General

  • Target

    9A495517949AA4F4112EDA7460B6903C.exe

  • Size

    1.9MB

  • Sample

    240302-ret9paed66

  • MD5

    9a495517949aa4f4112eda7460b6903c

  • SHA1

    2903a362bbde234152a8f12bc5ed028e3231538b

  • SHA256

    137f811a64808946b6f03fa54450fa9a4fe77eacfb7afa39f0a1a7a1ce659a60

  • SHA512

    bc7d5c93156f2a1fc47553e0f8455cb66aa1e02d352707d5925c23a0cc78195adcc4f0c059a49edf14f3fd6079cf0c5caac397aea9456aefab5684fffc525128

  • SSDEEP

    24576:2TbBv5rUyXVNweJZ7rsW7aB61THQZEDLRBoQwexZS1U1Cr2Egkfu6XFTLbB5xo+T:IBJNnl71zodgS1U8rZXpb7++IqRXz

Malware Config

Targets

    • Detect ZGRat V1

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks