General

  • Target

    lol_script_14.8.rar

  • Size

    2.6MB

  • Sample

    240504-l34v5saf9w

  • MD5

    956d2d5278b72fd1cdbc93ff56d74cfb

  • SHA1

    2c25c8d7ca9c9f30be5a659dcea1a6b6d5e90b15

  • SHA256

    f81a8e34aa90ae946cd21ac247b4bfccecaceff6cd36aa48241d184b9a3f9e53

  • SHA512

    f84b016e2810dc45980fae44e1cb6e87693aeee5950ba5421a51e19a6ab63c182ccf7597fe11536c679ddeac513b8c9f2584f92e01e779567a91008f7832c283

  • SSDEEP

    49152:NS+gNyvqs+7w3WGk8SkyZ1QZJspgFlExnlBnprnVPvOwln:Ng/sN3WGkTn1QqnnhnwIn

Malware Config

Targets

    • Target

      lol_script_14.8.rar

    • Size

      2.6MB

    • MD5

      956d2d5278b72fd1cdbc93ff56d74cfb

    • SHA1

      2c25c8d7ca9c9f30be5a659dcea1a6b6d5e90b15

    • SHA256

      f81a8e34aa90ae946cd21ac247b4bfccecaceff6cd36aa48241d184b9a3f9e53

    • SHA512

      f84b016e2810dc45980fae44e1cb6e87693aeee5950ba5421a51e19a6ab63c182ccf7597fe11536c679ddeac513b8c9f2584f92e01e779567a91008f7832c283

    • SSDEEP

      49152:NS+gNyvqs+7w3WGk8SkyZ1QZJspgFlExnlBnprnVPvOwln:Ng/sN3WGkTn1QqnnhnwIn

    Score
    3/10

    • Target

      Evolut.dll

    • Size

      367KB

    • MD5

      caa14c6ad0c8fb8cbe1a2d3a69d6905a

    • SHA1

      7a17a8ed6a6deaf5b5f940ca35f353a73f23632c

    • SHA256

      3a270e61cf7c0c1176f6135a441e9566fdf0004667854f1452c5728077a31554

    • SHA512

      6e28f77de38ca63d37a19b98d76a29c273664ba4a7817ec01e402827681a5bfbfb4e42c407b775145aa47f0852cc121f39b91fa0976a98afc5afd739953a7e0d

    • SSDEEP

      6144:96FpIqYFbCsucuy8y+e0IacBL6cCyLtagsS7FNRmN3f8ZWc0EU:9hJFKneD6H6FNRmN31h

    Score
    5/10

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      League_Injector.exe

    • Size

      2.4MB

    • MD5

      c07e8749c65b1e729b4b7ac2156f6503

    • SHA1

      f6fe3c93d5998e0eb6aa01b3a5faf47a55816449

    • SHA256

      fcd6efc097e295d6767061451ea002987767e96ebd910b46c8d714e6e1c9219f

    • SHA512

      27c4e3ba2e16c701d8f4ba4efd09d64998f61661ffb2c11797deb9dd2f61a21e029c223e675bd277a91b8e1da0ddbc56a30a38371d2ff543049b13604dce01ce

    • SSDEEP

      49152:LIwHemVVsdsfsWSaBOSuvMhJMYYmf+j2H0MLzNhQyI60QhD:BHfVVYsf75BPZnMYzGjviD

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks