General

  • Target

    notion-app-download-_TytjLT0Iic.zip

  • Size

    4.1MB

  • Sample

    240324-mhwjpsbh74

  • MD5

    79694bd87e85656f6d7f9617cea36c44

  • SHA1

    b8ea84410ad61ff77608b2e3a5fc5d2cb4f47fef

  • SHA256

    a57e5617701bb5fe63bb4111ebaf527eb90f7f73eddae850ae0834236742e97a

  • SHA512

    e0275f4c9940806721fc65ba3cdf2d6fc45e0916ba8264fadaaf7c2c143a0a8114f21cfe582a5c29bc4c421554febda10cf456e3eaf49fab3ad8f385ee22a411

  • SSDEEP

    98304:pdEvpqtR4nJQ/7AkhNDty5J9YCrHslajggosanQ1y1:gI/4nJMAkhjGr+Jsan1

Malware Config

Extracted

Family

socks5systemz

C2

http://bwiwana.com/search/?q=67e28dd86b5ea42a430af91a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a771ea771795af8e05c643db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffe13c7e9909d3c

Targets

    • Target

      PASSWORD 123.txt

    • Size

      32B

    • MD5

      74be16979710d4c4e7c6647856088456

    • SHA1

      67a74306b06d0c01624fe0d0249a570f4d093747

    • SHA256

      f215faf9d88b7f0a881632ee22459ee452a296c808d261b6cc993d3a1fd0600e

    • SHA512

      8d5891b55ccb5f5809559d62af779ae306d2f39b23e0d2508a11e8140b049f003e4004e6f5189b5513d56c1ba75074f9efba4a02b7ab92db43496f426e46075e

    • Score

      1/10

    • Target

      __.exe

    • Size

      113KB

    • MD5

      5fd249a523f8006dae95752b5cf9bf49

    • SHA1

      e6e02da45574070c899c51f2400f9bd3171b02f0

    • SHA256

      443b3b9929156d71ed73e99850a671a89d4d0d38cc8acc7f286696dd4f24895e

    • SHA512

      1e0b370cde831f1fd135cbe7b0e1ce4ac2f7d58d0fe94d4df8db92e756affb35c3b5b7f6ccf4f03964869b3e8110673912175d5abac92742111d7f8fed32343d

    • SSDEEP

      3072:e4GZnrASj3/lQLFvGwFCZ+XH+IB8wvFxP:e4GZrr3/K1Btvn

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

    • Adds Run key to start application

    • Downloads MZ/PE file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      notion-app-download-_TytjLT0Iic.exe

    • Size

      4.0MB

    • MD5

      1a73eb194d3765f97cfdde38719829eb

    • SHA1

      662b3a38f2b5a09b362fe3c33777daec039340fa

    • SHA256

      d5b16247a1d39d0935d106243f98de0ca2682db3b7b378de3449eb22c0aed64a

    • SHA512

      2fb8a80503a512fcbca23d2c844090b22fe6657d9d3dfc27615e94e8ff7ba9cf566b158b085fad55ec4efc3728eae55b97ac7538935802251a5f8ca097fb95fd

    • SSDEEP

      98304:FpIgPP8GeU9MuTi0yaYobgazVeL2/CJyc6uCXEInqwiW8Ysqwl:fIgP99Mu25aBgazVeSRc6uCXfiW8YsX

    • Socks5Systemz

      Socks5Systemz is a botnet written in C++.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks