General
Score: 10/10
Target: magic.poisontoolz.com.zip
Size: 27.2MB
Sample: 240119-y3w7hsdee7
MD5: a82bf9c19b63778d79f0ba71eb26bebf
SHA1: 86f0429c471435086ef5e55a5df55545672a9b22
SHA256: 84765d5c0c038297793d431f04f2096bfce69ca41c50696c36bc0f3ba1369c05
SHA512: d0f21a99efce63b9bb0a567d276ecc0ec058b8f2cda12dc8fa3da58379f078e2c79f10bbc153d17cff36873a0da6a1696f837e9d1a7ed6c3bfa5ccb92887dced
SSDEEP: 786432:j4oK0cWJ/C70MsxUzD96xPq2jkzeG5+qT:EoZcWsNsxUv96wckF46
Tasks

Static task: static1

Behavioral tasks (task: sample, resource):
behavioral1: magic.poisontoolz.com/Avjteuhlk.dat, win10v2004-20231215-en
behavioral2: magic.poisontoolz.com/Binded.exe, win10v2004-20231215-en
behavioral3: magic.poisontoolz.com/Buildcrypt.exe, win10v2004-20231215-en
behavioral4: magic.poisontoolz.com/Docs.hta, win10v2004-20231215-en
behavioral5: magic.poisontoolz.com/Document.pdf, win10v2004-20231215-en
behavioral6: magic.poisontoolz.com/Evllmzg.wav, win10v2004-20231215-en
behavioral7: magic.poisontoolz.com/File1crypt.exe, win10v2004-20231215-en
behavioral8: magic.poisontoolz.com/File2crypt.exe, win10v2004-20231215-en
behavioral9: magic.poisontoolz.com/Files.hta, win10v2004-20231215-en
behavioral10: magic.poisontoolz.com/Jafxaspdhim.vdf, win10v2004-20231215-en
behavioral11: magic.poisontoolz.com/Otcck.wav, win10v2004-20231222-en
behavioral12: magic.poisontoolz.com/Pphucxdmff.dat, win10v2004-20231222-en
behavioral13: magic.poisontoolz.com/RIB.pdf, win10v2004-20231215-en
behavioral14: magic.poisontoolz.com/RagCrypt.exe, win10v2004-20231222-en
behavioral15: magic.poisontoolz.com/Spaufgty.wav, win10v2004-20231222-en
behavioral16: magic.poisontoolz.com/Utsxokye.wav, win10v2004-20231215-en
behavioral17: magic.poisontoolz.com/Walter.exe, win10v2004-20231215-en
behavioral18: magic.poisontoolz.com/Wjwxkhbvw.mp4, win10v2004-20231215-en
behavioral19: magic.poisontoolz.com/Wlkubkwdmop.mp4, win10v2004-20231215-en
behavioral20: magic.poisontoolz.com/binded.hta, win10v2004-20231215-en
behavioral21: magic.poisontoolz.com/building.exe, win10v2004-20231215-en
behavioral22: magic.poisontoolz.com/down.png, win10v2004-20231215-en
behavioral23: magic.poisontoolz.com/fox.hta, win10v2004-20231215-en
behavioral24: magic.poisontoolz.com/xw.exe, win10v2004-20231215-en
behavioral25: magic.poisontoolz.com/xw.hta, win10v2004-20231215-en
Malware Config
Extracted: stealerium
https://discordapp.com/api/webhooks/1197850806213431377/-zU9uA2NeaYEk4-ozdhgmNljI6NS_w_qcT_cbtxYxZdkUD3JeaKChZp4GXdod-MX3D1Q
Targets

Target: magic.poisontoolz.com/Avjteuhlk.dat
Size: 2.0MB
MD5: 1d94c3237123870dd362f0ea6bde6b75
SHA1: 181d94c05d4a5a7daa8398ab99d46aa9264deaaf
SHA256: 5a17e507688a1dea216200fd2bfe9fe310edeb24e3ded4a27dc795316bee0abd
SHA512: 281c88c4432d6b96885f876f9b0f0102ce9d52086e00dc31055af711d518f839b7e88a9010b735f3d9fec7245c2419a8562bb507e9e465f338957b0762f2d61c
SSDEEP: 49152:cNOcM4qpYYGKjpe3eR/htM6j5Ni8yEyRXjz+2BmB69t6sd6WzEa+TPvTTTTdTMM/:/c13VKjOstM6dNsN+Db2zEa+TPvTTTT5
Score: 3/10

Target: magic.poisontoolz.com/Binded.exe
Size: 5.4MB
MD5: 8f505e8ec6a2129264b6609d96e68962
SHA1: a4f8e2102645ad87b37c4de7fa45779d3bb70f18
SHA256: 59e7180a2a869453fb54d13f04b4eda1a5153659378501fa31b18f862576f800
SHA512: 49f4b191e7e7edfb29ebe9c40cc9dc1f57824aff6b166815d9a0bd46e3e883bbf74bccee95469116a522dc850ead3813fb2977b485ead64d37c680e9acb33396
SSDEEP: 49152:tl+wZnx28ufF6eE39oRGIOVgdDll+wZnx28uf36eE39oRGIOVgdDp:
Signatures:
- Detect ZGRat V1
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.

Target: magic.poisontoolz.com/Buildcrypt.exe
Size: 86KB
MD5: 380888258d0c8d18da63e80591a4e0f3
SHA1: 70ef5767c29304806ccc4cd136d9c5bfd8dcf403
SHA256: eaaefbc4c960dca1de30c44f0fccbbefdb9c3e0e243e7ff5579316b99206b8e0
SHA512: 63104e4e2e6b260522c26a28287684bb8dab433d4b03396e30b478288980d15d4d259d873f1f59eda364ec777bcdc79f481b11890178a012f2bc483497c4e3b3
SSDEEP: 1536:2jXsxSiEgiXHZLUQqC0BvUncdRHREWT2fPT3YORK59kx+:KXtiSghvU/86T3YUK5CE
Score: 10/10
Signatures:
- Detect ZGRat V1
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext

Target: magic.poisontoolz.com/Docs.hta
Size: 13KB
MD5: 1748029e0d263b69facbad619388035b
SHA1: 68a59b7c1a84d688b0fa226478fd467ca832cf86
SHA256: 7081af3ed8502a3f98fe7907be09d7968e52d378554106de2d10bec091a4f499
SHA512: 3fa7cbc5efcc5797c7cdbae7277ecc676c4c979e200dceb3608d971c82863f307376feee31ccda4c17d34441750eae9ec43ee08f1f37e1d6d9bbb8dda489b19a
SSDEEP: 384:A/2Fh6MpARzbm4hRqzzbzse/JzzbVsm760ZqezHbqbz4sb4pzm/0Mr8HHzs38Ob3:0
Score: 10/10
Signatures:
- Detect ZGRat V1
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext

Target: magic.poisontoolz.com/Document.pdf
Size: 3KB
MD5: 80a2593453c09724d152e841a3ff0865
SHA1: c73c293d18aac71c530d69ea03314f064f5c6386
SHA256: 71d885fd0734c915b43ed11d45750aa67c53a11d6a95c9c8323d9fd6e3b413cd
SHA512: ff131d439c8e06a789fa82ab7d2640ba87ab03b165f6bbf0d8048baad81c797e45c96000312c37dd5d1a53a2996ce7d3b6ccab09470d52840e4e8344f5b04f67
Score: 1/10

Target: magic.poisontoolz.com/Evllmzg.wav
Size: 2.0MB
MD5: 9c30a721dfad77be7702c19149392cbc
SHA1: 5078a24c843d5624a283034970f0bc4c0dc723e7
SHA256: 3e13cd3586521749b19ea3820ee6cf207734800033d6074b038e149ef6cff289
SHA512: d6a190b24664ea888f54a7549f6891f36ba57318c15944f8d1a32a15e4f2045ce808a25c0ba9160ab0f109910595ad5b037cf7eff9dbcdb5ed5562fca97e2856
SSDEEP: 24576:CiEtGkvIUuKnd3UxLT9vyWYBw7dk7effUYQ55MfE8pqzbX+qlfvNe/bxv2jj6:ChtGqISEL5vtz/0BMfjpM1NvY1v2jG
Score: 6/10
Signatures:
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.

Target: magic.poisontoolz.com/File1crypt.exe
Size: 1.2MB
MD5: 8ce0ed6f181212eb2e8664a6c4fb1f6d
SHA1: 866f3fd24d69d21112b36a51c6b96d602a401ec6
SHA256: eb316069675e5d7276bcc51542f194145da4c99f0417fd5ccb67f7fedfcc418d
SHA512: 1bc88d1fd1b734b3e39f92629aaf560cba4dccff73dcde7355750c14d74cd119681aba05ddefb108d0edcf2d17fccff8698bd951818fe4e141b7d96b75ed7f59
SSDEEP: 24576:55+4xYOwn6t6hLE3E9Vnw9mJ97mPgV20mg/7YbBe7nomSn1aC1Bvb9vcBrmYfjRx:tYOgl9E3uVZJ977/7YbI7nbmr9b1ZYr
Signatures:
- Detect ZGRat V1
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: magic.poisontoolz.com/File2crypt.exe
Size: 2.1MB
MD5: 59c9ab244182896361828d4e30d7fe31
SHA1: 1cffba028bb2a0f8a6af81610e6fabe31d0fb20b
SHA256: 7adb172b0b1772607653b7c685d98281f9dd63dc5a3c8554c886d9b5433b2a7a
SHA512: f92ca8fa70b61c37352b339eb79041a6c6e1c7d04eb985acf18e284d5aa20e66cfee701d8763aa60269248e0daf812bc1cd30669695bf434668be489f944c9d6
SSDEEP: 49152:mUnQGWMOd1UCKPOwE7q+WF/S3gDPhSPAXeEPoeL0qYhxD/x:XaXUHGy+Wk3gDhSP5eLG/x
Score: 10/10
Signatures:
- Detect ZGRat V1
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: magic.poisontoolz.com/Files.hta
Size: 16KB
MD5: 806083ae9a40b2b4d5e8e4fc6847a01e
SHA1: 55f3aa0ba57d8022509a9009c674b8423294cf59
SHA256: cb458ecfe5f16281e1ccc956a2c4d057e61515cec85db7799e714629dc1bbcc9
SHA512: 6a2ba831d4804bb501edd283afe8b33034f26d02d528ec917524132d152ca56911d8c7051b965b756547cc04b3a607154c240c353f9bba10bb6fd13bdbb2c17e
SSDEEP: 384:aNQQcl/VSlx+RscIhRscBrkRsctVnRcj9d1yZtqbQMieobcyXefZbcYbfDbcjQ:hlYlx+RscwRsceRsctVRcj9d1+tqkLHE
Score: 10/10
Signatures:
- Detect ZGRat V1
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext

Target: magic.poisontoolz.com/Jafxaspdhim.vdf
Size: 2.0MB
MD5: 3ed11397115e6c51075ff6b9dc527b96
SHA1: a2a44d2c78a108f5f19706813dcda1030f76a7f8
SHA256: c3845b01f4d06c52a3adc7615c1d5248a9de50ce0ae12fdaf506022e77d15c26
SHA512: 468aa230ecf924a2087a29ebfcd08f04fcdba41211807b15303cd5e2bea618748a983f7815e366f1109b0e06185620eb3dc80e99ca8e64d6ecf750a9a76d85b4
SSDEEP: 49152:lbIVt1D2S8uag2J9t7rVyuM3qimo0RlFZ9lraYhHW9f:GLx2S8cuNrVyvYRZXraY09f
Score: 3/10

Target: magic.poisontoolz.com/Otcck.wav
Size: 1.1MB
MD5: f36d654482fd55002007c1d517bb0570
SHA1: 0073d502c20758eedcd974b885ef7ea68f24d6bc
SHA256: 50785ebfe8e8dd43d1b8efc56611371878a61d8d7866e962d92095b09d338f93
SHA512: 5f034b0d4e65df85acb008dd0cc5114294644408c2532a535b4f367e3d5b6d1ef7f8ba8afc3bc111164fba7e05a36da31c842673e708e679198140bf6cf45e0a
SSDEEP: 24576:ek2FZ8fcs/QYe8a0xafPXL4sbzraP1CdGxZ77AsgfZOR:oZ8ksne8a0xafPXvaPwYUsn
Score: 1/10

Target: magic.poisontoolz.com/Pphucxdmff.dat
Size: 1.2MB
MD5: 84028db89090f83807bc7771f1e916b4
SHA1: cf5d79d04273cddea52f2e7084635b8e725eb647
SHA256: 9efeb0b2467f02e905cc7920a64898c28999b5e9b5ecc52b44e8e7c03ced0d6b
SHA512: 3eadebe6a230102036fb385b4dd456cfd8c2aeb3d86f9a49191672e834f174a60d24e7a252e067276b54f134020f7e5852e3f43991192b062b14d9ac53d140bd
SSDEEP: 24576:lWkB5G0jj4I9m0gV8q3eANg5yJaf3po08ykpboEi1EdwF4xsOwjgfc:3vdL9m0a8q3esgUaf3pP0sER26w0k
Score: 3/10

Target: magic.poisontoolz.com/RIB.pdf
Size: 19KB
MD5: ac6f4727f46bff3bd3f71550ae96c15f
SHA1: 5966b42c1989bf6886c887a29480bd8a249476ee
SHA256: 580b5d3ab9575c944f5f15f42fe82a5024411a68f759ee7137e0403ac2b568e0
SHA512: 734a98dd5dad4674bd56b6138a94580be819c77ec3945901053b6c9f9a8bd34f4975f3a71b363ca257bfe0187cebe52bbb65fc262cb59f923396f5c2cebe737a
SSDEEP: 384:FuCqoWl70IVuJ9FoXIKCNTV88ffWNbkyWIDgEoeNeNiWz7:ICqoWp0IU924dY8ffWNbbWIwNPz7
Score: 1/10

Target: magic.poisontoolz.com/RagCrypt.exe
Size: 86KB
MD5: f3ed43acd7d035e8c6035c7d65ec60bf
SHA1: 679c01b051cbd42b740a05f0cd2807b16bae5aec
SHA256: 136f29247b40b1cd3e65d093fd0529d6115ade980092b6a950d461b5c046daef
SHA512: fc5b4dd5abc2e8e141b25ed4bd77509a0af1ce24b695e44b563ad93192f74c0dd147e4eb0e9da7052459b4dec975d6c99d842f77dc4e002a3631dc27a9ff4db5
SSDEEP: 1536:VfVyEwOvOBB/rtSp/r3fGTTNOXrbpCEviigx2hyke70WgY:uElIUfL3p5vC2hykg
Signatures:
- Detect ZGRat V1
- Suspicious use of SetThreadContext

Target: magic.poisontoolz.com/Spaufgty.wav
Size: 3.5MB
MD5: eaef1a862aba17aa2570a06d40f94f31
SHA1: 6301c10cd5d8132defa0b7904163d325554efa05
SHA256: 8dfae205acee3283d7560520816ee22f9c8b3979bb195a061eb9902c87f32ac4
SHA512: 895b7b90e011565b8dfb3f400a73cde213057d90aa6923836bc251679734857af9e419c4d6d80470e71ef5c668a8feb6a54156cbeef8e356e8ed9de999904282
SSDEEP: 98304:KGmcpvr4msoFNoUqnvTBgsml/VfyUUT9pM:R/pU6YclUT9pM
Score: 1/10

Target: magic.poisontoolz.com/Utsxokye.wav
Size: 5.4MB
MD5: 5644dbee55a0b7626dfb0797a1eed917
SHA1: 4056fa95eb21e2bde6211327881f5482e17f428d
SHA256: 33db9be8f0cd435f790f3296c46968da15d8b3a2fd9cebaf56717556760a0fa7
SHA512: d4bcc8a8a3895fc913e11ebaf574ed784bfaade75e64adb128470aee463fa067ecfa779912781209ecf8c9d4ea862bea58928869a0e9900957714ba432cc37ba
SSDEEP: 98304:htF7EZgolinuxNqL7rw3eGafffoD31VU1cKAqD2mcGa4eYvD8:jF7heinuS7vJffcjUyKhDI
Score: 6/10
Signatures:
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.

Target: magic.poisontoolz.com/Walter.exe
Size: 1.4MB
MD5: 00db76730c41df5c707cdbc485c243a0
SHA1: 564fbec2ac1e4b3c4375c677b21c978236f84832
SHA256: fee0b2009c3f04988ffee2ee8fe3874397b3458c41996a1c5658c719150c6a34
SHA512: af04c39a6fa56b50c21d89d9bacece75251e94cc76e401afda266029f906905b9193e5be5b914766e0e5873ecf2ab13da3129b4e6cb8692e3b14ca48ed59027d
SSDEEP: 24576:1v432itln1e4uYvh+ZlvO9kvL4mucXw9FeV8WAAWrormkyZiCO0Pqo6Dw2P15tjx:Ml1e4zJAc4Tg9FeiAWUqkXaR6Dd5tj7X
Signatures:
- Detect ZGRat V1
- Suspicious use of SetThreadContext

Target: magic.poisontoolz.com/Wjwxkhbvw.mp4
Size: 2.0MB
MD5: 542f475742f3c0a5b9cd5dae1b92fd1f
SHA1: c1ecc864c0540ec9a75422d2761c34c0bf6fec11
SHA256: 204a743c9d70c652ffbbd1562e7cc5223eb50c81c382b2ca2f0364324b7d81c0
SHA512: c5affce6e460d6222a35e4e480e115ad71426af061d9f8461a4f5829c9f573e24400cec31d6cbd87660e887858a83d2f54c4882ab8c0a9c219a0525c8b3452dd
SSDEEP: 49152:8q1fRjNoA7YIAAUSHypZWt1WVq5NSg/D5mUfaZ4TNeZxLCm:tjuieAJPCVqiw7aZ4e
Score: 6/10
Signatures:
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.

Target: magic.poisontoolz.com/Wlkubkwdmop.mp4
Size: 1.1MB
MD5: 262aeec0ec3e7a9c7e3b03af9028b046
SHA1: f8e489c89d4a375f489ffd963b083a6b6df78169
SHA256: 194fcade84169c0c2ad523047cba81de2c6ebbdb4ea00585846aae915c354cd6
SHA512: 1b84201277dbf212ca4d5dbf6ea70efbedc0f4a253bd4bf88e5192df7ddacd0e16fb7c85c3da8203177403ac28ed0315a0dfe89d7231399758beb9645b4b4169
SSDEEP: 24576:cWOOs+OgGKCh8jq+pLGb2dl4ByUwMqgqkADEn:eOjXGKPjqcLtl4B6pW
Score: 6/10
Signatures:
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.

Target: magic.poisontoolz.com/binded.hta
Size: 10KB
MD5: 5bd249833a7dd24a0bcc183bff7f84f4
SHA1: 79eefa12df99d15efcb006bc75c3ca8fd1eeef70
SHA256: 938763b3b3fd082f84a6ec2f7ed3d02a8b665a3e0d0a75e814652e290e56590e
SHA512: c7048a4933e257a706cfbb85c7f726eee8851015bf60fa427264fd3c16dcd7437e74c75b179b3160389bdf2ae4ee1e6b585840d99e13ee17e3a010e2e9c82574
SSDEEP: 192:n5x7G7b+B+lz+RXN36UOq6ghokeKkTkF8Yjp/f+Ex:nj7G7b+ow40qwmm86x
Signatures:
- Detect ZGRat V1
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: magic.poisontoolz.com/building.exe
Size: 56KB
MD5: 5a51a3f11d523aaad894e4e8381f169a
SHA1: 1f6800f862e2238e36b50c2b4b900d9e3cdaecd3
SHA256: cae11157e682ada9c356e2fb622357d687b41e1e3c3f4300a54a70be0165e4ce
SHA512: 655ad8134408970703bfdf65e82ebe8b3c8d2e0f90e6189962fe03755f1b365832d34673717803c4a5f5598170120dc776de83a7e291090b75b41e6b7b59eda0
SSDEEP: 1536:UrkoiEd1v3nxQ3DRI07olrgt+mtfTQZPpQh82:UZiEd1v3nKlI07MYTtf8ZPpQ+2
Signatures:
- Detect ZGRat V1
- Suspicious use of SetThreadContext

Target: magic.poisontoolz.com/down.PNG
Size: 36KB
MD5: b0570dc898e4caef1c31481767c93385
SHA1: ab772068e1e0a0aefa7334d382072f91db446e25
SHA256: d80033b02fcc41a625583f83c3a9e977dc11167be2c3c68638e7191fcd6cc7e5
SHA512: 2d454e48fad3e952d0afa7451db4f28c2f3ccc7c7637e18d9c2bbac0bdd3f6f980a1aee5f0e02d315bcd2cde4c35c598088d853d5147c11b4cd199006ad97d42
SSDEEP: 768:wLeQ33EpnRdrTlLmSPBaJ/GsSaHhyIY95d9udlQndfXKaFSHgaVTWz/4EVG/xei:WHoRF+SaoIYjdAbKZygDUEVqJ
Score: 3/10

Target: magic.poisontoolz.com/fox.hta
Size: 13KB
MD5: 2d4c16415e96b123166fb5791f589a74
SHA1: c7d04a986c3382cddb58b17f06dd372c66100e6c
SHA256: 87c90c1f78c42da7be295cbd0ae9523d975753f65e0e8e7ef5f63ee38da43454
SHA512: 7091e2fa62697a038e7ab8a80298df6922d54e8cd1a9f51d22c33e02d3fafbdaad312645eede17c6d7c5177bec4cae97a3c40aeb7b619d8dcc4b59f09d312012
SSDEEP: 384:9FQ1lDQfQnqQ1yySMyEFo08QkuVTHTAWX4HRXz6:/Q1lDQfQnqQ1yySMyEFo08QkuVTHTAWB
Signatures:
- Detect ZGRat V1
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: magic.poisontoolz.com/xw.exe
Size: 28KB
MD5: 07863605fe5206c0f5eaf8f119ba71fc
SHA1: 8747e0363ab081bdcdb212f64cf32db3b25e61fc
SHA256: 098b1c1b7ccb2be3f1f1d98e430d3c2f81ae56075a03b58ac6c24c77fc62d920
SHA512: 1b7fa923c1c7fb883cb3d5e2dc53a728c67df74abf5f9d9c8c2391f779faa94efeaa40e66062968d602eef813a1f639d19d0b7e6bf8028bafd11dd08a0d956f5
SSDEEP: 768:2AqFNDcBN3SBldDiHjQW/081aBV/Rqcbdqb:2AacBN3YW8y08grqcb4b
Score: 10/10
Signatures:
- Detect ZGRat V1
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext

Target: magic.poisontoolz.com/xw.hta
Size: 9KB
MD5: 7fd67141143ee183f9fddde7fc7e02de
SHA1: bb658b3ec2437bd8ec9600e726433139aae85e3d
SHA256: f29e50d354f1449c3cfc01c31f14268a29ef70051041bc14b6b71b94bce5b517
SHA512: baded976e98ea76b9813128dc1947abae8c915fdeeb6619dff2bc88efcb31e1ee291494faa2405caa283ba6268101622932b569be02e0172b4c4a69481375ae5
SSDEEP: 192:uIBkEA+PkPeI19n1dNDQ9nNNsV2OilDQ9nysHSUlDvdltdEVqQKdDp4Re1JQ/ffs:u20oc1C+nQrzk
Score: 10/10
Signatures:
- Detect ZGRat V1
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext

Target: magic.poisontoolz.com/yagacrypt.exe
Size: 56KB
MD5: 0abd42634db4f4fb3bbbcaa066413d68
SHA1: 074f62ae3b24d775f09e98e81e857e6f1be05f3b
SHA256: a2ac7be629121924985b42fdf34380efe12be78a3d8665b625a2eae80808cff4
SHA512: 578ef89e668c8e38e66353f485be2b90ebf8ec21bcf0f5de0ec65ee0710b55256876f28219e540beaf2dea41224c51355dc9a39930cfa3b231b3450264ac47d2
SSDEEP: 1536:rytceGvzLlLa2kSrZRPV1mcKAgSfTl3Blpgr1dv:rytceGv3lLa2LRPVBvfR3TpgBdv
Signatures:
- Detect ZGRat V1
- Executes dropped EXE
- Suspicious use of SetThreadContext