General

  • Target

    netflix_x86_64.exe

  • Size

    129KB

  • Sample

    240308-19j7mshh8w

  • MD5

    8269641876c4f2bb0734916bdbb9dbac

  • SHA1

    f2c79ebee8b454f608b5b7aa6881f65bbfda2419

  • SHA256

    6773ef6582d723d2fdada02266a58aaa6e33ecb6768e50e833c67a0dbadceced

  • SHA512

    887b749222663a266d2e03c8bd23248b11e7b04a5328f8c17afbdd15d5b093543d066d52165ae1b3a71253bc94cbc81a438c6050a44056954a2921ac4ef6fcf3

  • SSDEEP

    1536:LohEui/n/Nz2MESJvRrR5bJakoDncBQJO/w/0LBD7Axx:L3XVEubJulw

Malware Config

Targets

    • Detect ZGRat V1

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks