General

Target:  zula.gif
Size:    18.4MB
Sample:  240410-3hpddshd3y
MD5:     3c90817fdec6cbd9c13d02f38285dcd3
SHA1:    ddf7eaedc568ca2435d272b8b56178a19fd39ca7
SHA256:  4fdb587bd1d7a19b84946a3ae903fb49828cf9e57f3c6dd75b026eb13f92ced2
SHA512:  1bb00b1639d74a4f5c4643ce502ed760393c627925c0d742ddd37504eef8312c083d653381843529443270cfa4846474da08d26e550abaf1e44d8e089b0fab88
SSDEEP:  393216:lYCnR/3bVb54aY9ScPt+y+L+h5LKEwlwsVyH/CIF:dnv54t9u+nvCcHVF
Static task: static1
Malware Config

Two njRAT configurations were extracted from the sample. The first four values of each block are unlabelled in the raw extraction; the labels version, campaign, C2 and mutex below follow the usual order of njRAT config fields (the mutex and reg_key are identical in both, which is njRAT's default).

Extracted: njrat
  version:  im523
  campaign: HacKed
  C2:       127.0.0.1:5552
  mutex:    2bc2da243b888ddb954888782e6bdaa2
  reg_key:  2bc2da243b888ddb954888782e6bdaa2
  splitter: |'|'|

Extracted: njrat
  version:  0.7.3
  campaign: Lime
  C2:       127.0.0.1:6522
  mutex:    Client.exe
  reg_key:  Client.exe
  splitter: 123

Both C2 endpoints are loopback addresses, so neither config yields a remote host or port to block; they are useful for matching the config and the on-host artefacts (mutex, reg_key), not as network indicators.
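As an added example (not part of the sandbox report, and not njRAT's own code): a small Python parser for the C2 message layout the two extracted configs describe. It assumes the framing and the registration-message field order of the publicly available njRAT 0.7d source (ASCII decimal payload length, a NUL byte, then fields joined by the configured splitter); the hwid, host, user and date values in it are constructed. It also shows why the second config's splitter, "123", is fragile: any field that contains the digits 123 is torn apart, so a parser keyed on that config can reject its own traffic.

```python
import base64

# The two configs extracted above (values from the report; field names are
# the standard njRAT config fields).
CONFIGS = {
    "HacKed": {"campaign": "HacKed", "version": "im523",
               "c2": ("127.0.0.1", 5552), "splitter": "|'|'|"},
    "Lime":   {"campaign": "Lime", "version": "0.7.3",
               "c2": ("127.0.0.1", 6522), "splitter": "123"},
}


def frame(payload: bytes) -> bytes:
    """njRAT framing (assumed from the public 0.7d source): ASCII decimal
    length of the payload, a NUL byte, then the payload."""
    return str(len(payload)).encode() + b"\x00" + payload


def build_registration(cfg, hwid, user, host, os_name):
    """Constructed 'll' (registration) message. Field order follows the
    public njRAT source; every value passed in is invented for the demo."""
    sp = cfg["splitter"]
    # njRAT's victim id is base64(campaign + "_" + hwid)
    victim_id = base64.b64encode(f"{cfg['campaign']}_{hwid}".encode()).decode()
    fields = ["ll", victim_id, hwid, host, user, "24-04-10", "", os_name,
              "No", cfg["version"], "..", "Program Manager"]
    return frame(sp.join(fields).encode("latin-1"))


def parse_frames(stream: bytes, splitter: str):
    """Cut a byte stream into length-prefixed messages and split each one on
    the splitter. Raises ValueError on malformed framing."""
    messages, i = [], 0
    while i < len(stream):
        nul = stream.find(b"\x00", i)
        if nul == -1 or not stream[i:nul].isdigit():
            raise ValueError(f"bad length prefix at offset {i}")
        length = int(stream[i:nul])
        body = stream[nul + 1: nul + 1 + length]
        if len(body) != length:
            raise ValueError("truncated message")
        # njRAT uses the ANSI code page (Encoding.Default); latin-1 never fails
        messages.append(body.decode("latin-1").split(splitter))
        i = nul + 1 + length
    return messages


def identify(stream: bytes):
    """Return the name of the extracted config whose splitter parses the first
    message as a consistent registration: command 'll' and a base64 victim id
    equal to campaign + '_' + the hwid field. None if no config fits."""
    for name, cfg in CONFIGS.items():
        try:
            fields = parse_frames(stream, cfg["splitter"])[0]
        except (ValueError, IndexError):
            return None
        if fields[0] != "ll" or len(fields) < 3:
            continue
        try:
            victim = base64.b64decode(fields[1]).decode("latin-1")
        except Exception:
            continue
        if victim == f"{cfg['campaign']}_{fields[2]}":
            return name
    return None


if __name__ == "__main__":
    good = build_registration(CONFIGS["HacKed"], "DEADBEEF", "alice", "LAB-PC", "Win 10 Pro")
    print(good)
    print("identified as:", identify(good))
    # A hwid containing "123" collides with the Lime config's splitter.
    weak = build_registration(CONFIGS["Lime"], "A123B", "bob", "LAB-PC", "Win 10 Pro")
    print(parse_frames(weak, "123")[0][:4])
    print("identified as:", identify(weak))
```

A network signature keyed on the first config can anchor on the literal `ll|'|'|` at the start of a length-prefixed message; for the second config the bare splitter `123` is far too common to match on, so the check should combine the `ll123` prefix with the base64 victim id that follows it.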
Targets

Target: zula.gif (18.4MB; hashes as listed under General)
Signatures

- Detect ZGRat V1
- Disables RegEdit via registry modification
- Modifies Windows Firewall
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
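As an added example (not part of the report): triage checks for the persistence and defence-evasion artefacts the signatures above describe, run over a constructed registry export and a constructed autorun.inf. It assumes the Run-key value names equal the extracted reg_key strings, that RegEdit is disabled through the standard DisableRegistryTools policy value, and the file paths in the samples are invented for the demo.

```python
import re

# reg_key values from the two extracted configs above
REG_KEYS = {"2bc2da243b888ddb954888782e6bdaa2", "Client.exe"}
RUN_KEYS = (r"\software\microsoft\windows\currentversion\run",
            r"\software\microsoft\windows\currentversion\runonce")
POLICY_KEY = r"\software\microsoft\windows\currentversion\policies\system"

# Constructed registry export (not captured from the sample).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"2bc2da243b888ddb954888782e6bdaa2"="\"C:\\Users\\lab\\AppData\\Roaming\\server.exe\" .."
"OneDrive"="\"C:\\Users\\lab\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""

# Constructed autorun.inf (not captured from the sample).
SAMPLE_AUTORUN = r"""[autorun]
open=server.exe
shellexecute=server.exe
shell\open\command=server.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
"""


def _unescape(s):
    # .reg string escaping: \\ -> \ and \" -> "
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Minimal parser for the 'Registry Editor Version 5.00' export format:
    returns {key path: {value name: value}}. Strings are unescaped, dwords
    become ints, other types are kept as their raw text."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m or current is None:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        val = m.group(2)
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = _unescape(val[1:-1])
        elif val.startswith("dword:"):
            val = int(val[6:], 16)
        reg[current][name] = val
    return reg


def find_persistence(reg):
    """Return (kind, key, value name, value) tuples for Run-key entries named
    after an extracted reg_key and for a DisableRegistryTools=1 policy."""
    hits = []
    for key, values in reg.items():
        k = key.lower()
        if k.endswith(RUN_KEYS):
            for name, val in values.items():
                if name in REG_KEYS:
                    hits.append(("run_key", key, name, val))
        if k.endswith(POLICY_KEY) and values.get("DisableRegistryTools") == 1:
            hits.append(("regedit_disabled", key, "DisableRegistryTools", 1))
    return hits


def parse_autorun(text):
    """Return the commands an autorun.inf would launch (open=, shellexecute=,
    shell\\...\\command=); icon/label/action lines are ignored."""
    launch = []
    for line in text.splitlines():
        m = re.match(r"(?i)^(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+)$", line.strip())
        if m:
            launch.append(m.group(2).strip())
    return launch


if __name__ == "__main__":
    for hit in find_persistence(parse_reg(SAMPLE_REG)):
        print(hit)
    print("autorun launches:", parse_autorun(SAMPLE_AUTORUN))
```

On a live host the same checks apply to `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run` output and to the root of every removable volume; HKLM's Run key and the Startup folder are worth the same pass, since the report also flags a dropped startup file.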
MITRE ATT&CK Matrix (ATT&CK v13)

Counts in parentheses are the number of report signatures mapped to each technique.

Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)

Privilege Escalation
  Create or Modify System Process (1)
    Windows Service (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)

Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (2)