Resubmissions

24-04-2024 16:59

240424-vhdmwsde66 10

23-04-2024 20:43

240423-zhwkxsbg42 10

General

  • Target

    sample

  • Size

    18KB

  • Sample

    240423-zhwkxsbg42

  • MD5

    99f0b83d632890fba4b98eaefbf5b3b6

  • SHA1

    e901c8e60c64bc37c41e18331b6feba9f27f953e

  • SHA256

    e6ed52f8af20e62a45ad5ef04c62adc3126952f0f9ee422663e50c1e6cd56af3

  • SHA512

    f61affae346dbb0867c8935f521c2d9d2e07a67edeffa24f00a36fb0fca4419d14ff735f2f5c5c137e01d5d93f3f74e654d4865061b31171e6eba87fe2a350bf

  • SSDEEP

    384:rkyEYDpmReVoOs4Mi9ylKeGMQU8HhhbQYe7/QZS2LjFrScLI+YVJCBXQL:rkaBVoOs4MmyI1M6Bhbpw/QhFrScLaJf

Malware Config

Targets

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Modifies Installed Components in the registry

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Registers COM server for autorun

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies boot configuration data using bcdedit

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Modifies termsrv.dll

      Commonly used to allow simultaneous RDP sessions.

MITRE ATT&CK Matrix (ATT&CK v13)

Each entry is listed as technique name (technique ID): count, with sub-techniques indented under their parent technique.

  • Initial Access

    Replication Through Removable Media (T1091): 1

  • Persistence

    Boot or Logon Autostart Execution (T1547): 3
      Registry Run Keys / Startup Folder (T1547.001): 3
    Event Triggered Execution (T1546): 1
      Change Default File Association (T1546.001): 1
    Browser Extensions (T1176): 1

  • Privilege Escalation

    Boot or Logon Autostart Execution (T1547): 3
      Registry Run Keys / Startup Folder (T1547.001): 3
    Event Triggered Execution (T1546): 1
      Change Default File Association (T1546.001): 1

  • Defense Evasion

    Modify Registry (T1112): 7

  • Credential Access

    Unsecured Credentials (T1552): 1
      Credentials In Files (T1552.001): 1

  • Discovery

    Query Registry (T1012): 4
    System Information Discovery (T1082): 3

  • Lateral Movement

    Replication Through Removable Media (T1091): 1
    Remote Services (T1021): 1
      Remote Desktop Protocol (T1021.001): 1

  • Collection

    Data from Local System (T1005): 1

  • Command and Control

    Web Service (T1102): 1

Tasks