Resubmissions

18-03-2024 19:24    240318-x4seaaha4x    score 10/10

18-03-2024 19:06    240318-xsb8xsfh83    score 10/10

18-03-2024 14:42    240318-r3a6qabc38    score 10/10

General

  • Target

    RUN.exe

  • Size

    31.7MB

  • Sample

    240318-r3a6qabc38

  • MD5

    41bf2693033eaed432dfa5c1d75cdeec

  • SHA1

    ff038cb9e992a518106c80868176785e987c301d

  • SHA256

    148c3096bab88a675414bd9463c60c44317f3ee5d12f949526847827cb108010

  • SHA512

    f8ffe83afac20f3fc2b0175542e0e98cc236d3ab6e6cdf7d3702b5b124af6b64e8edd2d6ddddda6bdf6a2288f8853c56fed3bcf490227a0867baeb2bf8cb80ff

  • SSDEEP

    786432:ELlFuTirkoTj4mAJidZgSekJEUlvgBNTTz+Ndz+t:fqjzddlekmg4LU+t

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

    yes

  • URLs

    exe.dropper: https://raw.githubusercontent.com/washywashy14/7zip-bin/master/win/Uemlxaw.zip

Targets

    • Target

      RUN.exe

    • Size

      31.7MB

    Score
    10/10
    • Detect ZGRat V1

    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
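As an added worked example (not part of this report and not the sandbox's own signature code), the detection logic for three of the behaviours listed above, run over a few constructed event records: the Windows Defender real-time protection tampering, the country-code (geofence) registry lookup, and the dropper payload fetched from a legitimate hosting service. The event schema, the process paths and the list of abused hosting domains are assumptions made for the example; the Defender policy key with its `Disable*` values and the `Control Panel\International\Geo\Nation` value are the standard registry locations for those settings, but how the sandbox itself implements the checks is not shown on the page. The dropper URL is the one extracted in the Malware Config section.

```python
"""Detection pass over constructed sandbox-style events for three behaviours
from the report. All events below are constructed for the example."""
from urllib.parse import urlparse

# Policy key whose Disable* DWORDs switch off real-time protection components.
DEFENDER_RTP_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_RTP_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}
# Value holding the configured GeoID; reading it is the geofence lookup.
GEO_KEY = r"HKCU\Control Panel\International\Geo"
GEO_VALUE = "Nation"
# Assumed analyst-maintained list of legitimate services abused for hosting.
ABUSED_HOSTING = {"raw.githubusercontent.com", "github.com", "cdn.discordapp.com", "pastebin.com"}
# Representations of DWORD 1 seen in different log exporters (assumption).
TRUE_VALUES = {"1", "0x1", "dword (0x00000001)"}

# Constructed events (schema is an assumption, not the sandbox's format).
SAMPLE_EVENTS = [
    {"type": "reg_set", "image": r"C:\Users\user\RUN.exe", "key": DEFENDER_RTP_KEY,
     "value": "DisableRealtimeMonitoring", "data": "1"},
    {"type": "reg_set", "image": r"C:\Users\user\RUN.exe", "key": DEFENDER_RTP_KEY,
     "value": "DisableBehaviorMonitoring", "data": "DWORD (0x00000001)"},
    {"type": "reg_query", "image": r"C:\Users\user\RUN.exe", "key": GEO_KEY, "value": "Nation"},
    {"type": "net_request", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "url": "https://raw.githubusercontent.com/washywashy14/7zip-bin/master/win/Uemlxaw.zip"},
    # Benign: policy service writing 0 re-enables protection, must not fire.
    {"type": "reg_set", "image": r"C:\Windows\System32\svchost.exe", "key": DEFENDER_RTP_KEY,
     "value": "DisableRealtimeMonitoring", "data": "0"},
    {"type": "net_request", "image": r"C:\Windows\System32\svchost.exe",
     "url": "https://www.microsoft.com/en-us/"},
]


def detect_defender_tamper(ev):
    """reg_set of a Disable* value to 1 under the Defender real-time policy key."""
    return (ev.get("type") == "reg_set"
            and ev.get("key", "").lower() == DEFENDER_RTP_KEY.lower()
            and ev.get("value") in DEFENDER_RTP_VALUES
            and str(ev.get("data", "")).strip().lower() in TRUE_VALUES)


def detect_geofence_lookup(ev):
    """Read of HKCU\\Control Panel\\International\\Geo\\Nation (configured GeoID)."""
    return (ev.get("type") == "reg_query"
            and ev.get("key", "").lower() == GEO_KEY.lower()
            and ev.get("value", "").lower() == GEO_VALUE.lower())


def detect_abused_hosting(ev):
    """Outbound request whose host is a legitimate service on the abuse list."""
    if ev.get("type") != "net_request":
        return False
    host = (urlparse(ev.get("url", "")).hostname or "").lower()
    return host in ABUSED_HOSTING


RULES = [
    ("defender_rtp_tamper", detect_defender_tamper),
    ("geofence_lookup", detect_geofence_lookup),
    ("abused_hosting", detect_abused_hosting),
]


def run_detections(events):
    """Return (event index, rule name) for every rule that matches an event."""
    return [(i, name) for i, ev in enumerate(events) for name, fn in RULES if fn(ev)]


def summarize_by_image(events, hits):
    """Group fired rule names by the process image that produced them."""
    out = {}
    for i, name in hits:
        out.setdefault(events[i].get("image", "?"), set()).add(name)
    return {img: sorted(names) for img, names in out.items()}


if __name__ == "__main__":
    hits = run_detections(SAMPLE_EVENTS)
    for img, names in summarize_by_image(SAMPLE_EVENTS, hits).items():
        print(f"{img}: {', '.join(names)}")
```

The benign `svchost.exe` write of `0` is included deliberately: a rule that fires on any write to the Defender policy key will light up on Group Policy refreshes, so the value is checked, not just the key. Matching hosts with `urlparse` rather than substring search avoids a lookalike such as `raw.githubusercontent.com.evil.example` slipping past.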

MITRE ATT&CK Enterprise v15

Tasks