General

  • Target

    magic.poisontoolz.com.zip

  • Size

    27.2MB

  • Sample

    240119-y3w7hsdee7

  • MD5

    a82bf9c19b63778d79f0ba71eb26bebf

  • SHA1

    86f0429c471435086ef5e55a5df55545672a9b22

  • SHA256

    84765d5c0c038297793d431f04f2096bfce69ca41c50696c36bc0f3ba1369c05

  • SHA512

    d0f21a99efce63b9bb0a567d276ecc0ec058b8f2cda12dc8fa3da58379f078e2c79f10bbc153d17cff36873a0da6a1696f837e9d1a7ed6c3bfa5ccb92887dced

  • SSDEEP

    786432:j4oK0cWJ/C70MsxUzD96xPq2jkzeG5+qT:EoZcWsNsxUv96wckF46

Malware Config

Extracted

Family

stealerium

C2

https://discordapp.com/api/webhooks/1197850806213431377/-zU9uA2NeaYEk4-ozdhgmNljI6NS_w_qcT_cbtxYxZdkUD3JeaKChZp4GXdod-MX3D1Q

Targets

    • Target

      magic.poisontoolz.com/Avjteuhlk.dat

    • Size

      2.0MB

    • MD5

      1d94c3237123870dd362f0ea6bde6b75

    • SHA1

      181d94c05d4a5a7daa8398ab99d46aa9264deaaf

    • SHA256

      5a17e507688a1dea216200fd2bfe9fe310edeb24e3ded4a27dc795316bee0abd

    • SHA512

      281c88c4432d6b96885f876f9b0f0102ce9d52086e00dc31055af711d518f839b7e88a9010b735f3d9fec7245c2419a8562bb507e9e465f338957b0762f2d61c

    • SSDEEP

      49152:cNOcM4qpYYGKjpe3eR/htM6j5Ni8yEyRXjz+2BmB69t6sd6WzEa+TPvTTTTdTMM/:/c13VKjOstM6dNsN+Db2zEa+TPvTTTT5

    Score
    3/10

    • Target

      magic.poisontoolz.com/Binded.exe

    • Size

      5.4MB

    • MD5

      8f505e8ec6a2129264b6609d96e68962

    • SHA1

      a4f8e2102645ad87b37c4de7fa45779d3bb70f18

    • SHA256

      59e7180a2a869453fb54d13f04b4eda1a5153659378501fa31b18f862576f800

    • SHA512

      49f4b191e7e7edfb29ebe9c40cc9dc1f57824aff6b166815d9a0bd46e3e883bbf74bccee95469116a522dc850ead3813fb2977b485ead64d37c680e9acb33396

    • SSDEEP

      49152:tl+wZnx28ufF6eE39oRGIOVgdDll+wZnx28uf36eE39oRGIOVgdDp:

    Score
    10/10

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      magic.poisontoolz.com/Buildcrypt.exe

    • Size

      86KB

    • MD5

      380888258d0c8d18da63e80591a4e0f3

    • SHA1

      70ef5767c29304806ccc4cd136d9c5bfd8dcf403

    • SHA256

      eaaefbc4c960dca1de30c44f0fccbbefdb9c3e0e243e7ff5579316b99206b8e0

    • SHA512

      63104e4e2e6b260522c26a28287684bb8dab433d4b03396e30b478288980d15d4d259d873f1f59eda364ec777bcdc79f481b11890178a012f2bc483497c4e3b3

    • SSDEEP

      1536:2jXsxSiEgiXHZLUQqC0BvUncdRHREWT2fPT3YORK59kx+:KXtiSghvU/86T3YUK5CE

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      magic.poisontoolz.com/Docs.hta

    • Size

      13KB

    • MD5

      1748029e0d263b69facbad619388035b

    • SHA1

      68a59b7c1a84d688b0fa226478fd467ca832cf86

    • SHA256

      7081af3ed8502a3f98fe7907be09d7968e52d378554106de2d10bec091a4f499

    • SHA512

      3fa7cbc5efcc5797c7cdbae7277ecc676c4c979e200dceb3608d971c82863f307376feee31ccda4c17d34441750eae9ec43ee08f1f37e1d6d9bbb8dda489b19a

    • SSDEEP

      384:A/2Fh6MpARzbm4hRqzzbzse/JzzbVsm760ZqezHbqbz4sb4pzm/0Mr8HHzs38Ob3:0

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      magic.poisontoolz.com/Document.pdf

    • Size

      3KB

    • MD5

      80a2593453c09724d152e841a3ff0865

    • SHA1

      c73c293d18aac71c530d69ea03314f064f5c6386

    • SHA256

      71d885fd0734c915b43ed11d45750aa67c53a11d6a95c9c8323d9fd6e3b413cd

    • SHA512

      ff131d439c8e06a789fa82ab7d2640ba87ab03b165f6bbf0d8048baad81c797e45c96000312c37dd5d1a53a2996ce7d3b6ccab09470d52840e4e8344f5b04f67

    Score
    1/10

    • Target

      magic.poisontoolz.com/Evllmzg.wav

    • Size

      2.0MB

    • MD5

      9c30a721dfad77be7702c19149392cbc

    • SHA1

      5078a24c843d5624a283034970f0bc4c0dc723e7

    • SHA256

      3e13cd3586521749b19ea3820ee6cf207734800033d6074b038e149ef6cff289

    • SHA512

      d6a190b24664ea888f54a7549f6891f36ba57318c15944f8d1a32a15e4f2045ce808a25c0ba9160ab0f109910595ad5b037cf7eff9dbcdb5ed5562fca97e2856

    • SSDEEP

      24576:CiEtGkvIUuKnd3UxLT9vyWYBw7dk7effUYQ55MfE8pqzbX+qlfvNe/bxv2jj6:ChtGqISEL5vtz/0BMfjpM1NvY1v2jG

    Score
    6/10

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      magic.poisontoolz.com/File1crypt.exe

    • Size

      1.2MB

    • MD5

      8ce0ed6f181212eb2e8664a6c4fb1f6d

    • SHA1

      866f3fd24d69d21112b36a51c6b96d602a401ec6

    • SHA256

      eb316069675e5d7276bcc51542f194145da4c99f0417fd5ccb67f7fedfcc418d

    • SHA512

      1bc88d1fd1b734b3e39f92629aaf560cba4dccff73dcde7355750c14d74cd119681aba05ddefb108d0edcf2d17fccff8698bd951818fe4e141b7d96b75ed7f59

    • SSDEEP

      24576:55+4xYOwn6t6hLE3E9Vnw9mJ97mPgV20mg/7YbBe7nomSn1aC1Bvb9vcBrmYfjRx:tYOgl9E3uVZJ977/7YbI7nbmr9b1ZYr

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      magic.poisontoolz.com/File2crypt.exe

    • Size

      2.1MB

    • MD5

      59c9ab244182896361828d4e30d7fe31

    • SHA1

      1cffba028bb2a0f8a6af81610e6fabe31d0fb20b

    • SHA256

      7adb172b0b1772607653b7c685d98281f9dd63dc5a3c8554c886d9b5433b2a7a

    • SHA512

      f92ca8fa70b61c37352b339eb79041a6c6e1c7d04eb985acf18e284d5aa20e66cfee701d8763aa60269248e0daf812bc1cd30669695bf434668be489f944c9d6

    • SSDEEP

      49152:mUnQGWMOd1UCKPOwE7q+WF/S3gDPhSPAXeEPoeL0qYhxD/x:XaXUHGy+Wk3gDhSP5eLG/x

    • Detect ZGRat V1

    • Stealerium

      An open-source info stealer written in C#, first seen in May 2022.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      magic.poisontoolz.com/Files.hta

    • Size

      16KB

    • MD5

      806083ae9a40b2b4d5e8e4fc6847a01e

    • SHA1

      55f3aa0ba57d8022509a9009c674b8423294cf59

    • SHA256

      cb458ecfe5f16281e1ccc956a2c4d057e61515cec85db7799e714629dc1bbcc9

    • SHA512

      6a2ba831d4804bb501edd283afe8b33034f26d02d528ec917524132d152ca56911d8c7051b965b756547cc04b3a607154c240c353f9bba10bb6fd13bdbb2c17e

    • SSDEEP

      384:aNQQcl/VSlx+RscIhRscBrkRsctVnRcj9d1yZtqbQMieobcyXefZbcYbfDbcjQ:hlYlx+RscwRsceRsctVRcj9d1+tqkLHE

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      magic.poisontoolz.com/Jafxaspdhim.vdf

    • Size

      2.0MB

    • MD5

      3ed11397115e6c51075ff6b9dc527b96

    • SHA1

      a2a44d2c78a108f5f19706813dcda1030f76a7f8

    • SHA256

      c3845b01f4d06c52a3adc7615c1d5248a9de50ce0ae12fdaf506022e77d15c26

    • SHA512

      468aa230ecf924a2087a29ebfcd08f04fcdba41211807b15303cd5e2bea618748a983f7815e366f1109b0e06185620eb3dc80e99ca8e64d6ecf750a9a76d85b4

    • SSDEEP

      49152:lbIVt1D2S8uag2J9t7rVyuM3qimo0RlFZ9lraYhHW9f:GLx2S8cuNrVyvYRZXraY09f

    Score
    3/10

    • Target

      magic.poisontoolz.com/Otcck.wav

    • Size

      1.1MB

    • MD5

      f36d654482fd55002007c1d517bb0570

    • SHA1

      0073d502c20758eedcd974b885ef7ea68f24d6bc

    • SHA256

      50785ebfe8e8dd43d1b8efc56611371878a61d8d7866e962d92095b09d338f93

    • SHA512

      5f034b0d4e65df85acb008dd0cc5114294644408c2532a535b4f367e3d5b6d1ef7f8ba8afc3bc111164fba7e05a36da31c842673e708e679198140bf6cf45e0a

    • SSDEEP

      24576:ek2FZ8fcs/QYe8a0xafPXL4sbzraP1CdGxZ77AsgfZOR:oZ8ksne8a0xafPXvaPwYUsn

    Score
    1/10

    • Target

      magic.poisontoolz.com/Pphucxdmff.dat

    • Size

      1.2MB

    • MD5

      84028db89090f83807bc7771f1e916b4

    • SHA1

      cf5d79d04273cddea52f2e7084635b8e725eb647

    • SHA256

      9efeb0b2467f02e905cc7920a64898c28999b5e9b5ecc52b44e8e7c03ced0d6b

    • SHA512

      3eadebe6a230102036fb385b4dd456cfd8c2aeb3d86f9a49191672e834f174a60d24e7a252e067276b54f134020f7e5852e3f43991192b062b14d9ac53d140bd

    • SSDEEP

      24576:lWkB5G0jj4I9m0gV8q3eANg5yJaf3po08ykpboEi1EdwF4xsOwjgfc:3vdL9m0a8q3esgUaf3pP0sER26w0k

    Score
    3/10

    • Target

      magic.poisontoolz.com/RIB.pdf

    • Size

      19KB

    • MD5

      ac6f4727f46bff3bd3f71550ae96c15f

    • SHA1

      5966b42c1989bf6886c887a29480bd8a249476ee

    • SHA256

      580b5d3ab9575c944f5f15f42fe82a5024411a68f759ee7137e0403ac2b568e0

    • SHA512

      734a98dd5dad4674bd56b6138a94580be819c77ec3945901053b6c9f9a8bd34f4975f3a71b363ca257bfe0187cebe52bbb65fc262cb59f923396f5c2cebe737a

    • SSDEEP

      384:FuCqoWl70IVuJ9FoXIKCNTV88ffWNbkyWIDgEoeNeNiWz7:ICqoWp0IU924dY8ffWNbbWIwNPz7

    Score
    1/10

    • Target

      magic.poisontoolz.com/RagCrypt.exe

    • Size

      86KB

    • MD5

      f3ed43acd7d035e8c6035c7d65ec60bf

    • SHA1

      679c01b051cbd42b740a05f0cd2807b16bae5aec

    • SHA256

      136f29247b40b1cd3e65d093fd0529d6115ade980092b6a950d461b5c046daef

    • SHA512

      fc5b4dd5abc2e8e141b25ed4bd77509a0af1ce24b695e44b563ad93192f74c0dd147e4eb0e9da7052459b4dec975d6c99d842f77dc4e002a3631dc27a9ff4db5

    • SSDEEP

      1536:VfVyEwOvOBB/rtSp/r3fGTTNOXrbpCEviigx2hyke70WgY:uElIUfL3p5vC2hykg

    Score
    10/10

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Suspicious use of SetThreadContext

    • Target

      magic.poisontoolz.com/Spaufgty.wav

    • Size

      3.5MB

    • MD5

      eaef1a862aba17aa2570a06d40f94f31

    • SHA1

      6301c10cd5d8132defa0b7904163d325554efa05

    • SHA256

      8dfae205acee3283d7560520816ee22f9c8b3979bb195a061eb9902c87f32ac4

    • SHA512

      895b7b90e011565b8dfb3f400a73cde213057d90aa6923836bc251679734857af9e419c4d6d80470e71ef5c668a8feb6a54156cbeef8e356e8ed9de999904282

    • SSDEEP

      98304:KGmcpvr4msoFNoUqnvTBgsml/VfyUUT9pM:R/pU6YclUT9pM

    Score
    1/10

    • Target

      magic.poisontoolz.com/Utsxokye.wav

    • Size

      5.4MB

    • MD5

      5644dbee55a0b7626dfb0797a1eed917

    • SHA1

      4056fa95eb21e2bde6211327881f5482e17f428d

    • SHA256

      33db9be8f0cd435f790f3296c46968da15d8b3a2fd9cebaf56717556760a0fa7

    • SHA512

      d4bcc8a8a3895fc913e11ebaf574ed784bfaade75e64adb128470aee463fa067ecfa779912781209ecf8c9d4ea862bea58928869a0e9900957714ba432cc37ba

    • SSDEEP

      98304:htF7EZgolinuxNqL7rw3eGafffoD31VU1cKAqD2mcGa4eYvD8:jF7heinuS7vJffcjUyKhDI

    Score
    6/10

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      magic.poisontoolz.com/Walter.exe

    • Size

      1.4MB

    • MD5

      00db76730c41df5c707cdbc485c243a0

    • SHA1

      564fbec2ac1e4b3c4375c677b21c978236f84832

    • SHA256

      fee0b2009c3f04988ffee2ee8fe3874397b3458c41996a1c5658c719150c6a34

    • SHA512

      af04c39a6fa56b50c21d89d9bacece75251e94cc76e401afda266029f906905b9193e5be5b914766e0e5873ecf2ab13da3129b4e6cb8692e3b14ca48ed59027d

    • SSDEEP

      24576:1v432itln1e4uYvh+ZlvO9kvL4mucXw9FeV8WAAWrormkyZiCO0Pqo6Dw2P15tjx:Ml1e4zJAc4Tg9FeiAWUqkXaR6Dd5tj7X

    Score
    10/10

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Suspicious use of SetThreadContext

    • Target

      magic.poisontoolz.com/Wjwxkhbvw.mp4

    • Size

      2.0MB

    • MD5

      542f475742f3c0a5b9cd5dae1b92fd1f

    • SHA1

      c1ecc864c0540ec9a75422d2761c34c0bf6fec11

    • SHA256

      204a743c9d70c652ffbbd1562e7cc5223eb50c81c382b2ca2f0364324b7d81c0

    • SHA512

      c5affce6e460d6222a35e4e480e115ad71426af061d9f8461a4f5829c9f573e24400cec31d6cbd87660e887858a83d2f54c4882ab8c0a9c219a0525c8b3452dd

    • SSDEEP

      49152:8q1fRjNoA7YIAAUSHypZWt1WVq5NSg/D5mUfaZ4TNeZxLCm:tjuieAJPCVqiw7aZ4e

    Score
    6/10

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      magic.poisontoolz.com/Wlkubkwdmop.mp4

    • Size

      1.1MB

    • MD5

      262aeec0ec3e7a9c7e3b03af9028b046

    • SHA1

      f8e489c89d4a375f489ffd963b083a6b6df78169

    • SHA256

      194fcade84169c0c2ad523047cba81de2c6ebbdb4ea00585846aae915c354cd6

    • SHA512

      1b84201277dbf212ca4d5dbf6ea70efbedc0f4a253bd4bf88e5192df7ddacd0e16fb7c85c3da8203177403ac28ed0315a0dfe89d7231399758beb9645b4b4169

    • SSDEEP

      24576:cWOOs+OgGKCh8jq+pLGb2dl4ByUwMqgqkADEn:eOjXGKPjqcLtl4B6pW

    Score
    6/10

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      magic.poisontoolz.com/binded.hta

    • Size

      10KB

    • MD5

      5bd249833a7dd24a0bcc183bff7f84f4

    • SHA1

      79eefa12df99d15efcb006bc75c3ca8fd1eeef70

    • SHA256

      938763b3b3fd082f84a6ec2f7ed3d02a8b665a3e0d0a75e814652e290e56590e

    • SHA512

      c7048a4933e257a706cfbb85c7f726eee8851015bf60fa427264fd3c16dcd7437e74c75b179b3160389bdf2ae4ee1e6b585840d99e13ee17e3a010e2e9c82574

    • SSDEEP

      192:n5x7G7b+B+lz+RXN36UOq6ghokeKkTkF8Yjp/f+Ex:nj7G7b+ow40qwmm86x

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      magic.poisontoolz.com/building.exe

    • Size

      56KB

    • MD5

      5a51a3f11d523aaad894e4e8381f169a

    • SHA1

      1f6800f862e2238e36b50c2b4b900d9e3cdaecd3

    • SHA256

      cae11157e682ada9c356e2fb622357d687b41e1e3c3f4300a54a70be0165e4ce

    • SHA512

      655ad8134408970703bfdf65e82ebe8b3c8d2e0f90e6189962fe03755f1b365832d34673717803c4a5f5598170120dc776de83a7e291090b75b41e6b7b59eda0

    • SSDEEP

      1536:UrkoiEd1v3nxQ3DRI07olrgt+mtfTQZPpQh82:UZiEd1v3nKlI07MYTtf8ZPpQ+2

    Score
    10/10

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Suspicious use of SetThreadContext

    • Target

      magic.poisontoolz.com/down.PNG

    • Size

      36KB

    • MD5

      b0570dc898e4caef1c31481767c93385

    • SHA1

      ab772068e1e0a0aefa7334d382072f91db446e25

    • SHA256

      d80033b02fcc41a625583f83c3a9e977dc11167be2c3c68638e7191fcd6cc7e5

    • SHA512

      2d454e48fad3e952d0afa7451db4f28c2f3ccc7c7637e18d9c2bbac0bdd3f6f980a1aee5f0e02d315bcd2cde4c35c598088d853d5147c11b4cd199006ad97d42

    • SSDEEP

      768:wLeQ33EpnRdrTlLmSPBaJ/GsSaHhyIY95d9udlQndfXKaFSHgaVTWz/4EVG/xei:WHoRF+SaoIYjdAbKZygDUEVqJ

    Score
    3/10

    • Target

      magic.poisontoolz.com/fox.hta

    • Size

      13KB

    • MD5

      2d4c16415e96b123166fb5791f589a74

    • SHA1

      c7d04a986c3382cddb58b17f06dd372c66100e6c

    • SHA256

      87c90c1f78c42da7be295cbd0ae9523d975753f65e0e8e7ef5f63ee38da43454

    • SHA512

      7091e2fa62697a038e7ab8a80298df6922d54e8cd1a9f51d22c33e02d3fafbdaad312645eede17c6d7c5177bec4cae97a3c40aeb7b619d8dcc4b59f09d312012

    • SSDEEP

      384:9FQ1lDQfQnqQ1yySMyEFo08QkuVTHTAWX4HRXz6:/Q1lDQfQnqQ1yySMyEFo08QkuVTHTAWB

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      magic.poisontoolz.com/xw.exe

    • Size

      28KB

    • MD5

      07863605fe5206c0f5eaf8f119ba71fc

    • SHA1

      8747e0363ab081bdcdb212f64cf32db3b25e61fc

    • SHA256

      098b1c1b7ccb2be3f1f1d98e430d3c2f81ae56075a03b58ac6c24c77fc62d920

    • SHA512

      1b7fa923c1c7fb883cb3d5e2dc53a728c67df74abf5f9d9c8c2391f779faa94efeaa40e66062968d602eef813a1f639d19d0b7e6bf8028bafd11dd08a0d956f5

    • SSDEEP

      768:2AqFNDcBN3SBldDiHjQW/081aBV/Rqcbdqb:2AacBN3YW8y08grqcb4b

    • Detect ZGRat V1

    • Stealerium

      An open-source info stealer written in C#, first seen in May 2022.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      magic.poisontoolz.com/xw.hta

    • Size

      9KB

    • MD5

      7fd67141143ee183f9fddde7fc7e02de

    • SHA1

      bb658b3ec2437bd8ec9600e726433139aae85e3d

    • SHA256

      f29e50d354f1449c3cfc01c31f14268a29ef70051041bc14b6b71b94bce5b517

    • SHA512

      baded976e98ea76b9813128dc1947abae8c915fdeeb6619dff2bc88efcb31e1ee291494faa2405caa283ba6268101622932b569be02e0172b4c4a69481375ae5

    • SSDEEP

      192:uIBkEA+PkPeI19n1dNDQ9nNNsV2OilDQ9nysHSUlDvdltdEVqQKdDp4Re1JQ/ffs:u20oc1C+nQrzk

    • Detect ZGRat V1

    • Stealerium

      An open-source info stealer written in C#, first seen in May 2022.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      magic.poisontoolz.com/yagacrypt.exe

    • Size

      56KB

    • MD5

      0abd42634db4f4fb3bbbcaa066413d68

    • SHA1

      074f62ae3b24d775f09e98e81e857e6f1be05f3b

    • SHA256

      a2ac7be629121924985b42fdf34380efe12be78a3d8665b625a2eae80808cff4

    • SHA512

      578ef89e668c8e38e66353f485be2b90ebf8ec21bcf0f5de0ec65ee0710b55256876f28219e540beaf2dea41224c51355dc9a39930cfa3b231b3450264ac47d2

    • SSDEEP

      1536:rytceGvzLlLa2kSrZRPV1mcKAgSfTl3Blpgr1dv:rytceGv3lLa2LRPVBvfR3TpgBdv

    Score
    10/10

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

Score
3/10

behavioral2

zgrat, rat
Score
10/10

behavioral3

zgrat, collection, rat, spyware, stealer
Score
10/10

behavioral4

zgrat, collection, rat, spyware, stealer
Score
10/10

behavioral5

Score
1/10

behavioral6

Score
6/10

behavioral7

zgrat, rat, spyware, stealer
Score
10/10

behavioral8

stealerium, zgrat, collection, rat, spyware, stealer
Score
10/10

behavioral9

zgrat, collection, rat, spyware, stealer
Score
10/10

behavioral10

Score
3/10

behavioral11

Score
1/10

behavioral12

Score
3/10

behavioral13

Score
1/10

behavioral14

zgrat, rat
Score
10/10

behavioral15

Score
1/10

behavioral16

Score
6/10

behavioral17

zgrat, rat
Score
10/10

behavioral18

Score
6/10

behavioral19

Score
6/10

behavioral20

zgrat, rat, spyware, stealer
Score
10/10

behavioral21

zgrat, rat
Score
10/10

behavioral22

Score
3/10

behavioral23

zgrat, rat, spyware, stealer
Score
10/10

behavioral24

stealerium, zgrat, collection, rat, spyware, stealer
Score
10/10

behavioral25

stealerium, zgrat, collection, rat, spyware, stealer
Score
10/10

behavioral26

zgrat, rat
Score
10/10