zgrat | 26d0fdbb4bd6d3860f9e15d6311f2e28d36ff8df09aa51e945be368ed25f4255

Resubmissions

12-05-2024 21:19

240512-z6dd9aga9w 10

12-05-2024 21:19

240512-z55gcabc33 10

12-05-2024 20:53

240512-zpcrdsad49 10

12-05-2024 17:09

240512-vn594afe9s 10

Analysis

max time kernel
7s
max time network
7s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
Size

2.7MB
MD5

69cc2e20ea7a51666b8c14be90441073
SHA1

6a3c7d3267c5c2a679f5f41dff36c091dccfb337
SHA256

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24
SHA512

de565813d0ddfe491c367e78b2a11891a73859a04efd83d8f35a4a6f6a028a29c873750dc863d1dfca9c40f9b4778cb1882bf8c07b9609f8463db22ac912922a
SSDEEP

49152:nsul/s9YiZYGuT/s9YEQtQRTMYIMi7ztf33cSywWyFoEgn9uw:nJVsG+YRzsG1tQRjdih8rwcr

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2040-1-0x000001F820570000-0x000001F82081E000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/2040-1-0x000001F820570000-0x000001F82081E000-memory.dmp	net_reactor

Drops startup file 3 IoCs

Processes:

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MVI6MT0qPLmQhQ6j.exe	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MVI6MT0qPLmQhQ6j.exe	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.CashRansomware	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

description	pid	Process
Token: SeDebugPrivilege	2040	958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
"C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4212,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:8
1⤵
PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\metadata.CashRansomware

Filesize
16B

MD5
8998714f3c5580091470cf91644d1113

SHA1
86c9d1fa2604aad91ce63f820dfba9d731be470e

SHA256
d1a9d93498b6f020dd0fdad27f03f28d2e7ab53cc55a7eaa349a7ff9077c13ea

SHA512
61e611bce039763cf19fc0f0de2445e5a631b695001cbcca1cf06fd1c6c68e7f0f0ec857c2c6f5a28840b0d041030c1fedfad753ff553c45daa2404c430f4d57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT.CashRansomware

Filesize
32B

MD5
cc27accdb1dcf3782dbd10b7ccd188f1

SHA1
a2d807ccf05e1348b2801219f7e296210255cca6

SHA256
41b5e4671f7fd47b9a33e8c19ff8eb724c4baab4875fbbb26c771d774eb0a383

SHA512
129284da9eabd9a687a7685dfd15c21d2483f654ad194a27de74e77bd5d3dbe0d13ceeff3b6db0ad6db58131e4ca48ec764b90ca6548dc5d24eb49015f2e5cb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001.CashRansomware

Filesize
48B

MD5
98b3a8cbf54136de7b90e1ba697ac2af

SHA1
3ebef4867e86e78c2fe92030b8ead61a484366b6

SHA256
959628fa34098bf75faa628e96d7b00ac36f78807cb3f9177c1dc2dd4246c5fb

SHA512
7d8a979d0adc5fbf0c9d9ab85fcbf5f6e849be73d3df94e15d95ff6d757dd5c0195613f523802086d705f8625373431325e463a9f0b464c4462b8aa31afaa749

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2.CashRansomware

Filesize
8KB

MD5
2e8d749f44f56dfc80c11b0a41f61d6d

SHA1
2f32dee230d9a8562483977177f01f19500984d4

SHA256
be066c71e7aae664ff7fbf925ed5ea3ab3ba03173b2f2fa782783c30e90566bf

SHA512
06b98a4021e4f3d5993087b0b02be405ad68752f02f35fff09f27217f5a678d7827d685e5937d9394783f7a21caac949dc053dcc1414ba87c76ebaa2297a835b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0.CashRansomware

Filesize
8KB

MD5
74b2322aa9a50ad5b86c13eec5ef4b3c

SHA1
5c0c7d359f8c5172b7af2ee8a1bacbd55fa172ff

SHA256
79f0af02b0bdba1fd18ba28e239ba0371afdaafc5f683efdef23236853e732c8

SHA512
3d2ace5e0c3148b70e59a138ef8b9a9002b35dc6ef35549fb243bd8fa7135fe047277e4f54898e5820478e5ce5d393fcefb41bcd46c7d70a63843d9a7c8868e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1.CashRansomware

Filesize
264KB

MD5
6e47984ac9e4bdc0c6997d4c982512e3

SHA1
da7168ec5c1ac7309d12c6d855aa501e64bf1b79

SHA256
edcba8a3435d65a80dfea212e8e1ae58f1e4d44f609fbb055a7b43d9bc4d9893

SHA512
6e346a7473fd6358c70263dcafb23b16fd212588f61c1034757547a59a2ff170e05718a2446ec2b1657a0eaf7b7851d49bad57481c37e169b676507fb127b74f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3.CashRansomware

Filesize
8KB

MD5
528fd0ee211a5950282e0bc46488a5d4

SHA1
a073f777d4e07eca2da2c38482d29bfd07745df8

SHA256
359bffd2ec316711af3ec573a65fa37baaebd4524f5dfdcb86e3f752f37a4732

SHA512
4cac52f314509b38bfb719e53f2de0e69f0112ee0d6abffbd2e5a256531240580901018d872844be58ca46647f66e34146b3041bc02d37fe3334b2d16d7d8854

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.CashRansomware

Filesize
8KB

MD5
50aabfea0110e1303a3f6394e2beeade

SHA1
2413c91ba6df3b30634fd0919958f7fbe0231fc1

SHA256
54634d4dd00bffa9ef2f65d2c71bbfd437c36c07e9d9b55cb3dd9a2f33d00735

SHA512
265724cb0dcfc0ca6e75c9e934e94db7bb73e1f3735a45628f8e6d3c969fcc88f4fbd6c110cb920dc81e591828967a9f9392adb3f5587f833af051af1d3333b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.CashRansomware

Filesize
48KB

MD5
e40ce712ab919de86ca7850caf1eae6c

SHA1
cfdf68b82d6a2262142c4f3687dbc00ce8b1b8d6

SHA256
9d58e5dd14f18c41243e89afa94304ac1c6107519a69ea8ba23250cc8778c4d8

SHA512
bfe4ae5f121da5ce08f8493e27dfde60bc9d743a0d252b9423ca554e5e7969999940a0cf668653fdf9e8ead1777a17f93b3c16da5aba0934434322102e9fd1f9

Download Submit
memory/2040-0-0x00007FFF166F3000-0x00007FFF166F5000-memory.dmp

Filesize
8KB

Download
memory/2040-1-0x000001F820570000-0x000001F82081E000-memory.dmp

Filesize
2.7MB

Download
memory/2040-2-0x00007FFF166F0000-0x00007FFF171B1000-memory.dmp

Filesize
10.8MB

Download