cobaltstrike

General

Target

GearWare.exe
Size

344KB
Sample

240508-nkl9gsab9s
MD5

a784a198b4e30a5e7cdae7a63868ce7a
SHA1

464fb3031192c7466e3e3cadd32a56aeffa3dca8
SHA256

ef702c84cb2c0c6953e82c8f77219170d4633ba16010a7e19ca7fafbe9a519b6
SHA512

4b3e7e3ea12b051b289776b78353a5418011825e3dfbd5e684e6a9f303c5d6e120652a3560da8f3063756b74314a50384dff3c7961b0d80da101d98b46e43ad1
SSDEEP

3072:/7DhdC6kzWypvaQ0FxyNTBf6UW0AW2Okz+OKJA81a:/BlkZvaF4NTBCUW0AW2OzOKo

Score

10^/10

Malware Config

Targets

- Target
  
  GearWare.exe
- Size
  
  344KB
- MD5
  
  a784a198b4e30a5e7cdae7a63868ce7a
- SHA1
  
  464fb3031192c7466e3e3cadd32a56aeffa3dca8
- SHA256
  
  ef702c84cb2c0c6953e82c8f77219170d4633ba16010a7e19ca7fafbe9a519b6
- SHA512
  
  4b3e7e3ea12b051b289776b78353a5418011825e3dfbd5e684e6a9f303c5d6e120652a3560da8f3063756b74314a50384dff3c7961b0d80da101d98b46e43ad1
- SSDEEP
  
  3072:/7DhdC6kzWypvaQ0FxyNTBf6UW0AW2Okz+OKJA81a:/BlkZvaF4NTBCUW0AW2OzOKo
Score

10^/10

cobaltstrike zgrat backdoor bootkit discovery evasion execution persistence rat spyware stealer trojan
- Cobalt Strike reflective loader
  Detects the reflective loader used by Cobalt Strike.
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Installed Components in the registry
  persistence
- Sets file execution options in registry
  persistence
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies powershell logging option
  evasion
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
behavioral1