General

  • Target

    file

  • Size

    2.7MB

  • Sample

    240401-ym79vadh2v

  • MD5

    bcc93e415a05ea5bb4ac3985fe389866

  • SHA1

    54afd186ad33eea4266fdcae4229e8fe48e4e8eb

  • SHA256

    6ce6fd56b675cb8ffc6e5ecb11bb80640e24e58a09985f8a4f635ee9c3c2bf97

  • SHA512

    a5ec0307abaab0f9a5a5c28cb1bcae8847dd21b91c9f8a84e0e0294b2b039a5d68c22cb8a4f56f5bb6e344e26df5ab1416612c8c3cb1c7f8980ae137dda49016

  • SSDEEP

    49152:wrtSAbjawsGcz8QfpyvcRjBZPohnKZV7+P:bOaw1uF4

Malware Config

Targets

    • Target

      file

    • Size

      2.7MB

    • MD5

      bcc93e415a05ea5bb4ac3985fe389866

    • SHA1

      54afd186ad33eea4266fdcae4229e8fe48e4e8eb

    • SHA256

      6ce6fd56b675cb8ffc6e5ecb11bb80640e24e58a09985f8a4f635ee9c3c2bf97

    • SHA512

      a5ec0307abaab0f9a5a5c28cb1bcae8847dd21b91c9f8a84e0e0294b2b039a5d68c22cb8a4f56f5bb6e344e26df5ab1416612c8c3cb1c7f8980ae137dda49016

    • SSDEEP

      49152:wrtSAbjawsGcz8QfpyvcRjBZPohnKZV7+P:bOaw1uF4

    • AsyncRat

      AsyncRAT is a tool written in C# designed to remotely monitor and control other computers.

    • Detect ZGRat V1

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++, first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Async RAT payload

    • Blocklisted process makes network request

    • Creates new service(s)

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks