General
Target: lol_script_14.8.rar
Size: 2.6MB
Sample: 240504-l34v5saf9w
MD5: 956d2d5278b72fd1cdbc93ff56d74cfb
SHA1: 2c25c8d7ca9c9f30be5a659dcea1a6b6d5e90b15
SHA256: f81a8e34aa90ae946cd21ac247b4bfccecaceff6cd36aa48241d184b9a3f9e53
SHA512: f84b016e2810dc45980fae44e1cb6e87693aeee5950ba5421a51e19a6ab63c182ccf7597fe11536c679ddeac513b8c9f2584f92e01e779567a91008f7832c283
SSDEEP: 49152:NS+gNyvqs+7w3WGk8SkyZ1QZJspgFlExnlBnprnVPvOwln:Ng/sN3WGkTn1QqnnhnwIn
Static task
static1
Behavioral task behavioral1: Sample lol_script_14.8.rar, Resource win7-20240221-en
Behavioral task behavioral2: Sample lol_script_14.8.rar, Resource win10v2004-20240419-en
Behavioral task behavioral3: Sample Evolut.dll, Resource win7-20240220-en
Behavioral task behavioral4: Sample Evolut.dll, Resource win10v2004-20240419-en
Behavioral task behavioral5: Sample League_Injector.exe, Resource win7-20240221-en
Behavioral task behavioral6: Sample League_Injector.exe, Resource win10v2004-20240426-en
Malware Config
Targets

Target: lol_script_14.8.rar
Size: 2.6MB
MD5: 956d2d5278b72fd1cdbc93ff56d74cfb
SHA1: 2c25c8d7ca9c9f30be5a659dcea1a6b6d5e90b15
SHA256: f81a8e34aa90ae946cd21ac247b4bfccecaceff6cd36aa48241d184b9a3f9e53
SHA512: f84b016e2810dc45980fae44e1cb6e87693aeee5950ba5421a51e19a6ab63c182ccf7597fe11536c679ddeac513b8c9f2584f92e01e779567a91008f7832c283
SSDEEP: 49152:NS+gNyvqs+7w3WGk8SkyZ1QZJspgFlExnlBnprnVPvOwln:Ng/sN3WGkTn1QqnnhnwIn
Score: 3/10

Target: Evolut.dll
Size: 367KB
MD5: caa14c6ad0c8fb8cbe1a2d3a69d6905a
SHA1: 7a17a8ed6a6deaf5b5f940ca35f353a73f23632c
SHA256: 3a270e61cf7c0c1176f6135a441e9566fdf0004667854f1452c5728077a31554
SHA512: 6e28f77de38ca63d37a19b98d76a29c273664ba4a7817ec01e402827681a5bfbfb4e42c407b775145aa47f0852cc121f39b91fa0976a98afc5afd739953a7e0d
SSDEEP: 6144:96FpIqYFbCsucuy8y+e0IacBL6cCyLtagsS7FNRmN3f8ZWc0EU:9hJFKneD6H6FNRmN31h
Score: 5/10
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: League_Injector.exe
Size: 2.4MB
MD5: c07e8749c65b1e729b4b7ac2156f6503
SHA1: f6fe3c93d5998e0eb6aa01b3a5faf47a55816449
SHA256: fcd6efc097e295d6767061451ea002987767e96ebd910b46c8d714e6e1c9219f
SHA512: 27c4e3ba2e16c701d8f4ba4efd09d64998f61661ffb2c11797deb9dd2f61a21e029c223e675bd277a91b8e1da0ddbc56a30a38371d2ff543049b13604dce01ce
SSDEEP: 49152:LIwHemVVsdsfsWSaBOSuvMhJMYYmf+j2H0MLzNhQyI60QhD:BHfVVYsf75BPZnMYzGjviD
Score: 10/10
- Detect ZGRat V1
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Creates new service(s)
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext