General

  • Target

    VSInstaller.exe

  • Size

    12.3MB

  • Sample

    240114-xbnwdscfen

  • MD5

    44c43d23bc75efb50bc6a095e17861e1

  • SHA1

    60838d7a115c9aa23ddf39ddee322c044e359c58

  • SHA256

    2759d31bcf93143c760e809f1097b5b7a3194cc8ce43704c6c59a20ad5c1c079

  • SHA512

    aa0acda3a85fa11b1e03eb28f9e1186aeae8766eb1bf18523379ab8e52d486ad536ec0954d1f9972d81a107b0f779bb358dd790b21e585c8e32ff1d596e55b76

  • SSDEEP

    393216:tg8+fg+g/6JghrmIaAlypnKRs2/xFEcKAmv:tgdgZ/lhrvRypnoxhNmv

Malware Config

Targets

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Creates new service(s)

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks