Resubmissions

05-05-2024 18:01

240505-wl1ghabh23 10

05-05-2024 17:56

240505-wjdvqabg39 10

General

  • Target

    TT ViewBot Tool.rar

  • Size

    2.5MB

  • Sample

    240505-wjdvqabg39

  • MD5

    2d8e0aacc4d03e584d72dab765035fe3

  • SHA1

    9e8873ee30ef69abb762781db025ecee0d6be817

  • SHA256

    0aa3a8f7bd8f94484b0435e72e292744161b0707186f94845b7b6b54ac8f874d

  • SHA512

    366a66c845b7a24da8416a4765f11e511fd8dc526e083190dfa5bc8a874f71d5cb155da72aae01d5173b4136e1ad41afd9a5e8437264c4c5c097442fef3298df

  • SSDEEP

    49152:8lV1gGgvC7f0OoqKFKdoOyO29o4wZzboGJDY8BtKr:moGhocdxyDo9boGi2O

Malware Config

Targets

    • Target

      TT ViewBot v2.0/Data/Lists.py

    • Size

      2KB

    • MD5

      58b844082767dd40b291276087b6323b

    • SHA1

      41748aed3409eeb4be7a8d53b98a81fcfff2323d

    • SHA256

      b21702251cf0e88c166088d4e08294b2b0c2f961da8056ac48c735243d554279

    • SHA512

      f50268442358d511424d649603ce701cda7bb885cdfe005c8fbcdbde2b47784102b7196438d664ef4c32b5c317ad9e9b8ec7f1ed741d3aef399f378149c61547

    Score
    3/10
    • Target

      TT ViewBot v2.0/Data/ScrapProxie.py

    • Size

      8KB

    • MD5

      005e6b6cd75e6fd6040731c64494e537

    • SHA1

      86f24fc5aad569829e0651bdcd607168c19c58f6

    • SHA256

      8fd6afc4c92b8c65eb96a7493e559c83449578fcf178e20d9d126b411eead5e5

    • SHA512

      a16848eda731c6e7591b94a7291095a19fca11ecdd2e4b1e55306f28b288bc473f2bad97bb505c0c8fd4d3a7e7227103427ac5aed1bf6bd3b21f6bce3e785931

    • SSDEEP

      96:QSGcG6lghWnE559ZlWoxKMk59Vp+pvey9t9c9xsRvRxY1K7DpCgkTli:P659ZwoxKMW9Vp+pmYHexscU9j

    Score
    3/10
    • Target

      TT ViewBot v2.0/Data/UserAgent.py

    • Size

      1.0MB

    • MD5

      0c9b29e6b8291144a8a1c7b190accbe5

    • SHA1

      a5946876fb6de43a28c9b3d3b783c755f74f41f1

    • SHA256

      8ec04b593bbf03b344809ebca690dcec7bc082bccd0e28d3b4931b371ab044c9

    • SHA512

      cc8ad93051da8b447064d4c3dbaab624b8fa4516874358a1dfe2d52ac03a87f104b6cae8b036c42c87c7d9b1946138d9a0f4f7f5ed2db62b0a771901e1ec5cfe

    • SSDEEP

      384:UKxzhaSY5IiEgeBLPxKQheqwF3zdU49rdobwjkH6g6QcOHcoR8AnaREHszt3Y3fO:e

    Score
    3/10
    • Target

      TT ViewBot v2.0/bot_start.exe

    • Size

      2.5MB

    • MD5

      bf4a8b1ff2f896acac3e7ace357abfca

    • SHA1

      c1bd1b3d2959d844f6b4e339f45d3749667df3e1

    • SHA256

      e0d1d7c74b52bbd40f5dc85cb9b3ab69ae750d8fc3f5fbd15a98eed616c1ce8e

    • SHA512

      fd7082a905540e23a5c5b6fd2717c0255ede2680bef16076f174d417bbeef4694e2fa82a8f9e0407cc160344cc194edd19ab40901b468c1695a1b8773e23e494

    • SSDEEP

      49152:Tfx0DZfVUfCnJA3bxBLbsgyGKEQYdfT3kVYCNN5oUpwmJFkjQuQLLOet:l4ZnIlBvyGKJA3kVD4lIl7r

    • Detect ZGRat V1

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Runs a command via powershell.exe.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      TT ViewBot v2.0/setup.py

    • Size

      941B

    • MD5

      eda4ba41910e22351b9181d552cf3b1c

    • SHA1

      bf2fa5977b13b6ae80a4a1915d8025f75eca16fd

    • SHA256

      1291ef03e04110780a294bb9608358901fb86ea235840fbd49ffe7beeb6c4da4

    • SHA512

      1f6bcfd592c408acc45ec680ca78d01f15ed5ff3a7aaa632410923f4b661de671d9a5db6dd14b1695dcad37979b053df2d9d3067be8d5a51687bc583fda89ed2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Registers COM server for autorun

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory
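
    The signature lists for bot_start.exe and setup.py above name behaviours a detection engineer would want to re-derive from raw telemetry rather than trust a sandbox verdict alone. The following is an added example, not part of this report or of the sandbox's own rule set: a small rule set that maps constructed, Sysmon-style events onto the report's signature names (Defender exclusions via PowerShell, an unexpected PowerShell child, a Run-key write, a COM server registration, the country-code lookup, and Uninstall-key enumeration). The event shape, the registry paths it matches, the parent-process allowlist, the file paths, the GUID and the PowerShell command line are all assumptions made for the example.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Event:
    """One sandbox/EDR event. The shape is an assumption for this example,
    loosely modelled on Sysmon process-create (1) and registry (12/13) events."""
    kind: str            # "process" | "reg_set" | "reg_query"
    image: str = ""      # image path of the acting process
    parent: str = ""     # parent image path (process events only)
    cmdline: str = ""    # command line (process events only)
    key: str = ""        # registry key path (reg_* events only)


# Assumed registry locations behind the report's signature text:
#  - Geo\Nation holds the configured country code ("likely geofence")
#  - Run / RunOnce are classic autostart values ("Adds Run key ...")
#  - CLSID\{...}\InprocServer32|LocalServer32 register a COM server
#  - Uninstall subkeys list installed software ("Checks installed software ...")
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.I)
COM_SERVER_KEY = re.compile(r"\\CLSID\\\{[0-9A-F-]+\}\\(InprocServer32|LocalServer32)", re.I)
UNINSTALL_KEY = re.compile(r"\\CurrentVersion\\Uninstall(\\|$)", re.I)

# Defender exclusion tampering via PowerShell, as described for bot_start.exe.
POWERSHELL_IMAGE = re.compile(r"(^|\\)(powershell|pwsh)\.exe$", re.I)
MP_EXCLUSION = re.compile(r"Add-MpPreference\b.*?-Exclusion(Path|Extension|Process)\b", re.I)

# Parents from which a PowerShell child is expected (constructed allowlist).
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Event) -> list[str]:
    """Return the signature names a single event triggers (possibly several)."""
    hits: list[str] = []
    if ev.kind == "process" and POWERSHELL_IMAGE.search(ev.image):
        if MP_EXCLUSION.search(ev.cmdline):
            hits.append("defender_exclusion_via_powershell")
        if ev.parent and _basename(ev.parent) not in INTERACTIVE_PARENTS:
            hits.append("unexpected_child_process")
    elif ev.kind == "reg_set":
        if RUN_KEY.search(ev.key):
            hits.append("run_key_persistence")
        if COM_SERVER_KEY.search(ev.key):
            hits.append("com_server_autorun")
    elif ev.kind == "reg_query":
        if GEO_KEY.search(ev.key):
            hits.append("geofence_country_lookup")
        if UNINSTALL_KEY.search(ev.key):
            hits.append("installed_software_enumeration")
    return hits


def summarize(events: list[Event]) -> dict[str, int]:
    """Count how often each signature fired across a whole trace."""
    return dict(Counter(sig for ev in events for sig in classify(ev)))


# Constructed trace approximating the report's bot_start.exe / setup.py behaviour.
# Paths, the GUID and the PowerShell command line are made up for the example.
BOT = r"C:\Users\user\Desktop\TT ViewBot v2.0\bot_start.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event("process", image=BOT, parent=r"C:\Windows\explorer.exe", cmdline="bot_start.exe"),
    Event("reg_query", image=BOT, key=r"HKCU\Control Panel\International\Geo\Nation"),
    Event("process", image=PS, parent=BOT,
          cmdline=r'powershell -NoProfile -Command "Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp -ExclusionExtension exe"'),
    Event("reg_set", image=BOT, key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event("reg_set", image=BOT, key=r"HKCU\Software\Classes\CLSID\{01234567-89AB-CDEF-0123-456789ABCDEF}\InprocServer32"),
    Event("reg_query", image=BOT, key=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++"),
    # Benign control: an interactive PowerShell launched from Explorer.
    Event("process", image=PS, parent=r"C:\Windows\explorer.exe", cmdline="powershell Get-Date"),
]

if __name__ == "__main__":
    for sig, n in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{sig:40s} {n}")
```

    Each rule is deliberately narrow: the Defender rule only fires on an Add-MpPreference exclusion, the Run-key rule will not match neighbouring keys such as RunServices, and the benign Explorer-launched PowerShell in the trace triggers nothing. On real telemetry the registry-read events (Geo\Nation, Uninstall) would have to come from a sandbox API trace or an EDR, since Sysmon does not log registry reads.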

MITRE ATT&CK Enterprise v15

Tasks