Extracted

Extracted

• • Target

    BaffFree (1).rar

  • Size

    14.0MB

  • MD5

    1d5acc5687edcd169ff1f668fb614668

  • SHA1

    5ef489cd47893a888286c8cfc5cf565945c44628

  • SHA256

    d4f5d067ff567af50017ad3f0997b6aaea6fc8e3305adf57de560e03536e8e86

  • SHA512

    8aaff2444d1bc3b308e0aa9761e97f3dd497df76a1fe68bb11560e06d2f73297c1fcf1bce74e0bab1e016ef52109a45c995ce750a3be5fde0cf6a75ee4c9b7d1

  • SSDEEP

    196608:7nw75pSvvDy2bpmAa72xIvRt5snPdFK5Jdr9hj+i4etUqUFc/muT8EgJHZtmiC:7wCXbi7EIvRmPdFIhjF4eGnuT4DmP

  Score

  10^/10

  umbralxwormzgratevasionpersistenceratstealertrojan

  • Detect Umbral payload

  • Detect Xworm Payload

  • Detect ZGRat V1

  • Modifies WinLogon for persistence

    persistence

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat

  • Creates new service(s)

    persistence

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Stops running service(s)

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2