Malware Analysis Report

2025-06-16 05:48

Sample ID 240326-bn867sbc35
Target 531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696
SHA256 531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696
Tags
modiloader trojan zgrat persistence rat spyware stealer
Score 10/10

Analysis Overview

Score 10/10

SHA256

531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696

Threat Level: Known bad

The file 531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan zgrat persistence rat spyware stealer

Detect ZGRat V1

ModiLoader, DBatLoader

ZGRat

ModiLoader Second Stage

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-03-26 01:18

Signatures

Unsigned PE

Description Indicator Process Target
(1 match; no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-26 01:18

Reported

2024-03-26 01:21

Platform

win7-20240221-en

Max time kernel

140s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe

"C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 816

Network

Country Destination Domain Proto
US 8.8.8.8:53 onedrive.live.com udp
US 13.107.137.11:443 onedrive.live.com tcp
US 8.8.8.8:53 onedrive.live.com udp
US 13.107.137.11:443 onedrive.live.com tcp

Files

memory/1908-0-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1908-1-0x00000000032D0000-0x00000000042D0000-memory.dmp

memory/1908-2-0x00000000032D0000-0x00000000042D0000-memory.dmp

memory/1908-4-0x0000000000400000-0x000000000050F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-26 01:18

Reported

2024-03-26 01:21

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
(30 matches; no description, indicator, process or target recorded)

ModiLoader, DBatLoader

trojan modiloader

ZGRat

rat zgrat

ModiLoader Second Stage

Description Indicator Process Target
(5 matches; no description, indicator, process or target recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows \System32\8695336.exe N/A
N/A N/A C:\Users\Public\Libraries\sdxmkajA.pif N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows \System32\8695336.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ajakmxds = "C:\\Users\\Public\\Ajakmxds.url" C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 116 set thread context of 3248 N/A C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe C:\Users\Public\Libraries\sdxmkajA.pif

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Libraries\sdxmkajA.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target (identical rows collapsed; event count in parentheses)
PID 116 wrote to memory of 2816 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 884 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 856 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe C:\Windows\SysWOW64\cmd.exe
PID 856 wrote to memory of 544 (2 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows \System32\8695336.exe
PID 544 wrote to memory of 2520 (2 events) N/A C:\Windows \System32\8695336.exe C:\Windows\system32\cmd.exe
PID 4464 wrote to memory of 5104 (2 events) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 116 wrote to memory of 3732 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe C:\Windows\SysWOW64\extrac32.exe
PID 116 wrote to memory of 3248 (5 events) N/A C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe C:\Users\Public\Libraries\sdxmkajA.pif

Processes

Process tree. PIDs are taken from the WriteProcessMemory table above and matched to command lines in listing order; the parent of PID 4464 (the cmd.exe that launched powershell.exe) is not recorded in that table. Note that extrac32 writes Ajakmxds.PIF while the file executed is sdxmkajA.pif, the same name reversed.

PID 116   C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe
          "C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe"
  PID 2816  C:\Windows\SysWOW64\cmd.exe
            cmd /c mkdir "\\?\C:\Windows "
  PID 884   C:\Windows\SysWOW64\cmd.exe
            cmd /c mkdir "\\?\C:\Windows \System32"
  PID 856   C:\Windows\SysWOW64\cmd.exe
            cmd /c "C:\Windows \System32\8695336.exe"
    PID 544   C:\Windows \System32\8695336.exe
              "C:\Windows \System32\8695336.exe"
      PID 2520  C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
  PID 3732  C:\Windows\SysWOW64\extrac32.exe
            C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe C:\\Users\\Public\\Libraries\\Ajakmxds.PIF
  PID 3248  C:\Users\Public\Libraries\sdxmkajA.pif
            C:\Users\Public\Libraries\sdxmkajA.pif

PID 4464  C:\Windows\system32\cmd.exe (parent not recorded)
          cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
  PID 5104  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
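The command lines in this section give four detections worth keeping: the trailing-space "C:\Windows \System32" mock directory created through the \\?\ prefix, the Defender exclusion added with Add-MpPreference, extrac32 /C used as a file copy into C:\Users\Public, and the Run key that points at a .url launcher. The following is an added example, not part of the sandbox report or any vendor's code. It runs those checks over constructed Sysmon-style process-creation and registry-set records whose field values are copied from the Processes and Signatures sections above; the Event class, its field names, the ATT&CK labels and the benign notepad.exe control record are assumptions made for the example.

```python
"""Detections for the loader chain in this report, run over constructed
Sysmon-like records. Added example, not sandbox or vendor code."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process" (Sysmon EID 1-like) or "registry" (EID 13-like)
    image: str = ""      # process image path
    cmdline: str = ""    # process command line
    target: str = ""     # registry value path
    details: str = ""    # registry value data


# Constructed records; field values are copied from the report. The notepad.exe
# record is a benign control (constructed) that must not fire.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe"
SID = "S-1-5-21-399997616-3400990511-967324271-1000"
EVENTS = [
    Event("process", image=r"C:\Windows\SysWOW64\cmd.exe",
          cmdline=r'cmd /c mkdir "\\?\C:\Windows "'),
    Event("process", image=r"C:\Windows\SysWOW64\cmd.exe",
          cmdline=r'cmd /c mkdir "\\?\C:\Windows \System32"'),
    Event("process", image=r"C:\Windows \System32\8695336.exe",
          cmdline=r'"C:\Windows \System32\8695336.exe"'),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline=r'''powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"'''),
    Event("process", image=r"C:\Windows\SysWOW64\extrac32.exe",
          cmdline=r"C:\\Windows\\System32\\extrac32.exe /C /Y " + SAMPLE
                  + r" C:\\Users\\Public\\Libraries\\Ajakmxds.PIF"),
    Event("registry",
          target="\\REGISTRY\\USER\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Ajakmxds",
          details=r'"C:\\Users\\Public\\Ajakmxds.url"'),
    Event("process", image=r"C:\Windows\System32\notepad.exe",
          cmdline=r"notepad.exe C:\Users\Public\notes.txt"),
]

# A trusted root followed by one or more spaces and then a separator or quote.
MOCK_DIR = re.compile(r'(?i)\\(?:windows|program files(?: \(x86\))?) +(?=[\\"]|$)')
DEFENDER_EXCL = re.compile(r"(?i)add-mppreference\b.*-exclusion")
EXTRAC32_COPY = re.compile(r"(?i)\bextrac32(?:\.exe)?\b.*\s/c\b")   # /C = copy, no CAB involved
PUBLIC_STAGE = re.compile(r"(?i)\\+users\\+public\\+.*\.(?:pif|url)\b")
RUN_KEY = re.compile(r"(?i)\\currentversion\\run\\")
LAUNCHER_EXT = re.compile(r"(?i)\.(?:url|pif|lnk)\W*$")


def has_mock_trusted_dir(path: str) -> bool:
    """True for a trusted root written with a trailing space, e.g. 'C:\\Windows \\System32'.
    Win32 path normalisation strips trailing spaces from components, so such a
    directory can only be created through the \\?\ prefix, and a binary placed in it
    carries a path that string-based trust checks can mistake for the real System32."""
    return MOCK_DIR.search(path) is not None


def detect(ev: Event) -> list[str]:
    """Return the findings that fire on one record (empty list when benign)."""
    hits: list[str] = []
    if ev.kind == "process":
        if has_mock_trusted_dir(ev.image) or has_mock_trusted_dir(ev.cmdline):
            hits.append("T1036.005 mock trusted directory (trailing-space path)")
        if DEFENDER_EXCL.search(ev.cmdline):
            hits.append("T1562.001 Defender exclusion added via Add-MpPreference")
        if EXTRAC32_COPY.search(ev.cmdline):
            hits.append("T1218 extrac32 /C used to copy a file (LOLBin)")
        if PUBLIC_STAGE.search(ev.cmdline):
            hits.append("payload staged under C:\\Users\\Public as .pif/.url")
    elif ev.kind == "registry":
        if RUN_KEY.search(ev.target) and LAUNCHER_EXT.search(ev.details):
            hits.append("T1547.001 Run key pointing at a .url/.pif launcher")
    return hits


def scan(events: list[Event]) -> list[tuple[int, str]]:
    """(record index, finding) pairs for a whole record set."""
    return [(i, h) for i, ev in enumerate(events) for h in detect(ev)]


if __name__ == "__main__":
    for idx, finding in scan(EVENTS):
        print(f"record {idx}: {finding}")
```

The mock-directory check is deliberately applied to both the image path and the command line: the mkdir calls fire only on the command line, while 8695336.exe fires on its image path, which is the form a later child-process or DLL-load event would carry.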

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 onedrive.live.com udp
US 13.107.137.11:443 onedrive.live.com tcp
US 13.107.137.11:443 onedrive.live.com tcp
US 8.8.8.8:53 c0ulvw.db.files.1drv.com udp
US 13.107.42.12:443 c0ulvw.db.files.1drv.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 11.137.107.13.in-addr.arpa udp
US 8.8.8.8:53 12.42.107.13.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 eu-west-1.sftpcloud.io udp
GB 159.65.94.38:21 eu-west-1.sftpcloud.io tcp
GB 159.65.94.38:50010 eu-west-1.sftpcloud.io tcp
US 8.8.8.8:53 38.94.65.159.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
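Read in order, the TCP rows above show a TLS fetch from a OneDrive file-hosting name, then an FTP control connection on port 21 to eu-west-1.sftpcloud.io followed by a connection to a high port on the same address, which is the shape of a passive-mode FTP data transfer. The following is an added example, not part of the sandbox report or any vendor's code, that applies those two heuristics to a subset of the connection tuples copied from the table; the file-hosting suffix list, the 1024 ephemeral-port threshold and the wording of the findings are assumptions made for the example, and the bing.net rows are kept to show that sandbox background traffic is left alone.

```python
"""Network triage over the behavioral2 connection table. Added example,
not sandbox or vendor code."""
from __future__ import annotations

# (country, destination, domain, proto), a subset copied from the table, in order.
CONNECTIONS = [
    ("US", "8.8.8.8:53", "onedrive.live.com", "udp"),
    ("US", "13.107.137.11:443", "onedrive.live.com", "tcp"),
    ("US", "8.8.8.8:53", "c0ulvw.db.files.1drv.com", "udp"),
    ("US", "13.107.42.12:443", "c0ulvw.db.files.1drv.com", "tcp"),
    ("US", "8.8.8.8:53", "eu-west-1.sftpcloud.io", "udp"),
    ("GB", "159.65.94.38:21", "eu-west-1.sftpcloud.io", "tcp"),
    ("GB", "159.65.94.38:50010", "eu-west-1.sftpcloud.io", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
]

# Assumption: names under these suffixes are treated as stage-hosting candidates.
FILE_HOST_SUFFIXES = ("1drv.com", "onedrive.live.com")
EPHEMERAL_MIN = 1024   # assumption: passive FTP data ports land above this


def split_dest(dest: str) -> tuple[str, int]:
    """'159.65.94.38:50010' -> ('159.65.94.38', 50010)."""
    ip, _, port = dest.rpartition(":")
    return ip, int(port)


def triage(conns: list[tuple[str, str, str, str]]) -> list[tuple[str, str]]:
    """Return (domain, finding) pairs. Order matters: a high-port connection is only
    called a data channel if a port-21 control connection to the same IP came first."""
    findings: list[tuple[str, str]] = []
    ftp_control_seen: set[str] = set()
    for _country, dest, domain, proto in conns:
        if proto != "tcp":            # DNS rows only tell us the name was resolved
            continue
        ip, port = split_dest(dest)
        if port == 21:
            ftp_control_seen.add(ip)
            findings.append((domain, "FTP control channel on 21 (credentials travel in clear unless AUTH TLS is used)"))
        elif ip in ftp_control_seen and port >= EPHEMERAL_MIN:
            findings.append((domain, f"passive FTP data channel on {port} after control on 21 (file transfer, likely exfiltration for a stealer)"))
        elif port == 443 and domain.endswith(FILE_HOST_SUFFIXES):
            findings.append((domain, "TLS to a file-hosting name (second-stage download candidate)"))
    return findings


if __name__ == "__main__":
    for domain, finding in triage(CONNECTIONS):
        print(f"{domain}: {finding}")
```

The same pass over the behavioral1 table yields only the onedrive.live.com finding, which matches that run ending in WerFault before the FTP stage was reached.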

Files

memory/116-0-0x00000000006B0000-0x00000000006B1000-memory.dmp

memory/116-1-0x0000000003F60000-0x0000000004F60000-memory.dmp

memory/116-2-0x0000000003F60000-0x0000000004F60000-memory.dmp

memory/116-4-0x0000000000400000-0x000000000050F000-memory.dmp

C:\Windows \System32\8695336.exe

MD5 231ce1e1d7d98b44371ffff407d68b59
SHA1 25510d0f6353dbf0c9f72fc880de7585e34b28ff
SHA256 30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
SHA512 520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

C:\Windows \System32\netutils.dll

MD5 fa7aa88417d0c48807144a1a48fe3fbc
SHA1 6f5ec990b12d4a6075050a94e0d68d03781fa46d
SHA256 2019dcd18ba7d5554a4a9da882740aa883941670af3de9396960081a0f8aa098
SHA512 99b2eb6f8e7d00a3803cba229149e5e0cb67a3deb607782c55fbacd25d9c074cce83759de15490eff939d5ad98f26cdbd44395cc79ffe22753e16c3d9e3b5fff

memory/544-15-0x00000000613C0000-0x00000000613E3000-memory.dmp

memory/5104-21-0x00000234CE660000-0x00000234CE682000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ihuviuri.0ei.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5104-26-0x00007FFD6A600000-0x00007FFD6B0C1000-memory.dmp

memory/5104-27-0x00000234CE6F0000-0x00000234CE700000-memory.dmp

memory/5104-28-0x00000234CE6F0000-0x00000234CE700000-memory.dmp

memory/5104-31-0x00007FFD6A600000-0x00007FFD6B0C1000-memory.dmp

memory/3248-43-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Users\Public\Libraries\sdxmkajA.pif

MD5 c116d3604ceafe7057d77ff27552c215
SHA1 452b14432fb5758b46f2897aeccd89f7c82a727d
SHA256 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA512 9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

memory/3248-40-0x0000000000400000-0x0000000001400000-memory.dmp

memory/3248-45-0x0000000000400000-0x0000000001400000-memory.dmp

memory/3248-46-0x000000004C1B0000-0x000000004C20A000-memory.dmp

memory/3248-47-0x000000004C2C0000-0x000000004C864000-memory.dmp

memory/3248-48-0x000000004C870000-0x000000004C8C8000-memory.dmp

memory/3248-49-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-50-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-52-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-54-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-56-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-58-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-60-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-62-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-64-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-67-0x0000000000400000-0x0000000001400000-memory.dmp

memory/3248-66-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-69-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-71-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-73-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-75-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-77-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-79-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-81-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-83-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-86-0x000000004C2B0000-0x000000004C2C0000-memory.dmp

memory/3248-87-0x000000004C2B0000-0x000000004C2C0000-memory.dmp

memory/3248-85-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-90-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-89-0x000000004C2B0000-0x000000004C2C0000-memory.dmp

memory/3248-92-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-94-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-96-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-98-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-100-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-102-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-103-0x0000000074B40000-0x00000000752F0000-memory.dmp

memory/3248-105-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-107-0x000000004C870000-0x000000004C8C3000-memory.dmp

memory/3248-1106-0x000000004CA00000-0x000000004CA66000-memory.dmp

memory/3248-1107-0x000000004C2B0000-0x000000004C2C0000-memory.dmp

memory/3248-1108-0x000000004D2D0000-0x000000004D320000-memory.dmp

memory/3248-1109-0x000000004D320000-0x000000004D3BC000-memory.dmp

memory/3248-1110-0x000000004DB00000-0x000000004DB92000-memory.dmp

memory/3248-1111-0x000000004DD20000-0x000000004DD2A000-memory.dmp

memory/3248-1114-0x000000004C2B0000-0x000000004C2C0000-memory.dmp

memory/3248-1115-0x000000004C2B0000-0x000000004C2C0000-memory.dmp

memory/3248-1116-0x000000004C2B0000-0x000000004C2C0000-memory.dmp

memory/3248-1117-0x0000000074B40000-0x00000000752F0000-memory.dmp

memory/3248-1118-0x000000004C2B0000-0x000000004C2C0000-memory.dmp