General

  • Target

    Installer.exe

  • Size

    12.6MB

  • Sample

    240418-1zsq2ahb3w

  • MD5

    e560d8abab1b94fa698c5164b10c4fa5

  • SHA1

    7b7e2334f06610ebcb9ac796c471961df6a6c377

  • SHA256

    817cac7fcfdc0f48444c45be772997707761e2ca1e43e8d53f8f7e0e7a1e42b0

  • SHA512

    cc546819fbf9cb40c8bd7c9f686b2d7e189b624fc94a8075e0a43ebcf83d28ed4fc51227c3450e94de91e2c72ce6ce68d7f5e6f8e9e390406da4bcc32470af16

  • SSDEEP

    196608:MgINJY5ucj/+mDZR65PzwNVnQwOsayF0RjPLIp+I3U84IXrTNtNp0GIUOueu/ty:MR+59nYRzw0wlF0RjPLIECU84EJ49h

Malware Config

Extracted

Family

xenorat

C2

jctestwindows.airdns.org

Mutex

Xeno_rat_nd8913d

Attributes
  • delay

    5000

  • install_path

    temp

  • port

    45010

  • startup_name

    WindowsErrorHandler

Extracted

Family

growtopia

C2

https://discord.com/api/webhooks/1199763266872803338/8vedcXoMcyExhe1xhBm5f8ncmafWmOB3pkulE0l8g9Pel0t3ziyr2V51cLTVEjYsE4Rj

Targets

    • Target

      Installer.exe

    • Size

      12.6MB

    • MD5

      e560d8abab1b94fa698c5164b10c4fa5

    • SHA1

      7b7e2334f06610ebcb9ac796c471961df6a6c377

    • SHA256

      817cac7fcfdc0f48444c45be772997707761e2ca1e43e8d53f8f7e0e7a1e42b0

    • SHA512

      cc546819fbf9cb40c8bd7c9f686b2d7e189b624fc94a8075e0a43ebcf83d28ed4fc51227c3450e94de91e2c72ce6ce68d7f5e6f8e9e390406da4bcc32470af16

    • SSDEEP

      196608:MgINJY5ucj/+mDZR65PzwNVnQwOsayF0RjPLIp+I3U84IXrTNtNp0GIUOueu/ty:MR+59nYRzw0wlF0RjPLIECU84EJ49h

    • Detect ZGRat V1

    • Growtopia

      Growtopa is an opensource modular stealer written in C#.

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Creates new service(s)

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks