General

  • Target

    gbound.hta

  • Size

    9KB

  • Sample

    240513-d775cshf4t

  • MD5

    344020eda12e49be499998ace856ed47

  • SHA1

    f0a7431a73e7cb0be73fbc588bd91cf173f672d3

  • SHA256

    355851dbcd13c36aa58da3c34213e30e15b2a299f6fbe7611b07b07679041ac4

  • SHA512

    c3a949de4b8d79b84be37d4b4695a7ccde2b2da583ef998442cb0d9a7191756bcf3d67cf5c2da476f3590823177d07355a9151df32c10d259a32bc4f1fea3b90

  • SSDEEP

    192:w1YCCf214wpenCk59zcntnonzcE6LChVg+D0SDs/:w/Cf214UenCkncntnonzcE6kVgmRs/

Malware Config

Targets

    • Target

      gbound.hta

    • Size

      9KB

    • MD5

      344020eda12e49be499998ace856ed47

    • SHA1

      f0a7431a73e7cb0be73fbc588bd91cf173f672d3

    • SHA256

      355851dbcd13c36aa58da3c34213e30e15b2a299f6fbe7611b07b07679041ac4

    • SHA512

      c3a949de4b8d79b84be37d4b4695a7ccde2b2da583ef998442cb0d9a7191756bcf3d67cf5c2da476f3590823177d07355a9151df32c10d259a32bc4f1fea3b90

    • SSDEEP

      192:w1YCCf214wpenCk59zcntnonzcE6LChVg+D0SDs/:w/Cf214UenCkncntnonzcE6kVgmRs/

    • Detect ZGRat V1

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks