growtopia | 817cac7fcfdc0f48444c45be772997707761e2ca1e43e8d53f8f7e0e7a1e42b0 | Triage

Submit
Reports

Overview

overview

Static

static

3

Installer.exe

windows7-x64

Installer.exe

windows10-2004-x64

Sharing

General

Target

Installer.exe
Size

12.6MB
Sample

240418-1zsq2ahb3w
MD5

e560d8abab1b94fa698c5164b10c4fa5
SHA1

7b7e2334f06610ebcb9ac796c471961df6a6c377
SHA256

817cac7fcfdc0f48444c45be772997707761e2ca1e43e8d53f8f7e0e7a1e42b0
SHA512

cc546819fbf9cb40c8bd7c9f686b2d7e189b624fc94a8075e0a43ebcf83d28ed4fc51227c3450e94de91e2c72ce6ce68d7f5e6f8e9e390406da4bcc32470af16
SSDEEP

196608:MgINJY5ucj/+mDZR65PzwNVnQwOsayF0RjPLIp+I3U84IXrTNtNp0GIUOueu/ty:MR+59nYRzw0wlF0RjPLIECU84EJ49h

Score

10^/10

growtopia xenorat zgrat evasion persistence pyinstaller rat stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Installer.exe

Resource

win7-20240221-en

growtopia xenorat zgrat evasion persistence pyinstaller rat stealer trojan

windows7-x64

21 signatures

600 seconds

Behavioral task

behavioral2

Sample

Installer.exe

Resource

win10v2004-20240412-en

growtopia xenorat zgrat evasion persistence pyinstaller rat stealer trojan

windows10-2004-x64

27 signatures

600 seconds

Malware Config

Extracted

Family

xenorat

C2

jctestwindows.airdns.org

Mutex

Xeno_rat_nd8913d

Attributes

delay
5000
install_path
temp
port
45010
startup_name
WindowsErrorHandler

Extracted

Family

growtopia

C2

https://discord.com/api/webhooks/1199763266872803338/8vedcXoMcyExhe1xhBm5f8ncmafWmOB3pkulE0l8g9Pel0t3ziyr2V51cLTVEjYsE4Rj

Targets

- Target
  
  Installer.exe
- Size
  
  12.6MB
- MD5
  
  e560d8abab1b94fa698c5164b10c4fa5
- SHA1
  
  7b7e2334f06610ebcb9ac796c471961df6a6c377
- SHA256
  
  817cac7fcfdc0f48444c45be772997707761e2ca1e43e8d53f8f7e0e7a1e42b0
- SHA512
  
  cc546819fbf9cb40c8bd7c9f686b2d7e189b624fc94a8075e0a43ebcf83d28ed4fc51227c3450e94de91e2c72ce6ce68d7f5e6f8e9e390406da4bcc32470af16
- SSDEEP
  
  196608:MgINJY5ucj/+mDZR65PzwNVnQwOsayF0RjPLIp+I3U84IXrTNtNp0GIUOueu/ty:MR+59nYRzw0wlF0RjPLIECU84EJ49h
Score

10^/10

growtopia xenorat zgrat evasion persistence pyinstaller rat stealer trojan
- Detect ZGRat V1
- Growtopia
  Growtopa is an opensource modular stealer written in C#.
  stealer growtopia
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Creates new service(s)
  persistence
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Service Stop

Resource Development

Reconnaissance

Tasks

static1

behavioral1

growtopiaxenoratzgratevasionpersistencepyinstallerratstealertrojan

behavioral2

growtopiaxenoratzgratevasionpersistencepyinstallerratstealertrojan

© 2018-2024

Terms | Privacy