Analysis Overview
SHA256
deaf3e009a0a9df61e84c2befdb5db10599f47c03fbdefbbdce83aac3a969cd1
Threat Level: Known bad
The file deaf3e009a0a9df61e84c2befdb5db10599f47c03fbdefbbdce83aac3a969cd1 was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Detect ZGRat V1
Zgrat family
ZGRat
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-08 23:59
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Zgrat family
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-08 23:59
Reported
2024-05-09 00:04
Platform
win7-20240508-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
ZGRat
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1936 set thread context of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\deaf3e009a0a9df61e84c2befdb5db10599f47c03fbdefbbdce83aac3a969cd1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\deaf3e009a0a9df61e84c2befdb5db10599f47c03fbdefbbdce83aac3a969cd1.exe
"C:\Users\Admin\AppData\Local\Temp\deaf3e009a0a9df61e84c2befdb5db10599f47c03fbdefbbdce83aac3a969cd1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
Files
memory/1936-0-0x000000007407E000-0x000000007407F000-memory.dmp
memory/1936-1-0x0000000000390000-0x000000000040A000-memory.dmp
memory/1936-2-0x0000000074070000-0x000000007475E000-memory.dmp
memory/1936-5-0x0000000074070000-0x000000007475E000-memory.dmp
memory/2084-18-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2084-15-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2084-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2084-12-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2084-11-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2084-10-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2084-8-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2084-6-0x0000000000400000-0x000000000045C000-memory.dmp
memory/2084-19-0x0000000000400000-0x000000000045C000-memory.dmp
memory/1936-20-0x0000000074070000-0x000000007475E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-08 23:59
Reported
2024-05-09 00:04
Platform
win10-20240404-en
Max time kernel
195s
Max time network
299s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Lumma Stealer
ZGRat
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5032 set thread context of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\deaf3e009a0a9df61e84c2befdb5db10599f47c03fbdefbbdce83aac3a969cd1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\deaf3e009a0a9df61e84c2befdb5db10599f47c03fbdefbbdce83aac3a969cd1.exe
"C:\Users\Admin\AppData\Local\Temp\deaf3e009a0a9df61e84c2befdb5db10599f47c03fbdefbbdce83aac3a969cd1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | miniaturefinerninewjs.shop | udp |
| US | 104.21.30.191:443 | miniaturefinerninewjs.shop | tcp |
| US | 8.8.8.8:53 | 191.30.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | acceptabledcooeprs.shop | udp |
| US | 172.67.180.137:443 | acceptabledcooeprs.shop | tcp |
| US | 8.8.8.8:53 | obsceneclassyjuwks.shop | udp |
| US | 8.8.8.8:53 | 137.180.67.172.in-addr.arpa | udp |
| US | 172.67.192.5:443 | obsceneclassyjuwks.shop | tcp |
| US | 8.8.8.8:53 | zippyfinickysofwps.shop | udp |
| US | 172.67.148.231:443 | zippyfinickysofwps.shop | tcp |
| US | 8.8.8.8:53 | plaintediousidowsko.shop | udp |
| US | 104.21.53.146:443 | plaintediousidowsko.shop | tcp |
| US | 8.8.8.8:53 | 231.148.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.192.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sweetsquarediaslw.shop | udp |
| US | 104.21.44.201:443 | sweetsquarediaslw.shop | tcp |
| US | 8.8.8.8:53 | holicisticscrarws.shop | udp |
| US | 172.67.183.72:443 | holicisticscrarws.shop | tcp |
| US | 8.8.8.8:53 | boredimperissvieos.shop | udp |
| US | 172.67.186.30:443 | boredimperissvieos.shop | tcp |
| US | 8.8.8.8:53 | 146.53.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.44.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.183.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.186.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
memory/5032-0-0x000000007370E000-0x000000007370F000-memory.dmp
memory/5032-1-0x0000000000210000-0x000000000028A000-memory.dmp
memory/5032-2-0x0000000073700000-0x0000000073DEE000-memory.dmp
memory/4924-5-0x0000000000400000-0x000000000045C000-memory.dmp
memory/5032-11-0x0000000073700000-0x0000000073DEE000-memory.dmp
memory/5032-10-0x0000000073700000-0x0000000073DEE000-memory.dmp
memory/4924-12-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4924-9-0x0000000000400000-0x000000000045C000-memory.dmp
memory/5032-13-0x0000000073700000-0x0000000073DEE000-memory.dmp