General

  • Target

    uTorrent(1).zip

  • Size

    17.6MB

  • Sample

    240506-vam7csae4z

  • MD5

    9fbdd9604d31aa30e17be88be177953b

  • SHA1

    600b570e746a570509c444f82b9013dc778f119b

  • SHA256

    086444e61a1301704bafe1b96f5e8089b03de564575decb6c1fd8482da8d84ef

  • SHA512

    0f84abd934565bd025c26016740fd5b04f9c800be4534a0615e840e69acfe9589502ae9a901b18256215dd9ab6a611dc8ef5bd9913ded3dcfaa141c43ce4d72c

  • SSDEEP

    393216:XlSzDMrPVRpXIX5T66GDjfBxX/dXGX5qiN6BSdCbUGJ:XMQZkhGn7PYJN6y4

Malware Config

Targets

    • Target

      uTorrent(1).exe

    • Size

      4.9MB

    • MD5

      27f55ef050816065b68d2c6e115fa01e

    • SHA1

      e10f97214512882b331dc39461ac3ac02d3e1eab

    • SHA256

      2111a4cf740c377f0d7ae7e80c0a0d718bcf473706b2b4363453c0efea3e0109

    • SHA512

      1f193ba1b81402d91e0482f89c289942c4dfdd59ba0bf3efa2c593672071c6c881f8b6bf2eb48da4a439cdf5e7f14f2a26a3e47c4588e9f3d6150eb3b9037457

    • SSDEEP

      98304:YG5QggAq5AMNHk4IP0k0EV0r3R8gF06gZlVPwEqmvdNqrA:YG5QrAM9kXck0r3Z0BHVPw+TD

    • Stops running service(s)

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks whether UAC is enabled

    • Downloads MZ/PE file

    • Modifies Installed Components in the registry

    • Sets file execution options in registry

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Target

      utorrent(1)/adguardinstaller.exe

    • Size

      142KB

    • MD5

      cd3581d9db9d066b4c08a42df3d6c1ac

    • SHA1

      deb0c2bcc63cd5f8b6e63a00cbf731475045898e

    • SHA256

      17eeb4a4eec555bdcbb1bd52be92d1b766c402e9ebd320fe3134a9f7d349fcb2

    • SHA512

      4218916a98a9c8816e780744dd7ef9679c000fba219ad21f9188c4421bd6afaebedc2d57382b97fb20c7b230e498f61d7ce606713c0a064158237d79563b819d

    • SSDEEP

      3072:K4qZHnMyBV3vChLFvGyfmKvK9MkBrF8wvFx+:K4qZHdV3vevK9MkhRvW

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops file in System32 directory

    • Target

      utorrent(1)/utorrent.exe

    • Size

      12.9MB

    • MD5

      0ea2aefff9bb3d1eda00132f6728ab91

    • SHA1

      532729897258b14aded3cb527ab21f97d8d3b5d7

    • SHA256

      456fbc2ec2202b9f253913c63a4d6fa29992d30296c16b920af093209f924674

    • SHA512

      baf1f30dc1f2c1d49bf8d044e7bb607306ace240f454b74156e923a764449058109ff049fb6e66002b86cecf82ddc9dd7ea28e216da75542b6c48cfa48f3ddd8

    • SSDEEP

      393216:erJzyNIOnrJXOzkxMOI1Xrh5z5MTYbN0w:edIxpnE9BY0R

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks