Overview

overview

10

Static

static

3

Sh1t.dll

windows7-x64

8

Sh1t.dll

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Sh1t.dll

  • Size

    12.3MB

  • Sample

    240512-n6vgzsha52

  • MD5

    8d1e6c16a13ef1b1d8d681d6aa920e67

  • SHA1

    1f061ab5845a9ab887f1f1367016fc9600517e08

  • SHA256

    623afd3e2835f4a6b597f7aeec9301521778e3f82365d745e81de37f800bd1b7

  • SHA512

    b8052b50d8c7b25bacd4831417a83e6e40d351c712071f3cdceb167e498037e88e5b219646090a8f09e0b0246204432d5e28e1b644a640af332acf11d3ae35a6

  • SSDEEP

    196608:Hf8xXyVKVap/Xq/pefvyKEpb6O9DNe23Nn1cRTi+VVYAePVeRgUQWoWzUB+:/f1tqBefvTOhg0GrVY78oR0

Score
10/10
zgratexecutionrat

Malware Config

Targets

    • Target

      Sh1t.dll

    • Size

      12.3MB

    • MD5

      8d1e6c16a13ef1b1d8d681d6aa920e67

    • SHA1

      1f061ab5845a9ab887f1f1367016fc9600517e08

    • SHA256

      623afd3e2835f4a6b597f7aeec9301521778e3f82365d745e81de37f800bd1b7

    • SHA512

      b8052b50d8c7b25bacd4831417a83e6e40d351c712071f3cdceb167e498037e88e5b219646090a8f09e0b0246204432d5e28e1b644a640af332acf11d3ae35a6

    • SSDEEP

      196608:Hf8xXyVKVap/Xq/pefvyKEpb6O9DNe23Nn1cRTi+VVYAePVeRgUQWoWzUB+:/f1tqBefvTOhg0GrVY78oR0

    Score
    10/10
    executionzgratrat

    • Detect ZGRat V1

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

      execution

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks