General

  • Target

    HSY#41YAS_38A92D4D_3SH72AHD_38A92N_AOKC3928.exe

  • Size

    279KB

  • Sample

    240419-k56l3sde27

  • MD5

    9c1be0ced582f3668473504b88e48cd8

  • SHA1

    1b314d7c3883fd6694e378228cf6f55a8037cbb4

  • SHA256

    154ec6d918a0ab2013142569ccea54cc00094e762a2e07a2d74a3c999c45737c

  • SHA512

    f1e160443240a1cd7c3bd34313a1538e0f7ab52c11a96780081dee6258b53f4d783090e6d8ed6b0a42b491e714ab8b8757e12a87000ca8b3ce6158418a0ca06b

  • SSDEEP

    6144:54E6JRqVYtRqQuMXfbHbfWOv7NnKlPkF7u5WNCmMcNeh/9LXEHP:54EVURlrf7vFCP1+Neh/JUv

Malware Config

Targets

    • Target

      HSY#41YAS_38A92D4D_3SH72AHD_38A92N_AOKC3928.exe

    • Size

      279KB

    • MD5

      9c1be0ced582f3668473504b88e48cd8

    • SHA1

      1b314d7c3883fd6694e378228cf6f55a8037cbb4

    • SHA256

      154ec6d918a0ab2013142569ccea54cc00094e762a2e07a2d74a3c999c45737c

    • SHA512

      f1e160443240a1cd7c3bd34313a1538e0f7ab52c11a96780081dee6258b53f4d783090e6d8ed6b0a42b491e714ab8b8757e12a87000ca8b3ce6158418a0ca06b

    • SSDEEP

      6144:54E6JRqVYtRqQuMXfbHbfWOv7NnKlPkF7u5WNCmMcNeh/9LXEHP:54EVURlrf7vFCP1+Neh/JUv

    • Detect ZGRat V1

    • Guloader, Cloudeye

      A shellcode based downloader first seen in 2020.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar profile data.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      d968cb2b98b83c03a9f02dd9b8df97dc

    • SHA1

      d784c9b7a92dce58a5038beb62a48ff509e166a0

    • SHA256

      a4ec98011ef99e595912718c1a1bf1aa67bfc2192575729d42f559d01f67b95c

    • SHA512

      2ee41dc68f329a1519a8073ece7d746c9f3bf45d8ef3b915deb376af37e26074134af5f83c8af0fe0ab227f0d1acca9f37e5ca7ae37c46c3bcc0331fe5e2b97e

    • SSDEEP

      192:CVA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:CrR7SrtTv53tdtTgwF4SQbGPX36wJMw

    Score
    3/10

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                              Count  ID
  Persistence           Boot or Logon Autostart Execution      1      T1547
  Persistence           Registry Run Keys / Startup Folder     1      T1547.001
  Privilege Escalation  Boot or Logon Autostart Execution      1      T1547
  Privilege Escalation  Registry Run Keys / Startup Folder     1      T1547.001
  Defense Evasion       Modify Registry                        2      T1112
  Defense Evasion       Subvert Trust Controls                 1      T1553
  Defense Evasion       Install Root Certificate               1      T1553.004
  Credential Access     Unsecured Credentials                  2      T1552
  Credential Access     Credentials In Files                   1      T1552.001
  Credential Access     Credentials in Registry                1      T1552.002
  Discovery             System Information Discovery           1      T1082
  Collection            Data from Local System                 2      T1005
  Collection            Email Collection                       1      T1114

Tasks