Overview

Score  Task / Sample          Platform
10     Static                 static
3      magic.pois...lk.dat    windows10-2004-x64
3      magic.pois...ed.exe    windows10-2004-x64
10     magic.pois...pt.exe    windows10-2004-x64
10     magic.pois...cs.hta    windows10-2004-x64
10     magic.pois...nt.pdf    windows10-2004-x64
1      magic.pois...zg.wav    windows10-2004-x64
6      magic.pois...pt.exe    windows10-2004-x64
10     magic.pois...pt.exe    windows10-2004-x64
10     magic.pois...es.hta    windows10-2004-x64
10     magic.pois...im.vdf    windows10-2004-x64
3      magic.pois...ck.wav    windows10-2004-x64
1      magic.pois...ff.dat    windows10-2004-x64
3      magic.pois...IB.pdf    windows10-2004-x64
1      magic.pois...pt.exe    windows10-2004-x64
10     magic.pois...ty.wav    windows10-2004-x64
1      magic.pois...ye.wav    windows10-2004-x64
6      magic.pois...er.exe    windows10-2004-x64
10     magic.pois...vw.mp4    windows10-2004-x64
6      magic.pois...op.mp4    windows10-2004-x64
6      magic.pois...ed.hta    windows10-2004-x64
10     magic.pois...ng.exe    windows10-2004-x64
10     magic.pois...wn.png    windows10-2004-x64
3      magic.pois...ox.hta    windows10-2004-x64
10     magic.pois...xw.exe    windows10-2004-x64
10     magic.pois...xw.hta    windows10-2004-x64
10     magic.pois...pt.exe    windows10-2004-x64
Analysis (score 10)
- max time kernel: 112s
- max time network: 131s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-01-2024 20:19
Static task: static1

Behavioral tasks (sample, resource):
- behavioral1: magic.poisontoolz.com/Avjteuhlk.dat (win10v2004-20231215-en)
- behavioral2: magic.poisontoolz.com/Binded.exe (win10v2004-20231215-en)
- behavioral3: magic.poisontoolz.com/Buildcrypt.exe (win10v2004-20231215-en)
- behavioral4: magic.poisontoolz.com/Docs.hta (win10v2004-20231215-en)
- behavioral5: magic.poisontoolz.com/Document.pdf (win10v2004-20231215-en)
- behavioral6: magic.poisontoolz.com/Evllmzg.wav (win10v2004-20231215-en)
- behavioral7: magic.poisontoolz.com/File1crypt.exe (win10v2004-20231215-en)
- behavioral8: magic.poisontoolz.com/File2crypt.exe (win10v2004-20231215-en)
- behavioral9: magic.poisontoolz.com/Files.hta (win10v2004-20231215-en)
- behavioral10: magic.poisontoolz.com/Jafxaspdhim.vdf (win10v2004-20231215-en)
- behavioral11: magic.poisontoolz.com/Otcck.wav (win10v2004-20231222-en)
- behavioral12: magic.poisontoolz.com/Pphucxdmff.dat (win10v2004-20231222-en)
- behavioral13: magic.poisontoolz.com/RIB.pdf (win10v2004-20231215-en)
- behavioral14: magic.poisontoolz.com/RagCrypt.exe (win10v2004-20231222-en)
- behavioral15: magic.poisontoolz.com/Spaufgty.wav (win10v2004-20231222-en)
- behavioral16: magic.poisontoolz.com/Utsxokye.wav (win10v2004-20231215-en)
- behavioral17: magic.poisontoolz.com/Walter.exe (win10v2004-20231215-en)
- behavioral18: magic.poisontoolz.com/Wjwxkhbvw.mp4 (win10v2004-20231215-en)
- behavioral19: magic.poisontoolz.com/Wlkubkwdmop.mp4 (win10v2004-20231215-en)
- behavioral20: magic.poisontoolz.com/binded.hta (win10v2004-20231215-en)
- behavioral21: magic.poisontoolz.com/building.exe (win10v2004-20231215-en)
- behavioral22: magic.poisontoolz.com/down.png (win10v2004-20231215-en)
- behavioral23: magic.poisontoolz.com/fox.hta (win10v2004-20231215-en)
- behavioral24: magic.poisontoolz.com/xw.exe (win10v2004-20231215-en)
- behavioral25: magic.poisontoolz.com/xw.hta (win10v2004-20231215-en)
General
- Target: magic.poisontoolz.com/File1crypt.exe
- Size: 1.2MB
- MD5: 8ce0ed6f181212eb2e8664a6c4fb1f6d
- SHA1: 866f3fd24d69d21112b36a51c6b96d602a401ec6
- SHA256: eb316069675e5d7276bcc51542f194145da4c99f0417fd5ccb67f7fedfcc418d
- SHA512: 1bc88d1fd1b734b3e39f92629aaf560cba4dccff73dcde7355750c14d74cd119681aba05ddefb108d0edcf2d17fccff8698bd951818fe4e141b7d96b75ed7f59
- SSDEEP: 24576:55+4xYOwn6t6hLE3E9Vnw9mJ97mPgV20mg/7YbBe7nomSn1aC1Bvb9vcBrmYfjRx:tYOgl9E3uVZJ977/7YbI7nbmr9b1ZYr
Malware Config
Signatures
- Detect ZGRat V1 (34 IoCs)
  Processes (resource, yara_rule):
  behavioral7/memory/2192-4-0x0000000005A90000-0x0000000005BC6000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-6-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-10-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-14-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-18-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-28-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-38-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-48-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-50-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-52-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-56-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-58-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-54-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-64-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-68-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-66-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-62-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-60-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-46-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-44-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-42-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-40-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-36-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-34-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-32-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-30-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-26-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-24-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-22-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-20-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-16-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-12-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-8-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1
  behavioral7/memory/2192-5-0x0000000005A90000-0x0000000005BC1000-memory.dmp family_zgrat_v1

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
  14 ip-api.com

- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
  PID 2192 set thread context of 4360 | 2192 | File1crypt.exe | File1crypt.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege | 2192 | File1crypt.exe
  Token: SeDebugPrivilege | 4360 | File1crypt.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  PID 2192 wrote to memory of 4360 | 2192 | File1crypt.exe | File1crypt.exe
  PID 2192 wrote to memory of 4360 | 2192 | File1crypt.exe | File1crypt.exe
  PID 2192 wrote to memory of 4360 | 2192 | File1crypt.exe | File1crypt.exe
  PID 2192 wrote to memory of 4360 | 2192 | File1crypt.exe | File1crypt.exe
  PID 2192 wrote to memory of 4360 | 2192 | File1crypt.exe | File1crypt.exe
  PID 2192 wrote to memory of 4360 | 2192 | File1crypt.exe | File1crypt.exe
  PID 2192 wrote to memory of 4360 | 2192 | File1crypt.exe | File1crypt.exe
  PID 2192 wrote to memory of 4360 | 2192 | File1crypt.exe | File1crypt.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe"
  PID: 2192
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe (child of 2192)
    Command line: C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe
    PID: 4360
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 927B
- MD5: 4a911455784f74e368a4c2c7876d76f4
- SHA1: a1700a0849ffb4f26671eb76da2489946b821c34
- SHA256: 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c
- SHA512: 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d