Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-01-2024 03:55

General

  • Target

    31118351b8b0db68e9c1bc3ad1da8e7c.exe

  • Size

    2.5MB

  • MD5

    31118351b8b0db68e9c1bc3ad1da8e7c

  • SHA1

    adb461d4d199ea7367b65b185f47a10401e2ba97

  • SHA256

    1d72f409f9089ba57b151f5836df00ba70480f1530c67b1a2c81fc9b50b7cbe2

  • SHA512

    a9a3575d49a76da29df558023ea3d79e5fa9216c6ec58dc802b98ec12dfcaea71ae74b863626860f81aebd4ed1f5b7f76f90bdd84dc5a7e1741eb2bf52b73aa1

  • SSDEEP

    49152:ywoUZ8Cps0BJDmN8wjp+ps8M+1tgVO8jrHWvrYz93513:E0LSNFUps8M+MVvr2zMn

Malware Config

Extracted

Family

stealerium

C2

https://discordapp.com/api/webhooks/1197850806213431377/-zU9uA2NeaYEk4-ozdhgmNljI6NS_w_qcT_cbtxYxZdkUD3JeaKChZp4GXdod-MX3D1Q

Signatures

  • Detect ZGRat V1 34 IoCs
  • Stealerium

    An open-source information stealer written in C#, first seen in May 2022.

  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
    "C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
      C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
      2⤵
      • Accesses Microsoft Outlook profiles
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:2900
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5060
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2888
  • C:\Windows\SysWOW64\findstr.exe
    findstr All
    1⤵
    PID:1316
  • C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile
    1⤵
    PID:2444
  • C:\Windows\SysWOW64\chcp.com
    chcp 65001
    1⤵
    PID:2208
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1592
  • C:\Windows\SysWOW64\netsh.exe
    netsh wlan show networks mode=bssid
    1⤵
    PID:2812
  • C:\Windows\SysWOW64\chcp.com
    chcp 65001
    1⤵
    PID:4308

Network

MITRE ATT&CK Enterprise v15

Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\31118351b8b0db68e9c1bc3ad1da8e7c.exe.log

              Filesize

              927B

              MD5

              4a911455784f74e368a4c2c7876d76f4

              SHA1

              a1700a0849ffb4f26671eb76da2489946b821c34

              SHA256

              264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c

              SHA512

              4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

            • C:\Users\Admin\AppData\Local\bac4ad4dbbfab9c06d79ac59f382bdb0\Admin@AVCIKYMG_en-US\Browsers\Firefox\Bookmarks.txt

              Filesize

              105B

              MD5

              2e9d094dda5cdc3ce6519f75943a4ff4

              SHA1

              5d989b4ac8b699781681fe75ed9ef98191a5096c

              SHA256

              c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

              SHA512

              d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

            • C:\Users\Admin\AppData\Local\bac4ad4dbbfab9c06d79ac59f382bdb0\Admin@AVCIKYMG_en-US\Directories\OneDrive.txt

              Filesize

              25B

              MD5

              966247eb3ee749e21597d73c4176bd52

              SHA1

              1e9e63c2872cef8f015d4b888eb9f81b00a35c79

              SHA256

              8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

              SHA512

              bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

            • C:\Users\Admin\AppData\Local\bac4ad4dbbfab9c06d79ac59f382bdb0\Admin@AVCIKYMG_en-US\Directories\Startup.txt

              Filesize

              24B

              MD5

              68c93da4981d591704cea7b71cebfb97

              SHA1

              fd0f8d97463cd33892cc828b4ad04e03fc014fa6

              SHA256

              889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

              SHA512

              63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

            • C:\Users\Admin\AppData\Local\bac4ad4dbbfab9c06d79ac59f382bdb0\Admin@AVCIKYMG_en-US\Directories\Videos.txt

              Filesize

              23B

              MD5

              1fddbf1169b6c75898b86e7e24bc7c1f

              SHA1

              d2091060cb5191ff70eb99c0088c182e80c20f8c

              SHA256

              a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

              SHA512

              20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

            • C:\Users\Admin\AppData\Local\bac4ad4dbbfab9c06d79ac59f382bdb0\Admin@AVCIKYMG_en-US\System\Apps.txt

              Filesize

              5KB

              MD5

              fc1ec0cabb320b59693fa9a94fbbb93b

              SHA1

              9ce87f376d9c0d241a100651135143e57bd023e1

              SHA256

              b2a09980fccbdaa79f42dde31228d126f41fe2b0b32545e0fafae0ba1c5ba06d

              SHA512

              b6de2cc74128e8c524babbc4e27972d0a567016173fb88fa3da4ebbf1e11555e76c1d5a2e1cccaed9024e5b88ce05cb22b33a21f13f53dfd6bee525c2e51f14d

            • C:\Users\Admin\AppData\Local\bac4ad4dbbfab9c06d79ac59f382bdb0\Admin@AVCIKYMG_en-US\System\Debug.txt

              Filesize

              1KB

              MD5

              5d9d558d32e85594270bd75e186cad1d

              SHA1

              c973d2d8acdfefddc3923307da263956cc17704a

              SHA256

              a9b91eb4ce0b80379e6f24850efd92f81288c7b0ed48ea6141288f50586dfaa5

              SHA512

              97d14a1f08f3994201d90f1218ac8ca3703857b6c39eca70e56bd9a8a0373318a85fd356842042b06fc75ca707e6dc417910843be02e22c470501b787ea61af3

            • C:\Users\Admin\AppData\Local\bac4ad4dbbfab9c06d79ac59f382bdb0\Admin@AVCIKYMG_en-US\System\Process.txt

              Filesize

              4KB

              MD5

              3c041b2c43ea3fa8828531752d9d49c8

              SHA1

              c5b043a18d7d6241a3723f695dcee9c3592e61b7

              SHA256

              a2b076c8d6a90494575fd72634950a8a935508da60c94af948ca122f6c3ce423

              SHA512

              0ae3d3bbd3d1f6c1f27d9c71aadcbcb81566911c7ca693b642ef7f0dfbdf056831a3c49edd7421011a617a42786114bdd86e562851cc5d7de4198255e1cfe25e

            • C:\Users\Admin\AppData\Local\bac4ad4dbbfab9c06d79ac59f382bdb0\Admin@AVCIKYMG_en-US\System\ProductKey.txt

              Filesize

              29B

              MD5

              71eb5479298c7afc6d126fa04d2a9bde

              SHA1

              a9b3d5505cf9f84bb6c2be2acece53cb40075113

              SHA256

              f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

              SHA512

              7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

            • C:\Users\Admin\AppData\Local\bac4ad4dbbfab9c06d79ac59f382bdb0\msgid.dat

              Filesize

              19B

              MD5

              8ff206bf155528e619cfd07ebac2d138

              SHA1

              1f06982c13bb37fdf4f9dd2e61af74f7ad6a0ed8

              SHA256

              f19ccfd5d45bd3857e407cddc6304078dc45d8ca36f1467b701cdd934e93d107

              SHA512

              ffef90c962f2ff8bafda1256fc386f0bc6f98b1b10f07001feaad34a4f29df52b8bc28fad6cec80b7296d5cf4fdd3b908e93ac88a4532afb96f0b1b2bc7eee68

            • memory/1692-68-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-10-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-18-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-20-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-22-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-24-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-26-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-28-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-30-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-32-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-34-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-36-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-40-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-42-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-44-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-48-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-52-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-54-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-50-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-60-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-58-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-56-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-46-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-38-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-62-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-64-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-1-0x0000000075330000-0x0000000075AE0000-memory.dmp

              Filesize

              7.7MB

            • memory/1692-66-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-937-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

              Filesize

              4KB

            • memory/1692-939-0x0000000005770000-0x00000000057BC000-memory.dmp

              Filesize

              304KB

            • memory/1692-938-0x0000000005890000-0x0000000005A32000-memory.dmp

              Filesize

              1.6MB

            • memory/1692-940-0x0000000007A70000-0x0000000008014000-memory.dmp

              Filesize

              5.6MB

            • memory/1692-0-0x0000000000800000-0x0000000000A7E000-memory.dmp

              Filesize

              2.5MB

            • memory/1692-2-0x00000000053A0000-0x00000000053B0000-memory.dmp

              Filesize

              64KB

            • memory/1692-3-0x0000000005420000-0x000000000562A000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-945-0x0000000075330000-0x0000000075AE0000-memory.dmp

              Filesize

              7.7MB

            • memory/1692-14-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-4-0x0000000006860000-0x0000000006A6A000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-6-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-16-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-8-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-5-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/1692-12-0x0000000006860000-0x0000000006A64000-memory.dmp

              Filesize

              2.0MB

            • memory/2900-944-0x0000000000400000-0x0000000000592000-memory.dmp

              Filesize

              1.6MB

            • memory/2900-1006-0x0000000007670000-0x0000000007702000-memory.dmp

              Filesize

              584KB

            • memory/2900-946-0x0000000005640000-0x00000000056A6000-memory.dmp

              Filesize

              408KB

            • memory/2900-957-0x0000000006D40000-0x0000000006D5E000-memory.dmp

              Filesize

              120KB

            • memory/2900-1146-0x0000000005730000-0x0000000005740000-memory.dmp

              Filesize

              64KB

            • memory/2900-1149-0x0000000006E30000-0x0000000006EAA000-memory.dmp

              Filesize

              488KB

            • memory/2900-952-0x0000000005BD0000-0x0000000005C62000-memory.dmp

              Filesize

              584KB

            • memory/2900-953-0x0000000005C60000-0x0000000005C86000-memory.dmp

              Filesize

              152KB

            • memory/2900-1222-0x00000000071B0000-0x0000000007262000-memory.dmp

              Filesize

              712KB

            • memory/2900-948-0x0000000005730000-0x0000000005740000-memory.dmp

              Filesize

              64KB

            • memory/2900-1242-0x0000000005730000-0x0000000005740000-memory.dmp

              Filesize

              64KB

            • memory/2900-956-0x0000000006D20000-0x0000000006D28000-memory.dmp

              Filesize

              32KB

            • memory/2900-954-0x0000000005C90000-0x0000000005C98000-memory.dmp

              Filesize

              32KB

            • memory/2900-1224-0x0000000005730000-0x0000000005740000-memory.dmp

              Filesize

              64KB

            • memory/2900-1225-0x0000000006F00000-0x0000000006F22000-memory.dmp

              Filesize

              136KB

            • memory/2900-1226-0x0000000008590000-0x00000000088E4000-memory.dmp

              Filesize

              3.3MB

            • memory/2900-947-0x0000000075330000-0x0000000075AE0000-memory.dmp

              Filesize

              7.7MB

            • memory/2900-1238-0x0000000007370000-0x000000000737A000-memory.dmp

              Filesize

              40KB

            • memory/2900-1239-0x0000000075330000-0x0000000075AE0000-memory.dmp

              Filesize

              7.7MB

            • memory/2900-1240-0x0000000005730000-0x0000000005740000-memory.dmp

              Filesize

              64KB

            • memory/2900-1241-0x0000000005730000-0x0000000005740000-memory.dmp

              Filesize

              64KB

            • memory/2900-955-0x0000000006D10000-0x0000000006D1A000-memory.dmp

              Filesize

              40KB