General

  • Target

    DCRatBuild.exe

  • Size

    3.8MB

  • Sample

    240430-pae8vsbe64

  • MD5

    3da1cda32190d9ba346889a7df20c952

  • SHA1

    f26a7f5ece93071f40b8cf3c5cf74af1e7589797

  • SHA256

    84d18110d3087cb912cc8cdcc3dae4e4ed4d0a4d20b514291eb7958590960607

  • SHA512

    540a4c0372ce6a8e6b651b7aaad62d9a119cf8a6589a50cab1a83c2eec6c52ac9e662f789e06ab196bbac82766cfc74b0a177fc94fe944de206c7100b2d929c6

  • SSDEEP

    98304:yQ8b58R7g9ksxqxTqIlyOBYFF+2hvc8Tf:58b5gc6TqjFFL

Malware Config

Targets

    • Target

      DCRatBuild.exe

    • Detect ZGRat V1

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to or away from particular regions.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other session material.

    • Adds Run key to start application

    • Drops file in System32 directory
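
The signatures above name the locations a responder would check on a suspect host. The script below is an added host-side triage check, not part of the tria.ge report, and not code from the sample or from Triage itself. It reads the Winlogon Shell and Userinit values, the Run/RunOnce keys, the GeoID that a location check would consult, and recently created unsigned binaries under System32. Assumptions are labelled in the comments: the expected Winlogon defaults are those of a stock Windows install, the "computer location settings" signature is taken to refer to the GeoID stored under HKCU\Control Panel\International\Geo, and the seven-day window for System32 changes is a placeholder you should narrow to the suspected infection time.

```powershell
# Added host-side triage check (example code, not from the tria.ge report or the sample).
# Run in an elevated PowerShell 5.1 or later session on the host under investigation.
$findings = @()

# 1. "Modifies WinLogon for persistence": Shell and Userinit are executed at every logon,
#    so an attacker appends or replaces them. Defaults below assume a stock install
#    (assumption); -ne compares case-insensitively in PowerShell.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$defaults = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"   # trailing comma is the stock value
}
$winlogon = Get-ItemProperty -Path $winlogonKey
foreach ($name in $defaults.Keys) {
    $value = $winlogon.$name
    if ($value -and $value.Trim() -ne $defaults[$name]) {
        $findings += [pscustomobject]@{ Check = "HKLM Winlogon\$name"; Value = $value }
    }
}
# A per-user Shell override under HKCU is absent on a clean profile; any value is worth a look.
$userShell = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -Name Shell -ErrorAction SilentlyContinue
if ($userShell) {
    $findings += [pscustomobject]@{ Check = 'HKCU Winlogon\Shell'; Value = $userShell.Shell }
}

# 2. "Adds Run key to start application": flag entries whose command does not start under
#    Program Files or the Windows directory, which is where dropped payloads usually live.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$trustedPrefix = '^"?(C:\\Program Files( \(x86\))?|C:\\Windows)\\'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
        if ($p.Value -notmatch $trustedPrefix) {
            $findings += [pscustomobject]@{ Check = "$key\$($p.Name)"; Value = $p.Value }
        }
    }
}

# 3. "Checks computer location settings": record the GeoID a geofence check would read.
#    Which registry value the sample actually queries is an assumption here.
$geo = Get-ItemProperty -Path 'HKCU:\Control Panel\International\Geo' -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{ Check = 'Geo\Nation (GeoID)'; Value = $geo.Nation }

# 4. "Drops file in System32 directory": executables created recently that carry no valid
#    Authenticode signature. Seven days is a placeholder window; tighten it to the incident.
$since = (Get-Date).AddDays(-7)
$recent = Get-ChildItem -Path "$env:SystemRoot\System32" -Include *.exe,*.dll -Recurse -Depth 1 `
    -ErrorAction SilentlyContinue | Where-Object { $_.CreationTime -gt $since }
foreach ($file in $recent) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($sig.Status -ne 'Valid') {
        $findings += [pscustomobject]@{ Check = 'Unsigned new file in System32'; Value = $file.FullName }
    }
}

$findings | Format-Table -AutoSize
```

A clean host prints only the GeoID row. Anything else is a lead, not a verdict: vendor agents legitimately register Run entries outside Program Files, and System32 receives unsigned files from some installers, so compare each hit against the process tree and timestamps from the sandbox run before acting on it.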

MITRE ATT&CK Enterprise v15

Tasks