Overview

overview

10

Static

static

10

76fad3569c...46.exe

windows7-x64

10

76fad3569c...46.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    26-01-2024 09:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    76fad3569cffe8e8d91bf06b545ec346.exe

  • Size

    1.5MB

  • MD5

    76fad3569cffe8e8d91bf06b545ec346

  • SHA1

    1b5bf0f630c9c354d80caccf3e4a18342450197a

  • SHA256

    b5943edb5bc6de1fdcee0d555aafb3fcc2e6cdaaec8a5415caaada2328501e83

  • SHA512

    75ab8c69cb6a5b55656341cce8eaf654fd3a37b6b2e2ea48f1cafe4a8baf6efbca51c9bebc310564f60393cb56efa5f3a9176b1a6a1f6a1b0634e371b639424d

  • SSDEEP

    24576:Fo8k70TrcnXpatsCu7IfLKZnikPhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRRD:Fo8kQTA5Qw7CSikJo54clgLH+tkWJ0N7

Score
10/10
echelonzgratratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 35 IoCs
  • Detects Echelon Stealer payload 1 IoCs
  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    stealerspywareechelon
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\76fad3569cffe8e8d91bf06b545ec346.exe
    "C:\Users\Admin\AppData\Local\Temp\76fad3569cffe8e8d91bf06b545ec346.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\ProgramData\Decoder.exe
      "C:\ProgramData\Decoder.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2772
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\system32\timeout.exe
        timeout 4
        3⤵
        • Delays execution with timeout.exe
        PID:2592

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\ScallyMilano\ProcessList.txt
    Filesize

    199B

    MD5

    969676a2b1fcb6fc71cc226d820f3bcb

    SHA1

    79b2dcdb6c12dcc862b981c214f033ab2e5039b4

    SHA256

    2a7a63d09cfe29832780456975ca3b92356315c225297ee36a5fcffb63e98815

    SHA512

    a241110352831b54d9a5d893f4befd1c600b0b47025a0fc3e1e3663598793c189155913c850b1965f81415601b9eedbfb4b79c4515120c7836c3961593902fad

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\.cmd
    Filesize

    28B

    MD5

    217407484aac2673214337def8886072

    SHA1

    0f8c4c94064ce1f7538c43987feb5bb2d7fec0c6

    SHA256

    467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797

    SHA512

    8466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Decoder.exe
    Filesize

    490KB

    MD5

    c29c0d495ed13e703f433d53bdffdab8

    SHA1

    74ed36e6b6027b61abcfe2956670ffd9de7fd71a

    SHA256

    20309707aa6fc678963aace7685a37839d439c850b1ba399bdbfbbeddc10ed4b

    SHA512

    fea4c1066ee6df3ebb29a354678a3d0f1398cd216b92b261296fcff580b00e19cefe24d975beebcc41854cceef3df2702d569811358dae4203a924fb52cf5426

    Download Submit
  • memory/2204-0-0x0000000000B50000-0x0000000000CD4000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/2204-1-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2204-2-0x000000001A9B0000-0x000000001AA30000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2204-3-0x0000000000AA0000-0x0000000000B16000-memory.dmp
    Filesize

    472KB

    Download
  • memory/2204-15-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2772-44-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-52-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-19-0x00000000049C0000-0x0000000004A00000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2772-20-0x0000000002110000-0x00000000021AA000-memory.dmp
    Filesize

    616KB

    Download
  • memory/2772-21-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-22-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-24-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-26-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-28-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-30-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-32-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-34-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-36-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-38-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-40-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-42-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-17-0x0000000074BD0000-0x00000000752BE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2772-48-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-46-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-50-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-54-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-18-0x00000000049C0000-0x0000000004A00000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2772-56-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-58-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-60-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-62-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-64-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-68-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-66-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-70-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-72-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-74-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-76-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-78-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-80-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-82-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-84-0x0000000002110000-0x00000000021A4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2772-469-0x00000000049C0000-0x0000000004A00000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2772-16-0x0000000004880000-0x000000000491C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2772-521-0x0000000004FA0000-0x0000000005016000-memory.dmp
    Filesize

    472KB

    Download
  • memory/2772-535-0x0000000074BD0000-0x00000000752BE000-memory.dmp
    Filesize

    6.9MB

    Download