General
- Target: 506cd587919d4bb571795ea1c1e64d80.bin
- Size: 1.3MB
- Sample: 240118-bvk3ysabcr
- MD5: eb92066fe91df4b60cd9bfdc67fc277c
- SHA1: 0281f0ff008da81ee29958f2d73b1ae5f1164660
- SHA256: 914e752bafce2960257ed71a9cdb217ca0ac62da5d8010f3e4611e1ca892f153
- SHA512: 68cdeaf0bd2c2c600eff08d0f1b6741567067bca6451c594f146731d831b15af0185a03effe40f61529d400aa286e288e70422b3ee6a0997168c1c8aee813287
- SSDEEP: 24576:zdetS7NwMJsrOUaB4tWMiYu2iRX+/QRxr4wDOqBbiT3e+UBNSVVUkN:4UVJeOUaSwV2nxwDOqBbO3Mc5N
Behavioral task: behavioral1
- Sample: 1991d51d2e2c4d278e49edbfc045461bb208504d759e91eb9c14f26ad4ac6256.exe
- Resource: win7-20231129-en
Targets
- Target: 1991d51d2e2c4d278e49edbfc045461bb208504d759e91eb9c14f26ad4ac6256.exe
- Size: 2.2MB
- MD5: 506cd587919d4bb571795ea1c1e64d80
- SHA1: c04c19373251eb40197975fbf901ff802e92e22d
- SHA256: 1991d51d2e2c4d278e49edbfc045461bb208504d759e91eb9c14f26ad4ac6256
- SHA512: ab9577410cb2eb1e0fd3e71c2c5d3d13a38563db70e7017734f5067171442b561b1297bf339ddfa54ae266c720a383c7e4c7a63b23a6cdb433651b7ed8cbc30b
- SSDEEP: 24576:2TbBv5rUyXVl6fDEs25370/5lJHI2cxaSzXykO0eW66f3XEWpEmEQ/2VmCthZ2yt:IBJEECrHjxdXZsUWzuUQME46LMEQ70
- Detect ZGRat V1
- Modifies WinLogon for persistence
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Disables Task Manager via registry modification
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)