Overview

overview

10

Static

static

3

Vespy/Vesp...er.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Vespy_Reborn.zip

  • Size

    12.7MB

  • Sample

    240508-wy4dxsgh3t

  • MD5

    509f2c3b16693d6f5567a4a6dffde364

  • SHA1

    cf39af0140ebe861cf2af42021d52ecfad17f159

  • SHA256

    17a451a55f760f6f99545b60f3c5bda02eb7ca8a4174bc53dbbb4ea5d6da6520

  • SHA512

    68c33171dbeac8c7b62d9049b3aa5bf051693600e12e6f904ac523920146cd51941aeca5c9b12ce9a2aec3f56d009887e6fc11408b0d47fb8a25fb68e55aef21

  • SSDEEP

    393216:Z9Urth+b05ydAwy3rYXIaMm4MQDY/5Hy74:Z3jSF7YXBMm4MEY5Hy74

Score
10/10
growtopiaxenoratzgratevasionexecutionpersistencepyinstallerratstealertrojan

Malware Config

Extracted

Family

growtopia

C2

https://discord.com/api/webhooks/1199763266872803338/8vedcXoMcyExhe1xhBm5f8ncmafWmOB3pkulE0l8g9Pel0t3ziyr2V51cLTVEjYsE4Rj

Extracted

Family

xenorat

C2

jctestwindows.airdns.org

Mutex

Xeno_rat_nd8913d

Attributes
  • delay

    5000

  • install_path

    temp

  • port

    45010

  • startup_name

    WindowsErrorHandler

Targets

    • Target

      Vespy/VespyGrabberBuilder.exe

    • Size

      12.6MB

    • MD5

      fab385fb154644665f94aca9424fb0ce

    • SHA1

      8dc525108cebd97b3127129cc1633a7f31010424

    • SHA256

      c08b63c50a78ca119a5ff4fe10592a0f66289708df38349e91e645214aae7576

    • SHA512

      07def38b8590ebaa95d7213e77e3892f60f10a87cef797fa07c6feb033f08d4148024360c7c32b5f92441c41236b8a86e66cee59bb51d6fbde97b86923a640e3

    • SSDEEP

      393216:NayDfg/3Y8G6jgVINcfwt+F2CZZiLe2Wq:wyDfYPwPwtO2Mie2J

    Score
    10/10
    growtopiaxenoratzgratevasionexecutionpersistencepyinstallerratstealertrojan

    • Detect ZGRat V1

    • Growtopia

      Growtopa is an opensource modular stealer written in C#.

      stealergrowtopia

    • XenorRat

      XenorRat is a remote access trojan written in C#.

      trojanratxenorat

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Creates new service(s)

      persistenceexecution

    • Stops running service(s)

      evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

2
T1569

Service Execution

2
T1569.002

Scheduled Task/Job

1
T1053

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Impair Defenses

1
T1562

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Service Stop

1
T1489

Resource Development

Reconnaissance

Tasks