General
-
Target
utorrent(2).zip
-
Size
4.4MB
-
Sample
240506-vct3padh29
-
MD5
13f4e2ae5a5fa3b5bab66e7ff3f969f2
-
SHA1
27f35bc4ad3ceeaba65d9cd5a094a0d1a6cfefa4
-
SHA256
35f087ef288829bd545c2493a3be65386a002aeb9f4d6f349558a88c4e5e7f3e
-
SHA512
3543177ca371118077a951bd9291d6fa14896dbe703f6b992726a60fe88c449dec12ba0870fb68ad75bc82a176b0d843755aebbdbf2e495b0edcd1f7603e85bb
-
SSDEEP
98304:oGCHry8tOhk0DBYXjQQ/OIEJlV6/t3olM2EcYSnowRSyTZRv+uMpST+zm6WZJ:oGCLyb7DBYzQ/LJC3svEcYSowR1Z9+pg
Malware Config
Targets
-
-
Target
utorrent(2).exe
-
Size
4.6MB
-
MD5
866808a07c4201225a9796f15fab45ab
-
SHA1
614b66c09ea144fa42ec2e0a8d71c682fee7a36c
-
SHA256
d2c62bdc4d4bbf2e511383361710d0491eb15380683ec2c81e8f9de8ae0e3faf
-
SHA512
3b8292689d6e9fbc8328610bdf5acf7f21da2ce1b157c22aa3f52e693d136ac984753b219d3ea6fe8d18ea8ef06667b476a0a6c3841e3777acde53d1c322dc64
-
SSDEEP
98304:xW6TB4MNOR0GJn4VpQADOEsXlR+RXNGPoCWP2+sIYdGMhrpEE6hKBuVMCaFE:A6945PJn47QhfXCNGJWP2+sIYdDr+NA0
Score10/10-
Detect ZGRat V1
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Sets file execution options in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Scheduled Task/Job
1Defense Evasion
Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
1