Overview

overview

10

Static

static

3

FUCKER.exe

windows11-21h2-x64

10

Resubmissions

09-04-2024 08:32

240409-kfg77aaf85 10

09-04-2024 08:32

240409-kfglnaaf84 10

09-04-2024 08:32

240409-kffz5aea2y 10

09-04-2024 08:32

240409-kffpcsaf79 10

11-03-2024 08:03

240311-jxm94afe6y 10

10-03-2024 15:15

240310-snee9sfd3y 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    FUCKER.exe

  • Size

    10KB

  • Sample

    240311-jxm94afe6y

  • MD5

    2a94f3960c58c6e70826495f76d00b85

  • SHA1

    e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

  • SHA256

    2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

  • SHA512

    fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

  • SSDEEP

    192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score
10/10
mylobotriseprozgratbotnetevasionpersistencepyinstallerratspywarestealertrojan

Malware Config

Extracted

Family

mylobot

C2

pqrqtaz.ru:9879

pickcas.ru:6464

quwkbin.ru:3496

rkbupij.ru:6653

pcqmayq.ru:3629

mmuliwe.ru:3541

stoizji.ru:5189

sfdfrhh.ru:3511

ynciazz.ru:4127

mkglhnw.ru:1946

njeeili.ru:9987

dldzeoo.ru:7525

tkbiqjq.ru:5145

uenosbl.ru:2935

faayshc.ru:9865

nttfazc.ru:6761

nfwsyog.ru:7172

uyfusxm.ru:7372

hxkclwx.ru:1294

zgoysam.ru:2338

Targets

    • Target

      FUCKER.exe

    • Size

      10KB

    • MD5

      2a94f3960c58c6e70826495f76d00b85

    • SHA1

      e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

    • SHA256

      2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

    • SHA512

      fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

    • SSDEEP

      192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

    Score
    10/10
    mylobotriseprozgratbotnetevasionpersistencepyinstallerratspywarestealertrojan

    • Detect ZGRat V1

    • Mylobot

      Botnet which first appeared in 2017 written in C++.

      botnetmylobot

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RisePro

      RisePro stealer is an infostealer distributed by PrivateLoader.

      stealerrisepro

    • UAC bypass

      evasiontrojan

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks