Malware Analysis Report

2025-06-15 19:52

Sample ID 240115-fk5f3ahgdp
Target b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553
SHA256 b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553
Tags
zgrat rat lumma stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553

Threat Level: Known bad

The file b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553 was found to be: Known bad.

Malicious Activity Summary

zgrat rat lumma stealer

Detect ZGRat V1

Zgrat family

Lumma Stealer

ZGRat

.NET Reactor protector

Loads dropped DLL

Suspicious use of SetThreadContext

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-15 04:56

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Zgrat family

zgrat

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 04:56

Reported

2024-01-15 05:01

Platform

win7-20231215-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2288 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2288 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2288 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2288 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2288 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2288 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2288 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2288 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2288 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2288 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2288 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2288 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2732 wrote to memory of 2736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\WerFault.exe
PID 2732 wrote to memory of 2736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\WerFault.exe
PID 2732 wrote to memory of 2736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\WerFault.exe
PID 2732 wrote to memory of 2736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe

"C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 88

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Network

N/A

Files

memory/2288-1-0x0000000074270000-0x000000007495E000-memory.dmp

memory/2288-0-0x0000000000BF0000-0x0000000000FDE000-memory.dmp

memory/2288-2-0x0000000074270000-0x000000007495E000-memory.dmp

memory/2288-3-0x0000000004D00000-0x0000000004D40000-memory.dmp

memory/2288-4-0x0000000005590000-0x00000000057B4000-memory.dmp

memory/2288-5-0x00000000068E0000-0x0000000006A72000-memory.dmp

memory/2288-14-0x0000000004D00000-0x0000000004D40000-memory.dmp

memory/2288-17-0x0000000004D00000-0x0000000004D40000-memory.dmp

memory/2288-16-0x0000000004D00000-0x0000000004D40000-memory.dmp

memory/2732-23-0x0000000000400000-0x0000000000497000-memory.dmp

memory/2732-34-0x0000000000400000-0x0000000000497000-memory.dmp

memory/2288-33-0x0000000074270000-0x000000007495E000-memory.dmp

memory/2732-31-0x0000000000400000-0x0000000000497000-memory.dmp

memory/2732-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2732-27-0x0000000000400000-0x0000000000497000-memory.dmp

memory/2732-25-0x0000000000400000-0x0000000000497000-memory.dmp

memory/2732-22-0x0000000000400000-0x0000000000497000-memory.dmp

memory/2732-21-0x0000000000400000-0x0000000000497000-memory.dmp

memory/2288-20-0x0000000004D00000-0x0000000004D40000-memory.dmp

memory/2288-19-0x0000000004D00000-0x0000000004D40000-memory.dmp

memory/2288-18-0x0000000006D60000-0x0000000006E60000-memory.dmp

memory/2288-15-0x0000000004D00000-0x0000000004D40000-memory.dmp

memory/2288-13-0x0000000000300000-0x0000000000310000-memory.dmp

memory/2288-12-0x0000000004D00000-0x0000000004D40000-memory.dmp

memory/2288-11-0x0000000004D00000-0x0000000004D40000-memory.dmp

memory/2288-10-0x0000000004D00000-0x0000000004D40000-memory.dmp

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 b73838ab928886005682c80089b68142
SHA1 e1a15d0a0394b6c2208d9d4cdbf640a58eab6f8d
SHA256 5c0c8b948221f78b8e7a5f94cf39851e1a82e5749805c01a0fb64c84bebf1c85
SHA512 ee52dc4ef70a6e635c7b0fbc86d852ed47d2654468c9cbafd1f83f8101812b677953c170f2f4239ebd225a97b5c616470649956f34ed963c752d3a8cccb9484e

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 04:56

Reported

2024-01-15 05:02

Platform

win10-20231215-en

Max time kernel

289s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

ZGRat

rat zgrat

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4836 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4836 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4836 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4836 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4836 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4836 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4836 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4836 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4836 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe

"C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 928

Network

Country Destination Domain Proto
US 8.8.8.8:53 quitcabinshiffers.site udp
US 104.21.53.218:443 quitcabinshiffers.site tcp
US 8.8.8.8:53 goddirtybrilliancece.fun udp
US 104.21.85.88:443 goddirtybrilliancece.fun tcp
US 8.8.8.8:53 88.85.21.104.in-addr.arpa udp
US 8.8.8.8:53 218.53.21.104.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

memory/4836-1-0x00000000003B0000-0x000000000079E000-memory.dmp

memory/4836-0-0x0000000073440000-0x0000000073B2E000-memory.dmp

memory/4836-2-0x0000000005020000-0x00000000050BC000-memory.dmp

memory/4836-3-0x0000000073440000-0x0000000073B2E000-memory.dmp

memory/4836-4-0x0000000005100000-0x0000000005110000-memory.dmp

memory/4836-5-0x0000000005410000-0x0000000005634000-memory.dmp

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 0618ee732cfe3675e34fc6517bd0ad5a
SHA1 68734ad93a3558a9d08ece52eaff88ec4eed7c9d
SHA256 040571bcd6562f8a320d1894f29e477d03ffa64487d2c3f06e434449ac1f0124
SHA512 1b4b2606a83a331f8a89c81b39f5ae9c6218da00d20b3c60e0434e5ee9509b8aaae82f2ab570603aae3b66546cc291a83cdd719d7c83a4d31eb70a7b7730f93f

memory/4836-15-0x0000000005100000-0x0000000005110000-memory.dmp

memory/4836-16-0x0000000005100000-0x0000000005110000-memory.dmp

memory/4836-17-0x0000000005100000-0x0000000005110000-memory.dmp

memory/4836-14-0x0000000005100000-0x0000000005110000-memory.dmp

memory/2588-21-0x0000000000400000-0x0000000000497000-memory.dmp

memory/4836-20-0x0000000006BE0000-0x0000000006CE0000-memory.dmp

memory/2588-27-0x00000000009E0000-0x00000000009E1000-memory.dmp

memory/2588-26-0x0000000000400000-0x0000000000497000-memory.dmp

memory/4836-25-0x0000000073440000-0x0000000073B2E000-memory.dmp

memory/2588-24-0x0000000000400000-0x0000000000497000-memory.dmp

memory/4836-19-0x0000000006BE0000-0x0000000006CE0000-memory.dmp

memory/4836-18-0x0000000006BE0000-0x0000000006CE0000-memory.dmp

memory/4836-13-0x0000000005100000-0x0000000005110000-memory.dmp

memory/4836-12-0x0000000001170000-0x0000000001180000-memory.dmp

memory/4836-6-0x0000000006760000-0x00000000068F2000-memory.dmp

memory/2588-28-0x0000000000400000-0x0000000000497000-memory.dmp