Malware Analysis Report

2024-11-30 05:03

Sample ID 240229-f93c1aga83
Target 901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879.exe
SHA256 901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879
Tags
zgrat rat lumma stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879

Threat Level: Known bad

The file 901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879.exe was found to be: Known bad.

Malicious Activity Summary

zgrat rat lumma stealer

Detect ZGRat V1

Zgrat family

ZGRat

Lumma Stealer

Loads dropped DLL

Suspicious use of SetThreadContext

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-29 05:35

Signatures

Detect ZGRat V1 (static match; no indicator, process or target recorded)

Zgrat family (tags: zgrat)

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 05:35

Reported

2024-02-29 05:43

Platform

win7-20240220-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879.exe

"C:\Users\Admin\AppData\Local\Temp\901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 560

Note: WerFault's -p argument is the PID of the process that crashed, and 2060 is the sample itself (the same PID as every memory dump listed below). On this Windows 7 image the sample crashed before spawning a child, injecting or touching the network, which is why this run records no signatures and no network activity. The injection and C2 behaviour appear only in behavioral2 on Windows 10.

Network

N/A

Files

memory/2060-1-0x0000000000300000-0x00000000009B6000-memory.dmp

memory/2060-0-0x0000000074A80000-0x000000007516E000-memory.dmp

memory/2060-2-0x0000000004830000-0x0000000004870000-memory.dmp

memory/2060-3-0x0000000074A80000-0x000000007516E000-memory.dmp

memory/2060-4-0x0000000004830000-0x0000000004870000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-29 05:35

Reported

2024-02-29 05:43

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879.exe"

Signatures

Detect ZGRat V1 (static match; no indicator, process or target recorded)

Lumma Stealer (tags: stealer, lumma)

ZGRat (tags: rat, zgrat)

Suspicious use of SetThreadContext

Description: PID 3796 set thread context of 1380
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879.exe
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

Suspicious use of WriteProcessMemory

Description: PID 3796 wrote to memory of 1380 (nine separate write events recorded)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879.exe
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

Note: the sample (PID 3796) spawns the legitimate, Microsoft-signed .NET build host MsBuild.exe (PID 1380), writes into it repeatedly, then sets its thread context. That sequence is the process-hollowing (RunPE) injection pattern: what runs under the name MsBuild.exe afterwards is the sample's payload, not Microsoft's code, so process-name allowlists will not catch it. The dumps of PID 1380 at 0x00400000-0x0044A000 listed under Files are the place to look for the unpacked payload.
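The two signatures above only become a confident verdict when read together: one process both writing into a child and then setting that child's thread context. The script below is an added example (not the sandbox's own tooling) that applies that pairing rule to signature rows in the same layout as this report. The EVENTS lines are constructed to mirror the behavioral2 rows (PIDs 3796 and 1380), and the HOLLOW_TARGETS allowlist of commonly hollowed Microsoft binaries is an analyst choice, not something the report states.

```python
"""Detect the process-hollowing pattern (cross-process WriteProcessMemory
followed by SetThreadContext on the same child) from sandbox signature rows.

Added example, not the sandbox's own tooling. EVENTS is constructed to mirror
the "Suspicious use of ..." rows in behavioral2; HOLLOW_TARGETS is an analyst
allowlist, not a fact from the report.
"""
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879.exe")
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"

# Constructed to match the report: nine WriteProcessMemory rows, one SetThreadContext row.
EVENTS = [f"PID 3796 wrote to memory of 1380 N/A {SAMPLE} {MSBUILD}"] * 9 + [
    f"PID 3796 set thread context of 1380 N/A {SAMPLE} {MSBUILD}",
]

# Row layout: "PID <src> <action> <dst> <indicator> <process> <target>".
# Paths in this report contain no spaces, so \S+ is sufficient here.
ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P<indicator>\S+) (?P<process>\S+) (?P<target>\S+)$"
)

# Signed Microsoft binaries that commodity loaders commonly hollow (analyst list).
HOLLOW_TARGETS = {
    "msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
    "aspnet_compiler.exe", "applaunch.exe", "vbc.exe", "csc.exe",
}


@dataclass
class Pair:
    process: str
    target: str
    writes: int = 0
    context_set: bool = False


def parse_events(lines):
    """Group rows by (source PID, target PID) and record what each pair did."""
    pairs = {}
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue  # not an injection row; ignore it
        key = (int(m["src"]), int(m["dst"]))
        pair = pairs.setdefault(key, Pair(m["process"], m["target"]))
        if m["action"] == "wrote to memory of":
            pair.writes += 1
        else:
            pair.context_set = True
    return pairs


def detect_hollowing(lines):
    """One finding per (src, dst) pair that both wrote memory and set thread
    context. A write on its own is noise-prone (debuggers, installers); the
    pair together is the RunPE signature."""
    findings = []
    for (src, dst), pair in parse_events(lines).items():
        if not (pair.writes and pair.context_set):
            continue
        target_name = pair.target.rsplit("\\", 1)[-1].lower()
        findings.append({
            "source_pid": src,
            "target_pid": dst,
            "writes": pair.writes,
            "target": pair.target,
            # Hollowing a signed Microsoft host is the high-confidence case.
            "severity": "high" if target_name in HOLLOW_TARGETS else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(EVENTS):
        print(f"[{f['severity']}] PID {f['source_pid']} hollowed PID {f['target_pid']} "
              f"({f['target']}) after {f['writes']} WriteProcessMemory calls")
```

Run against this report's rows it yields a single high-severity finding for 3796 -> 1380. The same pairing logic ports directly to Sysmon (Event ID 8 CreateRemoteThread / Event ID 10 ProcessAccess) or EDR telemetry, where the write count and the parent-child relationship are what separate a loader from legitimate tooling.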

Processes

C:\Users\Admin\AppData\Local\Temp\901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879.exe

"C:\Users\Admin\AppData\Local\Temp\901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 woodfeetumhblefepoj.shop udp
US 104.21.1.232:443 woodfeetumhblefepoj.shop tcp
US 8.8.8.8:53 232.1.21.104.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 technologyenterdo.shop udp
US 172.67.180.132:443 technologyenterdo.shop tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 104.21.60.92:443 detectordiscusser.shop tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 8.8.8.8:53 132.180.67.172.in-addr.arpa udp
US 8.8.8.8:53 92.60.21.104.in-addr.arpa udp
US 104.21.76.253:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 associationokeo.shop udp
US 104.21.10.242:443 associationokeo.shop tcp
US 8.8.8.8:53 253.76.21.104.in-addr.arpa udp
US 8.8.8.8:53 242.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
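Most rows in the table above are the sandbox's own reverse (PTR) lookups and Windows background traffic; the actionable part is the set of nine unusual .shop/.fun/.pw names, of which only five ever received a TCP connection. The script below is an added example (not the sandbox's own tooling) that parses the table, drops the noise and separates the domains that connected from those that were only queried. NETWORK is the report's table copied verbatim; the noise rule (in-addr.arpa and bing.com) is an analyst assumption.

```python
"""Triage the behavioral2 network table: strip sandbox background traffic and
report which candidate C2 domains actually connected.

Added example, not the sandbox's own tooling. NETWORK is copied from the
report; is_noise() encodes an analyst assumption about background traffic.
"""

NETWORK = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 woodfeetumhblefepoj.shop udp
US 104.21.1.232:443 woodfeetumhblefepoj.shop tcp
US 8.8.8.8:53 232.1.21.104.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 technologyenterdo.shop udp
US 172.67.180.132:443 technologyenterdo.shop tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 104.21.60.92:443 detectordiscusser.shop tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 8.8.8.8:53 132.180.67.172.in-addr.arpa udp
US 8.8.8.8:53 92.60.21.104.in-addr.arpa udp
US 104.21.76.253:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 associationokeo.shop udp
US 104.21.10.242:443 associationokeo.shop tcp
US 8.8.8.8:53 253.76.21.104.in-addr.arpa udp
US 8.8.8.8:53 242.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
"""


def parse_rows(table):
    """Yield (country, ip, port, domain, proto) per row of the report's table."""
    for line in table.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), domain, proto


def is_noise(domain):
    """Analyst assumption: PTR lookups are the sandbox resolving IPs it saw,
    and bing.com is Windows background traffic on this image."""
    return (domain.endswith(".in-addr.arpa")
            or domain == "bing.com" or domain.endswith(".bing.com"))


def triage(table):
    """domain -> {'ips', 'ports', 'dns_queries'} in first-seen order, noise removed.
    Rows to 8.8.8.8:53 are DNS queries; anything else is a real connection."""
    seen = {}
    for _, ip, port, domain, proto in parse_rows(table):
        if is_noise(domain):
            continue
        entry = seen.setdefault(domain, {"ips": set(), "ports": set(), "dns_queries": 0})
        if proto == "udp" and port == 53:
            entry["dns_queries"] += 1
        else:
            entry["ips"].add(ip)
            entry["ports"].add(port)
    return seen


def candidate_c2(table):
    """Domains that were resolved and then connected to."""
    return [d for d, e in triage(table).items() if e["ips"]]


def dns_only(table):
    """Domains that were only queried; still indicators, since the loader
    walks its list until one answers."""
    return [d for d, e in triage(table).items() if not e["ips"]]


def defang(domain):
    """Defang for safe inclusion in reports and tickets."""
    return domain.replace(".", "[.]")


if __name__ == "__main__":
    for d in candidate_c2(NETWORK):
        print("connected:", defang(d), sorted(triage(NETWORK)[d]["ips"]))
    for d in dns_only(NETWORK):
        print("dns only: ", defang(d))
```

Two caveats when turning this into blocking rules. The five resolved addresses all fall in Cloudflare space (104.21.0.0/16 and 172.67.0.0/16 lie inside Cloudflare's 104.16.0.0/12 and 172.64.0.0/13), so the IPs are shared infrastructure and the domains are the indicators to block, not the addresses. And the four DNS-only names should go on the same list: a loader that tries a sequence of domains until one responds will fall back to them once the first five are sinkholed.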

Files

memory/3796-1-0x00000000005E0000-0x0000000000C96000-memory.dmp

memory/3796-0-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/3796-2-0x00000000057C0000-0x00000000057D0000-memory.dmp

memory/3796-3-0x00000000056B0000-0x000000000574C000-memory.dmp

memory/3796-4-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/3796-5-0x00000000057C0000-0x00000000057D0000-memory.dmp

memory/3796-6-0x0000000005F00000-0x000000000642C000-memory.dmp

memory/3796-7-0x0000000006A50000-0x0000000007068000-memory.dmp

memory/3796-8-0x0000000006430000-0x0000000006722000-memory.dmp

memory/3796-9-0x0000000006720000-0x00000000068B2000-memory.dmp

memory/3796-15-0x00000000057C0000-0x00000000057D0000-memory.dmp

memory/3796-19-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

memory/3796-21-0x00000000057C0000-0x00000000057D0000-memory.dmp

memory/1380-32-0x0000000001400000-0x0000000001401000-memory.dmp

memory/1380-31-0x0000000001400000-0x0000000001401000-memory.dmp

memory/1380-30-0x0000000001400000-0x0000000001401000-memory.dmp

memory/1380-29-0x0000000001400000-0x0000000001401000-memory.dmp

memory/1380-28-0x0000000000400000-0x000000000044A000-memory.dmp

memory/3796-27-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/1380-26-0x0000000000400000-0x000000000044A000-memory.dmp

memory/1380-23-0x0000000000400000-0x000000000044A000-memory.dmp

memory/3796-22-0x0000000008340000-0x0000000008440000-memory.dmp

memory/3796-20-0x0000000008340000-0x0000000008440000-memory.dmp

memory/3796-18-0x00000000057C0000-0x00000000057D0000-memory.dmp

memory/3796-17-0x00000000057C0000-0x00000000057D0000-memory.dmp

memory/3796-16-0x00000000057C0000-0x00000000057D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 3f8f208318fad2f1e845eda475a8e3fd
SHA1 61c13d85e3b766f06409e66733879e4e1d8d8668
SHA256 e16e500d03c560636967b9c2bdea45d6f616349eb2daf3f34b54ef528142758e
SHA512 7267596cb838c227042661e91da9be36dd34a635f8894a20bde53f2aed90ba09f0740d03a4cd4fc2270d83fb91dd32ebd516738fcb0b73eb58b5db10ad6fd618

memory/1380-33-0x0000000001400000-0x0000000001401000-memory.dmp

memory/1380-34-0x0000000000400000-0x000000000044A000-memory.dmp