e11570ae09e46efcf0738bd10630354 |
| SHA512 | d0cc0cfceb35a35f47d67b3ac1cdc73992b9b45506e2166879ef2b8319917167d2582c78672dd89a276e1c7ea0075df7c32a7e24cea7266bf497ec5a076fcf54 |
memory/1712-13-0x00000000012F0000-0x0000000001330000-memory.dmp
memory/1712-14-0x00000000012F0000-0x0000000001330000-memory.dmp
memory/1712-12-0x00000000012F0000-0x0000000001330000-memory.dmp
memory/1712-11-0x0000000000950000-0x0000000000960000-memory.dmp
memory/1712-10-0x00000000012F0000-0x0000000001330000-memory.dmp
memory/1712-16-0x00000000012F0000-0x0000000001330000-memory.dmp
memory/1712-17-0x00000000012F0000-0x0000000001330000-memory.dmp
memory/1712-20-0x00000000012F0000-0x0000000001330000-memory.dmp
memory/2656-21-0x0000000000400000-0x00000000004D4000-memory.dmp
memory/2656-31-0x0000000000400000-0x00000000004D4000-memory.dmp
memory/2656-33-0x0000000000400000-0x00000000004D4000-memory.dmp
memory/2656-29-0x0000000000400000-0x00000000004D4000-memory.dmp
memory/2656-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2656-34-0x0000000074440000-0x0000000074B2E000-memory.dmp
memory/2656-26-0x0000000000400000-0x00000000004D4000-memory.dmp
memory/2656-25-0x0000000000400000-0x00000000004D4000-memory.dmp
memory/2656-23-0x0000000000400000-0x00000000004D4000-memory.dmp
memory/1712-19-0x00000000012F0000-0x0000000001330000-memory.dmp
memory/1712-18-0x0000000006ED0000-0x0000000006FD0000-memory.dmp
memory/1712-15-0x00000000012F0000-0x0000000001330000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp823C.tmp
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
memory/1712-44-0x00000000012F0000-0x0000000001330000-memory.dmp
memory/1712-45-0x00000000012F0000-0x0000000001330000-memory.dmp
memory/1712-48-0x00000000012F0000-0x0000000001330000-memory.dmp
memory/1712-47-0x00000000012F0000-0x0000000001330000-memory.dmp
memory/1712-46-0x00000000012F0000-0x0000000001330000-memory.dmp
memory/1712-51-0x00000000012F0000-0x0000000001330000-memory.dmp
memory/1712-50-0x00000000012F0000-0x0000000001330000-memory.dmp
memory/1712-49-0x00000000012F0000-0x0000000001330000-memory.dmp
memory/1712-53-0x00000000012F0000-0x0000000001330000-memory.dmp
memory/1712-52-0x0000000006ED0000-0x0000000006FD0000-memory.dmp
memory/1712-54-0x00000000012F0000-0x0000000001330000-memory.dmp
memory/2656-55-0x0000000074440000-0x0000000074B2E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-14 04:01
Reported
2024-01-14 04:04
Platform
win10v2004-20231215-en
Max time kernel
142s
Max time network
156s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
.NET Reactor proctector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Eye_friendly_mode_with_customization.lnk | C:\Users\Admin\AppData\Local\Temp\897b63dc56623c54120c95340a7e8c416786dbc18bb03dae3300ab2fd57e928a.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\897b63dc56623c54120c95340a7e8c416786dbc18bb03dae3300ab2fd57e928a.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4608 set thread context of 3604 | N/A | C:\Users\Admin\AppData\Local\Temp\897b63dc56623c54120c95340a7e8c416786dbc18bb03dae3300ab2fd57e928a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\897b63dc56623c54120c95340a7e8c416786dbc18bb03dae3300ab2fd57e928a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\897b63dc56623c54120c95340a7e8c416786dbc18bb03dae3300ab2fd57e928a.exe
"C:\Users\Admin\AppData\Local\Temp\897b63dc56623c54120c95340a7e8c416786dbc18bb03dae3300ab2fd57e928a.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.13.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| RU | 194.26.29.153:15648 | | tcp |
| US | 8.8.8.8:53 | 153.29.26.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
Files
memory/4608-0-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/4608-1-0x00000000008E0000-0x0000000000F4E000-memory.dmp
memory/4608-2-0x0000000005970000-0x0000000005A0C000-memory.dmp
memory/4608-3-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/4608-4-0x0000000005960000-0x0000000005970000-memory.dmp
memory/4608-5-0x0000000005D80000-0x0000000005FE0000-memory.dmp
memory/4608-6-0x0000000007110000-0x00000000072A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 544cd51a596619b78e9b54b70088307d |
| SHA1 | 4769ddd2dbc1dc44b758964ed0bd231b85880b65 |
| SHA256 | dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd |
| SHA512 | f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719 |
memory/4608-12-0x0000000005960000-0x0000000005970000-memory.dmp
memory/4608-13-0x0000000005960000-0x0000000005970000-memory.dmp
memory/4608-14-0x0000000005870000-0x0000000005880000-memory.dmp
memory/4608-15-0x0000000005960000-0x0000000005970000-memory.dmp
memory/4608-16-0x0000000005960000-0x0000000005970000-memory.dmp
memory/4608-17-0x0000000005960000-0x0000000005970000-memory.dmp
memory/4608-18-0x00000000075B0000-0x00000000076B0000-memory.dmp
memory/4608-19-0x00000000075B0000-0x00000000076B0000-memory.dmp
memory/4608-20-0x00000000075B0000-0x00000000076B0000-memory.dmp
memory/3604-21-0x0000000000400000-0x00000000004D4000-memory.dmp
memory/3604-23-0x00000000051D0000-0x0000000005262000-memory.dmp
memory/3604-22-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/4608-24-0x0000000005960000-0x0000000005970000-memory.dmp
memory/4608-25-0x0000000005960000-0x0000000005970000-memory.dmp
memory/3604-26-0x0000000005440000-0x0000000005602000-memory.dmp
memory/3604-27-0x0000000005BC0000-0x0000000006164000-memory.dmp
memory/3604-28-0x00000000052C0000-0x0000000005310000-memory.dmp
memory/3604-29-0x0000000005610000-0x0000000005686000-memory.dmp
memory/3604-30-0x00000000066A0000-0x0000000006BCC000-memory.dmp
memory/3604-31-0x0000000005970000-0x000000000598E000-memory.dmp
memory/3604-32-0x0000000005A80000-0x0000000005AE6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpF60A.tmp
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
C:\Users\Admin\AppData\Local\Temp\tmpF63C.tmp
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
memory/4608-51-0x0000000005960000-0x0000000005970000-memory.dmp
memory/4608-52-0x0000000005960000-0x0000000005970000-memory.dmp
memory/4608-54-0x0000000005960000-0x0000000005970000-memory.dmp
memory/4608-59-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/3604-60-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/3604-61-0x00000000053B0000-0x00000000053C2000-memory.dmp
memory/3604-62-0x0000000005710000-0x000000000574C000-memory.dmp