General

  • Target

    celex.rar

  • Size

    16.5MB

  • Sample

    240513-hagclaae5z

  • MD5

    110392842a089e38d4ad84b760078793

  • SHA1

    bee7a858404207e9e2fd5bf78c6c5d06d6f5485b

  • SHA256

    f24dfb8c41bce571703b6950ee437e1b54448251a0a06ed8360f6a72ab113c9e

  • SHA512

    041c14cb191db27d5d4592c698cfe78e4e3f12c2dfbb14a85918941ec70e62b5264f26315632e543503977d9f72766a2ffb35f1149aa040b7c5b14bbaf4ebd7f

  • SSDEEP

    393216:jNnvQe76XG8NzQV6Bhs0ZIN1JraE36dI+BDvq2pk1VE:vehNzt+dJraM6d1p5k1m

Malware Config

Targets

    • Target

      creal.exe

    • Size

      16.2MB

    • MD5

      f35e7eb4d2495e4fcef369ab293fb9b4

    • SHA1

      28ae39be99ac6df812db772e8915625cef829271

    • SHA256

      663cada20309d3c56295067882b73f0218d2b50968f66ac9e3cdd7c91d9b4d26

    • SHA512

      c3fcf97ee27ccb0d72c755c287d3c05c3a48073db4e6aff7c63f296e33b648e5b738f60d697cd32432dabbbbcc6529701f56186211f6ffe65c24e6c658bced11

    • SSDEEP

      393216:fEkMD2n9JWQsUcR4NzQW+eGQRCMTozGxu8C0ibfz6e57v1TNm:fUDa9YQFIW+e5RLoztZ026e5BJm

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks