Overview

overview

10

Static

static

3

fbb6ba1836...KI.dll

windows7-x64

10

fbb6ba1836...KI.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-05-2024 06:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fbb6ba1836914f33ecaa3cb35d51fab0_NEIKI.dll

  • Size

    445KB

  • MD5

    fbb6ba1836914f33ecaa3cb35d51fab0

  • SHA1

    19afb4d0600ecde28daceaa0f620a84aa49017a4

  • SHA256

    0d66f94c73dcb872d635e9fd741ee6b83b39b2c06149bdf20897985a0515ede8

  • SHA512

    1c56730907e62f2e25c4aacc95b92a548a3f8d5b0f84a27e360d5f3cd49b5e2abba1838057df4c2458552f89c9e8a76d87b489f537b304bc7c2664004f3ae1ee

  • SSDEEP

    12288:E/q4BLbIVjQ8kitrxU3IuIjplqzHZni0i8Bz9:twbIVjQ8trxisXoZ4y

Score
10/10
zgratratspyware

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fbb6ba1836914f33ecaa3cb35d51fab0_NEIKI.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\fbb6ba1836914f33ecaa3cb35d51fab0_NEIKI.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4472
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4856-0-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/4856-1-0x000000007462E000-0x000000007462F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4856-2-0x0000000005EF0000-0x0000000006494000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4856-3-0x0000000005940000-0x00000000059D2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4856-4-0x0000000074620000-0x0000000074DD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4856-5-0x00000000059E0000-0x00000000059EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4856-6-0x0000000008CE0000-0x00000000092F8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4856-7-0x0000000008810000-0x000000000891A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4856-8-0x0000000008740000-0x0000000008752000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4856-9-0x00000000087A0000-0x00000000087DC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4856-10-0x0000000008920000-0x000000000896C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4856-11-0x0000000008A90000-0x0000000008AF6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4856-12-0x0000000009400000-0x0000000009476000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4856-13-0x0000000008C70000-0x0000000008C8E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4856-14-0x000000000A1A0000-0x000000000A362000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4856-15-0x000000000A8A0000-0x000000000ADCC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4856-17-0x0000000074620000-0x0000000074DD0000-memory.dmp

    Filesize

    7.7MB

    Download