Analysis

  • max time kernel
    5s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-01-2024 20:19

General

  • Target

    magic.poisontoolz.com/RagCrypt.exe

  • Size

    86KB

  • MD5

    f3ed43acd7d035e8c6035c7d65ec60bf

  • SHA1

    679c01b051cbd42b740a05f0cd2807b16bae5aec

  • SHA256

    136f29247b40b1cd3e65d093fd0529d6115ade980092b6a950d461b5c046daef

  • SHA512

    fc5b4dd5abc2e8e141b25ed4bd77509a0af1ce24b695e44b563ad93192f74c0dd147e4eb0e9da7052459b4dec975d6c99d842f77dc4e002a3631dc27a9ff4db5

  • SSDEEP

    1536:VfVyEwOvOBB/rtSp/r3fGTTNOXrbpCEviigx2hyke70WgY:uElIUfL3p5vC2hykg

Score
10/10

Malware Config

Signatures

  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:352
    • C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe
      C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe
      2⤵
        PID:2524
      • C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe
        C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe
        2⤵
          PID:4212

      Network

      MITRE ATT&CK Matrix

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RagCrypt.exe.log

        Filesize

        1KB

        MD5

        c3941d9fa38f1717d5cecd7a2ca71667

        SHA1

        33b5362675383b58b4166ed9f9a61e5aa6768d2e

        SHA256

        f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256

        SHA512

        98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45

      • C:\Users\Admin\AppData\Local\Temp\Data\CreditCards.txt

        Filesize

        238B

        MD5

        0f5f7a38759e578c92bcf62c45d80b8a

        SHA1

        211e70ede55cce5bf67f685d85cbd030a8517d2b

        SHA256

        39059fc9bf3844dacbe329b623ca7a06f72656216dd4e52dc9b938b3d95289dc

        SHA512

        8130466f8ee346c0b931a34e63e2e9dc6f4070b85faaa58efdddd4d165fa605457d3137472c5fd09da87b0135a4beb660ee39cb390d78be6f0786950036b205d

      • C:\Users\Admin\AppData\Local\Temp\Data\Downloads.txt

        Filesize

        234B

        MD5

        ae0f7fab163139c661e576fe0af08651

        SHA1

        7545ab94360fd93f2209021b4cecabb92592be27

        SHA256

        832ff6318e2c78ac1907c74f3911f8815b545c16449cbce6753e21fb723cb657

        SHA512

        a3e342a3c72c079db96a8d6bb108830c3a772b926be0cf4e5d09ebb09e1babbc7602959bf1f82c8df8764f45479f318c3205114f23c96fd663efa792cff86b8b

      • memory/352-1-0x00000000751F0000-0x00000000759A0000-memory.dmp

        Filesize

        7.7MB

      • memory/352-0-0x00000000001A0000-0x00000000001BC000-memory.dmp

        Filesize

        112KB

      • memory/352-2-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

        Filesize

        64KB

      • memory/352-3-0x0000000005660000-0x0000000005796000-memory.dmp

        Filesize

        1.2MB

      • memory/352-11-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-19-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-25-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-33-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-39-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-49-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-57-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-65-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-67-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-63-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-61-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-59-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-55-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-53-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-51-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-47-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-45-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-43-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-41-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-37-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-35-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-31-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-29-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-27-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-23-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-21-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-17-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-15-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-13-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-9-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-7-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-5-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-4-0x0000000005660000-0x0000000005790000-memory.dmp

        Filesize

        1.2MB

      • memory/352-938-0x0000000005A70000-0x0000000005ABC000-memory.dmp

        Filesize

        304KB

      • memory/352-937-0x00000000059A0000-0x0000000005A6E000-memory.dmp

        Filesize

        824KB

      • memory/352-936-0x00000000057A0000-0x00000000057A1000-memory.dmp

        Filesize

        4KB

      • memory/352-939-0x0000000006250000-0x00000000067F4000-memory.dmp

        Filesize

        5.6MB

      • memory/352-943-0x00000000751F0000-0x00000000759A0000-memory.dmp

        Filesize

        7.7MB

      • memory/2524-945-0x0000000000400000-0x0000000000578000-memory.dmp

        Filesize

        1.5MB

      • memory/2524-944-0x00000000751F0000-0x00000000759A0000-memory.dmp

        Filesize

        7.7MB

      • memory/2524-948-0x0000000005620000-0x0000000005630000-memory.dmp

        Filesize

        64KB

      • memory/2524-947-0x0000000005460000-0x00000000054C6000-memory.dmp

        Filesize

        408KB

      • memory/2524-946-0x00000000053C0000-0x0000000005452000-memory.dmp

        Filesize

        584KB

      • memory/2524-949-0x0000000006300000-0x000000000630A000-memory.dmp

        Filesize

        40KB

      • memory/2524-950-0x00000000087C0000-0x0000000008810000-memory.dmp

        Filesize

        320KB

      • memory/2524-990-0x00000000751F0000-0x00000000759A0000-memory.dmp

        Filesize

        7.7MB