General

  • Target

    9D3374AC830B193FB933965F85541463.exe

  • Size

    2.1MB

  • Sample

    240302-red8gaea9v

  • MD5

    9d3374ac830b193fb933965f85541463

  • SHA1

    3f71dfc4cc6e5b7bbec3cc4a92b01c9a75966b9f

  • SHA256

    cd69c0f61d3e8f3db97c6a4748b9f68dfc044bff5e95a769b7df85f8be8e005e

  • SHA512

    3aa5e889990ba415adaa594a918b49c2df2566d1ffaaf5c2b6775b6cc4b42719f5ea6f8bb622e3fb79e5176ce86a47c38aeb2b54ffdbce3edcbcb092aaac80bb

  • SSDEEP

    49152:IBJK0bNAHSf50o8MDGGMYqbk6hCOJq1/p:yUaAHsYEGGMYqbnulp

Malware Config

Targets

    • Detect ZGRat V1

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks