Overview

overview

10

Static

static

10

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    155s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-03-2024 18:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f141b5eee77d2391f8ff169914873e1219c2b47ebfde2b5bdfc0af7c6e08217b.exe

  • Size

    5.3MB

  • MD5

    4eda5246e489dfa5edadc1a46221b9b6

  • SHA1

    5d11b441365ea64090f34c68b4cf47b9d2d701dc

  • SHA256

    f141b5eee77d2391f8ff169914873e1219c2b47ebfde2b5bdfc0af7c6e08217b

  • SHA512

    783b801030b15b53633509ed36c815d928a67e9c833d2c8a2cc368fda8a5b76386c34ca767636d0fd3d0262ee059af89784324701eac46f4867f8ea9e74f4625

  • SSDEEP

    49152:Kh8VUIicvXIXj97Nf50oyGRUxhtIHsWZsn+We5l7BGthQ3QTNxGSr+GiM+t2aVo/:Kh8VUIi4XIp7Nh0asO5JoHt7XXA2psO

Score
10/10
stealczgratratstealer

Malware Config

Extracted

Family

stealc

C2

http://94.156.8.100

Attributes
  • url_path

    /5dce321003e6a6b5.php

Signatures

  • Detect ZGRat V1 1 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f141b5eee77d2391f8ff169914873e1219c2b47ebfde2b5bdfc0af7c6e08217b.exe
    "C:\Users\Admin\AppData\Local\Temp\f141b5eee77d2391f8ff169914873e1219c2b47ebfde2b5bdfc0af7c6e08217b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4052
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      2⤵
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1904
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 1032
      2⤵
      • Program crash
      PID:1004
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4052 -ip 4052
    1⤵
      PID:5108

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
      Filesize

      398KB

      MD5

      2fd1be65bb613abd01f919fa509221a2

      SHA1

      4b43c83ad6b5c8dfd8547307a3bc0c842dd17ce1

      SHA256

      1b0858e50cd9915e1bfe621cf769e01a0c77966a4508bad7ebf4e0c348a95e25

      SHA512

      c7dc318fff152d921c23f587d17f15e90c635cddf167288132831f97b50c4bdfe81afceccf6768b9e07ec526eeada0765ec9bda970b93e802b53f808e3f6cd0f

      Download Submit

    • memory/1904-71-0x0000000000400000-0x000000000063B000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/1904-29-0x0000000061E00000-0x0000000061EF3000-memory.dmp

      Filesize

      972KB

      Download

    • memory/1904-27-0x0000000000400000-0x000000000063B000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/1904-26-0x0000000000400000-0x000000000063B000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/1904-23-0x0000000000400000-0x000000000063B000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/4052-16-0x0000000005530000-0x0000000005540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4052-19-0x0000000007AE0000-0x0000000007BE0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4052-8-0x0000000005AF0000-0x0000000005B02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4052-9-0x00000000075B0000-0x0000000007742000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4052-6-0x0000000005530000-0x0000000005540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4052-15-0x0000000005530000-0x0000000005540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4052-0-0x00000000744D0000-0x0000000074C80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4052-17-0x0000000005BA0000-0x0000000005BB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4052-18-0x0000000005530000-0x0000000005540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4052-7-0x0000000006230000-0x000000000646C000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/4052-20-0x0000000005530000-0x0000000005540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4052-21-0x0000000005530000-0x0000000005540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4052-22-0x0000000007AE0000-0x0000000007BE0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4052-5-0x00000000744D0000-0x0000000074C80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4052-4-0x0000000005D00000-0x000000000622C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4052-2-0x00000000055F0000-0x000000000568C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4052-28-0x00000000744D0000-0x0000000074C80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4052-3-0x0000000005530000-0x0000000005540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4052-1-0x00000000006A0000-0x0000000000BF4000-memory.dmp

      Filesize

      5.3MB

      Download