General
-
Target
TT ViewBot Tool.rar
-
Size
2.5MB
-
Sample
240507-e3mhjahf8y
-
MD5
2d8e0aacc4d03e584d72dab765035fe3
-
SHA1
9e8873ee30ef69abb762781db025ecee0d6be817
-
SHA256
0aa3a8f7bd8f94484b0435e72e292744161b0707186f94845b7b6b54ac8f874d
-
SHA512
366a66c845b7a24da8416a4765f11e511fd8dc526e083190dfa5bc8a874f71d5cb155da72aae01d5173b4136e1ad41afd9a5e8437264c4c5c097442fef3298df
-
SSDEEP
49152:8lV1gGgvC7f0OoqKFKdoOyO29o4wZzboGJDY8BtKr:moGhocdxyDo9boGi2O
Malware Config
Targets
-
-
Target
TT ViewBot Tool.rar
-
Size
2.5MB
-
MD5
2d8e0aacc4d03e584d72dab765035fe3
-
SHA1
9e8873ee30ef69abb762781db025ecee0d6be817
-
SHA256
0aa3a8f7bd8f94484b0435e72e292744161b0707186f94845b7b6b54ac8f874d
-
SHA512
366a66c845b7a24da8416a4765f11e511fd8dc526e083190dfa5bc8a874f71d5cb155da72aae01d5173b4136e1ad41afd9a5e8437264c4c5c097442fef3298df
-
SSDEEP
49152:8lV1gGgvC7f0OoqKFKdoOyO29o4wZzboGJDY8BtKr:moGhocdxyDo9boGi2O
Score10/10-
Detect ZGRat V1
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
TT ViewBot v2.0/.gitignore
-
Size
2KB
-
MD5
da211c7c93bf4e8861af1dc2616c9548
-
SHA1
eb7d1ec41dbdbf2a89c4c62000b0f6b8313d8c15
-
SHA256
fcc9443ae95fc4cfd56aed31937d8060e03212a92707615fed5ee59e0b38def6
-
SHA512
75c7e19808d263a91d226722d36f5c93cfa02607557977abe10e6c79714e012c98182fabb048e630ec647c937246a29deb5a888419cc00cb4b195c378918b7de
Score3/10 -
-
-
Target
TT ViewBot v2.0/Data/Lists.py
-
Size
2KB
-
MD5
58b844082767dd40b291276087b6323b
-
SHA1
41748aed3409eeb4be7a8d53b98a81fcfff2323d
-
SHA256
b21702251cf0e88c166088d4e08294b2b0c2f961da8056ac48c735243d554279
-
SHA512
f50268442358d511424d649603ce701cda7bb885cdfe005c8fbcdbde2b47784102b7196438d664ef4c32b5c317ad9e9b8ec7f1ed741d3aef399f378149c61547
Score3/10 -
-
-
Target
TT ViewBot v2.0/Data/Proxies.txt
-
Size
412KB
-
MD5
479410925b7fca43cfd87c5867cc65f2
-
SHA1
af0baeafb8614455a111f206f21fe59178b8417d
-
SHA256
23725e00d9dacec4e1fdc3c2a2fb7d20743873a1f9cf9d66d0cd0069e70cb0b3
-
SHA512
fc78d7aa7b857850f4599cd9a209daeb386d7e2ecad1e3b5dd81befae97d2c8f94001d91260fc3468236b4729a9ff4a36d78422c24024a2a5caa178b347220a1
-
SSDEEP
3072:KN8g/BwMNyWrUMLmshrPlwDS4MYXLr0RrC:AWMx0ePy/
Score1/10 -
-
-
Target
TT ViewBot v2.0/Data/ScrapProxie.py
-
Size
8KB
-
MD5
005e6b6cd75e6fd6040731c64494e537
-
SHA1
86f24fc5aad569829e0651bdcd607168c19c58f6
-
SHA256
8fd6afc4c92b8c65eb96a7493e559c83449578fcf178e20d9d126b411eead5e5
-
SHA512
a16848eda731c6e7591b94a7291095a19fca11ecdd2e4b1e55306f28b288bc473f2bad97bb505c0c8fd4d3a7e7227103427ac5aed1bf6bd3b21f6bce3e785931
-
SSDEEP
96:QSGcG6lghWnE559ZlWoxKMk59Vp+pvey9t9c9xsRvRxY1K7DpCgkTli:P659ZwoxKMW9Vp+pmYHexscU9j
Score3/10 -
-
-
Target
TT ViewBot v2.0/Data/UserAgent.py
-
Size
1.0MB
-
MD5
0c9b29e6b8291144a8a1c7b190accbe5
-
SHA1
a5946876fb6de43a28c9b3d3b783c755f74f41f1
-
SHA256
8ec04b593bbf03b344809ebca690dcec7bc082bccd0e28d3b4931b371ab044c9
-
SHA512
cc8ad93051da8b447064d4c3dbaab624b8fa4516874358a1dfe2d52ac03a87f104b6cae8b036c42c87c7d9b1946138d9a0f4f7f5ed2db62b0a771901e1ec5cfe
-
SSDEEP
384:UKxzhaSY5IiEgeBLPxKQheqwF3zdU49rdobwjkH6g6QcOHcoR8AnaREHszt3Y3fO:e
Score3/10 -
-
-
Target
TT ViewBot v2.0/LICENSE
-
Size
1KB
-
MD5
92cd1aa46af18db848c738b5381d5776
-
SHA1
c641b7693442a778b4103b633e533efdc8f62f4a
-
SHA256
98dc91fe998ed0c083e5f54bd7b4b86455db81cbe0f90833d6eb1c029f4c49b8
-
SHA512
00468089eb4186f41ced4518f0dcf43b7defdd06a6100e7a3758c6b2639a1c6bc5be3ea0daa9cb6cd9b663d6aac14bd330899d10bf61fdfe1aafc4a54bef93b9
Score1/10 -
-
-
Target
TT ViewBot v2.0/README.md
-
Size
1KB
-
MD5
a7a864f27133423e30394af410cb4782
-
SHA1
b8d68d24ac5f3e77ded17db50a0da503f052ddcb
-
SHA256
04ac4efd3bba8ac958cd3a73fef70715703c62f8deb962d12b13249c7b2ae3f6
-
SHA512
3948d046f0d49116a2112f229cb273a91cfd217b9b5aefe9eec5a5954bf5377be4cb05984b1313a3ea4deb847084ed84f2fb3f987dc14e1752b85088e8c1ba50
Score3/10 -
-
-
Target
TT ViewBot v2.0/bot_start.exe
-
Size
2.5MB
-
MD5
bf4a8b1ff2f896acac3e7ace357abfca
-
SHA1
c1bd1b3d2959d844f6b4e339f45d3749667df3e1
-
SHA256
e0d1d7c74b52bbd40f5dc85cb9b3ab69ae750d8fc3f5fbd15a98eed616c1ce8e
-
SHA512
fd7082a905540e23a5c5b6fd2717c0255ede2680bef16076f174d417bbeef4694e2fa82a8f9e0407cc160344cc194edd19ab40901b468c1695a1b8773e23e494
-
SSDEEP
49152:Tfx0DZfVUfCnJA3bxBLbsgyGKEQYdfT3kVYCNN5oUpwmJFkjQuQLLOet:l4ZnIlBvyGKJA3kVD4lIl7r
Score10/10-
Detect ZGRat V1
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
TT ViewBot v2.0/setup.py
-
Size
941B
-
MD5
eda4ba41910e22351b9181d552cf3b1c
-
SHA1
bf2fa5977b13b6ae80a4a1915d8025f75eca16fd
-
SHA256
1291ef03e04110780a294bb9608358901fb86ea235840fbd49ffe7beeb6c4da4
-
SHA512
1f6bcfd592c408acc45ec680ca78d01f15ed5ff3a7aaa632410923f4b661de671d9a5db6dd14b1695dcad37979b053df2d9d3067be8d5a51687bc583fda89ed2
Score3/10 -