General

  • Target

    BoosterX2.0.rar

  • Size

    9.1MB

  • Sample

    240302-sc86haef93

  • MD5

    30f16376b4d940673d31ef43a40adf98

  • SHA1

    5aa69c1e1928d41539dc2b6900a2fd223b6eaba9

  • SHA256

    05f9a6b8d512fc86ad39a503a4b82385b04b274c10d8260135d3babeefa8abea

  • SHA512

    600807d81457108379ec500c289de93069f1a4b5242110576e5f5502caf0f1b2661ba7f4c9de7dd5066cf3f82a7730054bf3189aac8813727952824564a83139

  • SSDEEP

    196608:6cuGDnBvSyJBhmSo4zYvp9KlTKHUZwkD5XCDnnIIQVUOyxokK:6RGDnBvBO4cKKUmkDQTIIQVey9

Malware Config

Targets

    • Target

      BoosterX2.0.rar

    • Size

      9.1MB

    • MD5

      30f16376b4d940673d31ef43a40adf98

    • SHA1

      5aa69c1e1928d41539dc2b6900a2fd223b6eaba9

    • SHA256

      05f9a6b8d512fc86ad39a503a4b82385b04b274c10d8260135d3babeefa8abea

    • SHA512

      600807d81457108379ec500c289de93069f1a4b5242110576e5f5502caf0f1b2661ba7f4c9de7dd5066cf3f82a7730054bf3189aac8813727952824564a83139

    • SSDEEP

      196608:6cuGDnBvSyJBhmSo4zYvp9KlTKHUZwkD5XCDnnIIQVUOyxokK:6RGDnBvBO4cKKUmkDQTIIQVey9

    • Detect ZGRat V1

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks