Overview

Score  Sample (names truncated by the page)  Platform
10     Static                                static
3      magic.pois...lk.dat                   windows10-2004-x64
3      magic.pois...ed.exe                   windows10-2004-x64
10     magic.pois...pt.exe                   windows10-2004-x64
10     magic.pois...cs.hta                   windows10-2004-x64
10     magic.pois...nt.pdf                   windows10-2004-x64
1      magic.pois...zg.wav                   windows10-2004-x64
6      magic.pois...pt.exe                   windows10-2004-x64
10     magic.pois...pt.exe                   windows10-2004-x64
10     magic.pois...es.hta                   windows10-2004-x64
10     magic.pois...im.vdf                   windows10-2004-x64
3      magic.pois...ck.wav                   windows10-2004-x64
1      magic.pois...ff.dat                   windows10-2004-x64
3      magic.pois...IB.pdf                   windows10-2004-x64
1      magic.pois...pt.exe                   windows10-2004-x64
10     magic.pois...ty.wav                   windows10-2004-x64
1      magic.pois...ye.wav                   windows10-2004-x64
6      magic.pois...er.exe                   windows10-2004-x64
10     magic.pois...vw.mp4                   windows10-2004-x64
6      magic.pois...op.mp4                   windows10-2004-x64
6      magic.pois...ed.hta                   windows10-2004-x64
10     magic.pois...ng.exe                   windows10-2004-x64
10     magic.pois...wn.png                   windows10-2004-x64
3      magic.pois...ox.hta                   windows10-2004-x64
10     magic.pois...xw.exe                   windows10-2004-x64
10     magic.pois...xw.hta                   windows10-2004-x64
10     magic.pois...pt.exe                   windows10-2004-x64
Analysis (score 10)

max time kernel:   14s
max time network:  153s
platform:          windows10-2004_x64
resource:          win10v2004-20231215-en
resource tags:     arch:x64  arch:x86  image:win10v2004-20231215-en  locale:en-us  os:windows10-2004-x64  system
submitted:         19-01-2024 20:19
Tasks

Task           Sample                                     Resource
static1        Static task                                -
behavioral1    magic.poisontoolz.com/Avjteuhlk.dat        win10v2004-20231215-en
behavioral2    magic.poisontoolz.com/Binded.exe           win10v2004-20231215-en
behavioral3    magic.poisontoolz.com/Buildcrypt.exe       win10v2004-20231215-en
behavioral4    magic.poisontoolz.com/Docs.hta             win10v2004-20231215-en
behavioral5    magic.poisontoolz.com/Document.pdf         win10v2004-20231215-en
behavioral6    magic.poisontoolz.com/Evllmzg.wav          win10v2004-20231215-en
behavioral7    magic.poisontoolz.com/File1crypt.exe       win10v2004-20231215-en
behavioral8    magic.poisontoolz.com/File2crypt.exe       win10v2004-20231215-en
behavioral9    magic.poisontoolz.com/Files.hta            win10v2004-20231215-en
behavioral10   magic.poisontoolz.com/Jafxaspdhim.vdf      win10v2004-20231215-en
behavioral11   magic.poisontoolz.com/Otcck.wav            win10v2004-20231222-en
behavioral12   magic.poisontoolz.com/Pphucxdmff.dat       win10v2004-20231222-en
behavioral13   magic.poisontoolz.com/RIB.pdf              win10v2004-20231215-en
behavioral14   magic.poisontoolz.com/RagCrypt.exe         win10v2004-20231222-en
behavioral15   magic.poisontoolz.com/Spaufgty.wav         win10v2004-20231222-en
behavioral16   magic.poisontoolz.com/Utsxokye.wav         win10v2004-20231215-en
behavioral17   magic.poisontoolz.com/Walter.exe           win10v2004-20231215-en
behavioral18   magic.poisontoolz.com/Wjwxkhbvw.mp4        win10v2004-20231215-en
behavioral19   magic.poisontoolz.com/Wlkubkwdmop.mp4      win10v2004-20231215-en
behavioral20   magic.poisontoolz.com/binded.hta           win10v2004-20231215-en
behavioral21   magic.poisontoolz.com/building.exe         win10v2004-20231215-en
behavioral22   magic.poisontoolz.com/down.png             win10v2004-20231215-en
behavioral23   magic.poisontoolz.com/fox.hta              win10v2004-20231215-en
behavioral24   magic.poisontoolz.com/xw.exe               win10v2004-20231215-en
behavioral25   magic.poisontoolz.com/xw.hta               win10v2004-20231215-en

The report below covers behavioral8 (File2crypt.exe).
General

Target:  magic.poisontoolz.com/File2crypt.exe
Size:    2.1MB
MD5:     59c9ab244182896361828d4e30d7fe31
SHA1:    1cffba028bb2a0f8a6af81610e6fabe31d0fb20b
SHA256:  7adb172b0b1772607653b7c685d98281f9dd63dc5a3c8554c886d9b5433b2a7a
SHA512:  f92ca8fa70b61c37352b339eb79041a6c6e1c7d04eb985acf18e284d5aa20e66cfee701d8763aa60269248e0daf812bc1cd30669695bf434668be489f944c9d6
SSDEEP:  49152:mUnQGWMOd1UCKPOwE7q+WF/S3gDPhSPAXeEPoeL0qYhxD/x:XaXUHGy+Wk3gDhSP5eLG/x
Malware Config

Extracted (family: stealerium)
Exfiltration endpoint (Discord webhook):
https://discordapp.com/api/webhooks/1197850806213431377/-zU9uA2NeaYEk4-ozdhgmNljI6NS_w_qcT_cbtxYxZdkUD3JeaKChZp4GXdod-MX3D1Q
The second path segment is the webhook token, so this URL is a credential as well as an indicator: anyone holding it can post to the webhook or delete it. Share the webhook ID (1197850806213431377) in tickets and feeds, not the full URL.
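Added example (not from the report, the sample, or Stealerium): extract Discord webhook endpoints from an extracted config, split the ID from the token, and date the webhook from its snowflake ID (the upper 42 bits of a Discord snowflake are milliseconds since 2015-01-01 UTC). The webhook URL is the one this report extracted; the regex, the epoch constant and the redaction format are mine.

```python
"""Pull Discord webhook endpoints out of an extracted stealer config and date them.

Added example, not part of the sandbox report or of Stealerium. The webhook URL
in SAMPLE_CONFIG is the one the report extracted; everything else is constructed.
"""
import re
from datetime import datetime, timezone

# Discord snowflake epoch: 2015-01-01T00:00:00Z, in milliseconds.
DISCORD_EPOCH_MS = 1_420_070_400_000

# Webhook URLs appear on discord.com, discordapp.com and the canary/ptb hosts,
# optionally with an API version segment. The ID is a snowflake; the token is the
# secret that authorises posting to (and deleting) the webhook.
WEBHOOK_RE = re.compile(
    r"https?://(?:(?:canary|ptb)\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/"
    r"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{60,})"
)


def snowflake_created(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake: bits 22..63 are ms since the Discord epoch."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    created = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return created.replace(microsecond=(ms % 1000) * 1000)


def redact(match: re.Match) -> str:
    """Shareable form of the URL: keep host and webhook ID, drop the token."""
    token = match.group("token")
    return match.group(0)[: -len(token)] + f"<token redacted, {len(token)} chars>"


def extract_webhooks(text: str) -> list[dict]:
    """Every webhook URL in text, with its ID, creation time and a redacted form."""
    hits = []
    for m in WEBHOOK_RE.finditer(text):
        wid = int(m.group("id"))
        hits.append({
            "webhook_id": wid,
            "created_utc": snowflake_created(wid).isoformat(),
            "redacted": redact(m),
            "url": m.group(0),  # keep for takedown only; never paste into tickets or chat
        })
    return hits


# The report's extracted config (page IOC) wrapped in constructed surrounding text.
SAMPLE_CONFIG = (
    "stealerium\n"
    "https://discordapp.com/api/webhooks/1197850806213431377/"
    "-zU9uA2NeaYEk4-ozdhgmNljI6NS_w_qcT_cbtxYxZdkUD3JeaKChZp4GXdod-MX3D1Q\n"
)

if __name__ == "__main__":
    for h in extract_webhooks(SAMPLE_CONFIG):
        print(h["redacted"], "created", h["created_utc"])
```

The decoded creation time for this webhook (2024-01-19 10:31 UTC) falls on the same day the sample was submitted, which is typical for a freshly built stealer. Discord honours an unauthenticated DELETE on the full webhook URL (the "delete webhook with token" API call), so a responder holding the URL can burn the exfiltration channel; capture the evidence you need first, because doing so also tells the operator the sample is known.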
Signatures

Detect ZGRat V1  (34 IoCs)
  All 34 hits are the YARA rule family_zgrat_v1 firing on memory dumps of PID 3856 (the first File2crypt.exe), every one on the same region:
    behavioral8/memory/3856-<dump>-0x0000000005160000-0x0000000005364000-memory.dmp  family_zgrat_v1
  Dump numbers: 4 (this first snapshot extends to 0x000000000536A000), 5, and every even number from 6 to 68.
  The region is 0x204000 bytes (about 2 MiB), roughly the size of the 2.1MB sample. Read the count as one in-memory artefact seen across repeated snapshots, not 34 distinct indicators.

Stealerium
  An open source info stealer written in C#, first seen in May 2022.
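Added example (not from the report or any sandbox vendor): a parser for the IoC line format used above that collapses per-dump hits into distinct (PID, region) entries, so the "34 IoCs" headline can be checked against what the dumps actually contain. The five input lines are copied from the list above (an excerpt, not all 34); the field names are mine.

```python
"""Collapse Triage-style memory-dump IoC entries into distinct (PID, region) hits.

Added example, not part of the sandbox report. Input lines are an excerpt of the
'Detect ZGRat V1' IoC list; the record layout and grouping are constructed here.
"""
import re
from collections import defaultdict

# <task>/memory/<pid>-<dump>-0x<start>-0x<end>-memory.dmp <yara rule>
IOC_RE = re.compile(
    r"(?P<task>behavioral\d+)/memory/(?P<pid>\d+)-(?P<dump>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)"
)


def parse_iocs(text):
    """One record per IoC line: task, pid, dump index, region bounds, matching YARA rule."""
    return [
        {"task": m["task"], "pid": int(m["pid"]), "dump": int(m["dump"]),
         "start": int(m["start"], 16), "end": int(m["end"], 16), "rule": m["rule"]}
        for m in IOC_RE.finditer(text)
    ]


def summarize(hits):
    """Group by (task, pid, rule, start, end); report region size and which dumps hit it."""
    groups = defaultdict(list)
    for h in hits:
        groups[(h["task"], h["pid"], h["rule"], h["start"], h["end"])].append(h["dump"])
    regions = []
    for (task, pid, rule, start, end), dumps in groups.items():
        regions.append({"task": task, "pid": pid, "rule": rule,
                        "start": f"0x{start:x}", "end": f"0x{end:x}",
                        "size": end - start, "dumps": sorted(dumps)})
    return sorted(regions, key=lambda r: (r["pid"], r["start"], r["end"]))


# Excerpt of the report's IoC list (five of the 34 lines, copied verbatim).
SAMPLE_IOCS = """\
behavioral8/memory/3856-4-0x0000000005160000-0x000000000536A000-memory.dmp family_zgrat_v1
behavioral8/memory/3856-5-0x0000000005160000-0x0000000005364000-memory.dmp family_zgrat_v1
behavioral8/memory/3856-10-0x0000000005160000-0x0000000005364000-memory.dmp family_zgrat_v1
behavioral8/memory/3856-68-0x0000000005160000-0x0000000005364000-memory.dmp family_zgrat_v1
behavioral8/memory/3856-6-0x0000000005160000-0x0000000005364000-memory.dmp family_zgrat_v1
"""

if __name__ == "__main__":
    for r in summarize(parse_iocs(SAMPLE_IOCS)):
        print(f"pid {r['pid']} {r['start']}-{r['end']} ({r['size']} bytes) "
              f"rule {r['rule']} dumps {r['dumps']}")
```

On the excerpt this yields two regions for one PID: the first snapshot (dump 4) is 0x20A000 bytes, all later ones 0x204000 bytes, which is what you expect when the same unpacked image is re-scanned after a small allocation change rather than when new payloads appear.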
Reads user/profile data of web browsers  (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
Accesses Microsoft Outlook profiles  (1 TTP, 3 IoCs)
  Registry keys opened by File2crypt.exe. 9375CFF0413111d3B88A00104B2A6676 is the GUID under which Outlook stores account profiles, including saved mail server credentials, which is why stealers probe it under both the Office 15.0/16.0 hives and the legacy Windows Messaging Subsystem path:
    \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Looks up external IP address via web service  (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
    flow 25: icanhazip.com
Suspicious use of SetThreadContext  (1 IoC)
  PID 3856 (File2crypt.exe) set the thread context of PID 2148 (File2crypt.exe). Taken with the eight WriteProcessMemory calls from 3856 into 2148 below, this is consistent with process hollowing: the launcher starts a suspended copy of its own image, overwrites it and redirects its thread. Every stealer behaviour in this report is attributed to 2148, the hollowed copy.
Checks processor information in registry  (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
    Key opened:        \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0                (File2crypt.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier     (File2crypt.exe)
Suspicious behavior: EnumeratesProcesses  (7 IoCs)
  PID 2148 File2crypt.exe, seven times.
Suspicious use of AdjustPrivilegeToken  (3 IoCs)
  Token: SeDebugPrivilege     PID 3856  File2crypt.exe
  Token: SeDebugPrivilege     PID 2148  File2crypt.exe
  Token: SeSecurityPrivilege  PID 4944  msiexec.exe
Suspicious use of WriteProcessMemory  (20 IoCs)
  PID 3856 File2crypt.exe  wrote to  PID 2148 File2crypt.exe   (8 writes)
  PID 2148 File2crypt.exe  wrote to  PID 468  cmd.exe          (3 writes)
  PID 468  cmd.exe         wrote to  PID 4684 chcp.com         (3 writes)
  PID 468  cmd.exe         wrote to  PID 1596 netsh.exe        (3 writes)
  PID 468  cmd.exe         wrote to  PID 448  findstr.exe      (3 writes)
  A parent writing a few times into a child it has just created is routine process setup and is what the three-write groups are. The eight writes from 3856 into a same-image child that it then hands a new thread context are the injection.
outlook_office_path  (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (File2crypt.exe)

outlook_win_path  (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  (File2crypt.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe  PID 3856
    command line: "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe  PID 2148
        (child of the same image; the target of 3856's WriteProcessMemory and SetThreadContext, and the process that carries all stealer behaviour)
        command line: C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe
        - Accesses Microsoft Outlook profiles
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - outlook_office_path
        - outlook_win_path

        C:\Windows\SysWOW64\cmd.exe  PID 468
            command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
            - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  PID 5056
            command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

The following are listed by the page at top level without a parent. The WriteProcessMemory IoCs above place 4684, 1596 and 448 under cmd.exe 468; netsh 3332 and chcp 4564 are the components of the cmd.exe 5056 command line. chcp 65001 switches the console to UTF-8 so the captured netsh output parses reliably; the SysWOW64 paths show the chain runs as 32-bit processes.

C:\Windows\SysWOW64\chcp.com  PID 4684
    command line: chcp 65001
C:\Windows\SysWOW64\netsh.exe  PID 1596
    command line: netsh wlan show profile
C:\Windows\system32\msiexec.exe  PID 4944
    command line: C:\Windows\system32\msiexec.exe /V
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\findstr.exe  PID 448
    command line: findstr All
C:\Windows\SysWOW64\netsh.exe  PID 3332
    command line: netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com  PID 4564
    command line: chcp 65001
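Added example (not from the report, the sandbox vendor or the sample): detection logic for the three behaviours this tree exhibits, run over constructed Sysmon-style events. The PIDs, images and command lines of 3856, 2148, 468, 1596, 5056 and 3332 and the Outlook registry key are taken from the report; the parent PID of 3856 (an explorer.exe at PID 1234), the parent of netsh 3332 (assumed to be cmd.exe 5056), the event schema, and the benign control events (an admin running netsh from an interactive shell, and OUTLOOK.EXE reading its own profile key) are constructed.

```python
"""Detection logic for the behaviour chain in this report, run over constructed events.

Added example; not from the sandbox, the sample or any vendor. Events mimic
Sysmon-style process-creation and registry-access records. PIDs and command lines
of the malicious chain come from the report; the rest is constructed.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule pid detail")

# Outlook keeps account profiles (and saved mail credentials) under this GUID; the
# Office 15.0/16.0 keys and the Windows Messaging Subsystem key both end with it.
OUTLOOK_PROFILE_KEY = r"\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676".lower()
MAIL_CLIENTS = {"outlook.exe"}  # processes expected to read that key
WLAN_DUMP_RE = re.compile(r"\bwlan\s+show\s+(?:profile|networks)\b", re.IGNORECASE)
STAGING_RE = re.compile(r"\\AppData\\(?:Local|Roaming)\\", re.IGNORECASE)  # user-writable drop dirs


def pc(pid, ppid, image, cmdline):
    return {"event": "process_create", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


def ra(pid, image, key):
    return {"event": "registry_access", "pid": pid, "image": image, "key": key}


def ancestors(pid, procs):
    """Walk ppid links upward from pid; stops at unknown PIDs or cycles."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    procs = {e["pid"]: e for e in events if e["event"] == "process_create"}
    findings = []
    for e in events:
        if e["event"] == "process_create":
            img = e["image"].lower()
            parent = procs.get(e["ppid"])
            # Rule 1: same-image child spawned from a staging directory, the setup step
            # of the hollowing seen as 3856 -> 2148 in the report.
            if parent and parent["image"].lower() == img and STAGING_RE.search(img):
                findings.append(Finding("self_spawn_from_staging_dir", e["pid"], img))
            # Rule 2: Wi-Fi profile/network dump whose ancestry includes a staging-dir binary.
            # The same netsh command typed in an explorer-spawned shell does not match.
            if img.endswith("\\netsh.exe") and WLAN_DUMP_RE.search(e["cmdline"]):
                if any(STAGING_RE.search(a["image"]) for a in ancestors(e["ppid"], procs)):
                    findings.append(Finding("wlan_profile_dump", e["pid"], e["cmdline"]))
        elif e["event"] == "registry_access":
            # Rule 3: Outlook profile key opened by something that is not a mail client.
            proc_name = e["image"].lower().rsplit("\\", 1)[-1]
            if e["key"].lower().endswith(OUTLOOK_PROFILE_KEY) and proc_name not in MAIL_CLIENTS:
                findings.append(Finding("outlook_profile_probe", e["pid"], e["key"]))
    return findings


TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe"
CMD32, NETSH32 = r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\netsh.exe"
OUTLOOK_KEY = (r"\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000"
               r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676")

SAMPLE_EVENTS = [
    # From the report's process tree (parent PID 1234 for 3856 is constructed).
    pc(3856, 1234, TEMP_EXE, f'"{TEMP_EXE}"'),
    pc(2148, 3856, TEMP_EXE, TEMP_EXE),
    pc(468, 2148, CMD32, '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    pc(1596, 468, NETSH32, "netsh wlan show profile"),
    pc(5056, 2148, CMD32, '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    pc(3332, 5056, NETSH32, "netsh wlan show networks mode=bssid"),  # parent assumed
    ra(2148, TEMP_EXE, OUTLOOK_KEY),
    # Constructed benign controls: interactive admin shell, and Outlook itself.
    pc(1234, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    pc(7000, 1234, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    pc(7001, 7000, r"C:\Windows\System32\netsh.exe", "netsh wlan show profile"),
    ra(7100, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", OUTLOOK_KEY),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:28} pid {f.pid:<5} {f.detail}")
```

Rule 2 keys on ancestry rather than on the command line alone because `netsh wlan show profile` is a legitimate administrative command; what makes it suspicious here is a binary under a user-writable directory two levels up. Rule 3 uses an allow-list of expected readers, which is the only way to make the Outlook profile GUID a usable signal on hosts where Outlook itself touches that key constantly.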
Network
MITRE ATT&CK Enterprise v15
Downloads (files written during the run)

All named files sit under the stealer's collection directory
C:\Users\Admin\AppData\Local\e2fc4e3155b3fb3d7ad22e986531550f\Admin@GAWKBMOT_en-US\
with Browsers\, Directories\ and System\ subfolders, i.e. the per-module output gathered before exfiltration. Four entries have no path on the page.

- (path not shown on the page)
  Filesize  927B
  MD5       4a911455784f74e368a4c2c7876d76f4
  SHA1      a1700a0849ffb4f26671eb76da2489946b821c34
  SHA256    264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c
  SHA512    4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

- C:\Users\Admin\AppData\Local\e2fc4e3155b3fb3d7ad22e986531550f\Admin@GAWKBMOT_en-US\Browsers\Firefox\Bookmarks.txt
  Filesize  not shown on the page; the digests below are those of empty input, so the file is 0 bytes (nothing was collected)
  MD5       d41d8cd98f00b204e9800998ecf8427e
  SHA1      da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

- C:\Users\Admin\AppData\Local\e2fc4e3155b3fb3d7ad22e986531550f\Admin@GAWKBMOT_en-US\Directories\OneDrive.txt
  Filesize  25B
  MD5       966247eb3ee749e21597d73c4176bd52
  SHA1      1e9e63c2872cef8f015d4b888eb9f81b00a35c79
  SHA256    8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
  SHA512    bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

- C:\Users\Admin\AppData\Local\e2fc4e3155b3fb3d7ad22e986531550f\Admin@GAWKBMOT_en-US\Directories\Startup.txt
  Filesize  24B
  MD5       68c93da4981d591704cea7b71cebfb97
  SHA1      fd0f8d97463cd33892cc828b4ad04e03fc014fa6
  SHA256    889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
  SHA512    63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

- (path not shown on the page)
  Filesize  1KB
  MD5       8e3475a0678a63edc092dda39fc9bb2d
  SHA1      589ce3f8ba1797024f6c0ab06b248c67cf739cac
  SHA256    d2ab564b653221a1ee2f60b56437698ea39533e8aaff5773eb4506c3be227099
  SHA512    fe263f2624d887400570d3ccaf1c6e79b239f62a1ca20e3bca6c928056be7c84b405ad80dc4bd91b073272a76852ddc8032d586142e272db2beafafd1a0ad96f

- (path not shown on the page)
  Filesize  1KB
  MD5       6038c6816d6cd11f7c460c00b2238fc6
  SHA1      d4e182455aa02a3363a6ebb5cb0ea987b2507b69
  SHA256    856b43e957bd20204f0f34b645706175d6eeb18120e135eccae5d39d99780ca0
  SHA512    b00b0ce6fb86f2298c18c6ce748f71882aefe6d995b61e82494edb4647849596537b7e40c8dd7e64d5eae24d2496063d6aa9a24d9ce5a354ca94a85bb6ee4278

- C:\Users\Admin\AppData\Local\e2fc4e3155b3fb3d7ad22e986531550f\Admin@GAWKBMOT_en-US\System\Process.txt
  Filesize  4KB
  MD5       cd3f1b337705d2b32c17dc4adc97a2b4
  SHA1      45e048692510d63446ee2a5ecabe106b89306bd4
  SHA256    d8d763b2649f655efa9b5cf7eb82b56be32bfafbc098577736de35e875d87a48
  SHA512    2bd512434dd7066dab77565136dcbe73d869191ef4f09bc458529af3d0b4c88c5898fcdbd644dad80259e12cbefffe36d26a3fe2c252b47117c1a29a7cc9200f

- C:\Users\Admin\AppData\Local\e2fc4e3155b3fb3d7ad22e986531550f\Admin@GAWKBMOT_en-US\System\ProductKey.txt
  Filesize  29B
  MD5       71eb5479298c7afc6d126fa04d2a9bde
  SHA1      a9b3d5505cf9f84bb6c2be2acece53cb40075113
  SHA256    f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
  SHA512    7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

- (path not shown on the page)
  Filesize  19B
  MD5       2c293d26d4955cc89b70566a8fd0b371
  SHA1      20849f72e81215208fc91c52ba2caf57993466bb
  SHA256    499481147f342836968aa4af73d5280686a48c91eb9837eda1a1cfcf07f59121
  SHA512    2b82cfed0ce3d49376eacdede47010965d529cc45d8c26d9d0bc96df56005f65eef608c177d21fd073284cb3985fbf238bd7ef66638b968977e6a7d01148810a