General

  • Target

    pass_1se.zip

  • Size

    749KB

  • Sample

    240504-qf259ahg53

  • MD5

    85b7d099665b1dcea3909c05d80cc8c7

  • SHA1

    0aa4282ccc8e00f2191e639b2c44e79b9cb16bf0

  • SHA256

    050b6a721da09e5106f29775f35aa3d8a9dd056681611edab626cdc214b82f32

  • SHA512

    edb9aaf1cc1271a0629a183afcd6452b10e79afba24728c2cf3c8e2216153c5f749b4a8358d9a368f26ab3090941c654a58e105e8709de14a3aff781ee6207a3

  • SSDEEP

    12288:z8xrwjczE5ZevNyz1I3SR4IZwXbScHbTk8TD1ar8Z3K7rwiPZ0yeuav96G3:IxNEfINyhI3S9ZwXDTk8T5NjiPZDoL

Malware Config

Targets

    • Target

      Installer.exe

    • Size

      868KB

    • MD5

      d798e214b68688388aa252758397cdb5

    • SHA1

      049d6714f300b0ea83f7b416d58fda1ddd6a8393

    • SHA256

      3b5c1b31a1440796a56d70ce1c046a67c5116790ca5f77bbce0698ed14ceb269

    • SHA512

      f428807ba27fa6edba16295defb0a394cb0692d76851b1057f0774791ebab3c63eb7e2930472a044037769df42cbb63e2f20d319086aea8dfd6cfd274f3963e5

    • SSDEEP

      24576:zgZXoZUTVdt7KWcgNshI3K3ZEXbTkaL5bjiPZ7ip:a8gNaI6pELL5PGZ2p

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Detect ZGRat V1

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Async RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                      Count  ID
  Execution             Scheduled Task/Job             1      T1053
  Persistence           Scheduled Task/Job             1      T1053
  Privilege Escalation  Scheduled Task/Job             1      T1053
  Credential Access     Unsecured Credentials          1      T1552
  Credential Access     Credentials In Files           1      T1552.001
  Discovery             Query Registry                 2      T1012
  Discovery             System Information Discovery   3      T1082
  Collection            Data from Local System         1      T1005

Tasks