Resubmissions

13-05-2024 22:03

240513-1yc9ysga66 10

13-05-2024 21:55

240513-1svbaafb7s 10

13-05-2024 21:49

240513-1pmf9sff48 10

13-05-2024 07:47

240513-jmr6asga64 7

13-05-2024 07:44

240513-jksn2sch3w 7

12-05-2024 10:52

240512-myqy6abg9x 7

11-05-2024 13:06

240511-qcaxlaca29 3

11-05-2024 12:19

240511-phhzqaaf23 3

11-05-2024 12:07

240511-paandaab47 3

General

  • Target

    Loader.exe

  • Size

    347KB

  • Sample

    240513-1yc9ysga66

  • MD5

    1cb742cb95699d994e1cc6810c6f7642

  • SHA1

    103ea603322859742a3e51c5e517a927b9dcd40c

  • SHA256

    c9c660914e4d58a6e0dd460afae6e4af288c9f191ad8592dc95db5a69868fc70

  • SHA512

    79f9a70232b3470ef9386d9b3d987b5370d0562959315d8239509000a1aa9274b13cecc4c6c871cd4d258a0cd19d30574e3280edd54fb108b6ffca7d8c7e4795

  • SSDEEP

    6144:RrwFDD0tZzmf7GxMLEYaEzE2d9JK5/J1pZKM35QM6KkfiruhbOuzB:Rg07e7seE2dK71rKu5Q6kfirIbOuF

Malware Config

Targets

    • Target

      Loader.exe

    • Size

      347KB

    • MD5

      1cb742cb95699d994e1cc6810c6f7642

    • SHA1

      103ea603322859742a3e51c5e517a927b9dcd40c

    • SHA256

      c9c660914e4d58a6e0dd460afae6e4af288c9f191ad8592dc95db5a69868fc70

    • SHA512

      79f9a70232b3470ef9386d9b3d987b5370d0562959315d8239509000a1aa9274b13cecc4c6c871cd4d258a0cd19d30574e3280edd54fb108b6ffca7d8c7e4795

    • SSDEEP

      6144:RrwFDD0tZzmf7GxMLEYaEzE2d9JK5/J1pZKM35QM6KkfiruhbOuzB:Rg07e7seE2dK71rKu5Q6kfirIbOuF

    • Detect ZGRat V1

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks