growtopia | 17a451a55f760f6f99545b60f3c5bda02eb7ca8a4174bc53dbbb4ea5d6da6520 | Triage

Submit
Reports

Overview

overview

Static

static

3

Vespy/Vesp...er.exe

windows10-2004-x64

Sharing

General

Target

Vespy_Reborn.zip
Size

12.7MB
Sample

240508-wy4dxsgh3t
MD5

509f2c3b16693d6f5567a4a6dffde364
SHA1

cf39af0140ebe861cf2af42021d52ecfad17f159
SHA256

17a451a55f760f6f99545b60f3c5bda02eb7ca8a4174bc53dbbb4ea5d6da6520
SHA512

68c33171dbeac8c7b62d9049b3aa5bf051693600e12e6f904ac523920146cd51941aeca5c9b12ce9a2aec3f56d009887e6fc11408b0d47fb8a25fb68e55aef21
SSDEEP

393216:Z9Urth+b05ydAwy3rYXIaMm4MQDY/5Hy74:Z3jSF7YXBMm4MEY5Hy74

Score

10^/10

growtopia xenorat zgrat evasion execution persistence pyinstaller rat stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Vespy/VespyGrabberBuilder.exe

Resource

win10v2004-20240508-en

growtopia xenorat zgrat evasion execution persistence pyinstaller rat stealer trojan

windows10-2004-x64

26 signatures

1800 seconds

Malware Config

Extracted

Family

growtopia

C2

https://discord.com/api/webhooks/1199763266872803338/8vedcXoMcyExhe1xhBm5f8ncmafWmOB3pkulE0l8g9Pel0t3ziyr2V51cLTVEjYsE4Rj

Extracted

Family

xenorat

C2

jctestwindows.airdns.org

Mutex

Xeno_rat_nd8913d

Attributes

delay
5000
install_path
temp
port
45010
startup_name
WindowsErrorHandler

Targets

- Target
  
  Vespy/VespyGrabberBuilder.exe
- Size
  
  12.6MB
- MD5
  
  fab385fb154644665f94aca9424fb0ce
- SHA1
  
  8dc525108cebd97b3127129cc1633a7f31010424
- SHA256
  
  c08b63c50a78ca119a5ff4fe10592a0f66289708df38349e91e645214aae7576
- SHA512
  
  07def38b8590ebaa95d7213e77e3892f60f10a87cef797fa07c6feb033f08d4148024360c7c32b5f92441c41236b8a86e66cee59bb51d6fbde97b86923a640e3
- SSDEEP
  
  393216:NayDfg/3Y8G6jgVINcfwt+F2CZZiLe2Wq:wyDfYPwPwtO2Mie2J
Score

10^/10

growtopia xenorat zgrat evasion execution persistence pyinstaller rat stealer trojan
- Detect ZGRat V1
- Growtopia
  Growtopa is an opensource modular stealer written in C#.
  stealer growtopia
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Creates new service(s)
  persistence execution
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

growtopiaxenoratzgratevasionexecutionpersistencepyinstallerratstealertrojan

© 2018-2025

Terms | Privacy