General
-
Target
VbN3DApa
-
Size
2KB
-
Sample
240515-hqfq1aeb46
-
MD5
d4f4f0d6954a3e724e9019dafe756eb7
-
SHA1
55676693aff704806894dba78577ac73abc9a24a
-
SHA256
ad853d0877e60d9f903ede78c34082b93e090cb5277ef9d0ff875553c953c255
-
SHA512
9d0d73867a2989fd132db563b9dd4e99806618b2597d84f5862d0aacaea89c7bf15a022f949d0b0cf5d3d43426f7ec675d58e7758fba7e27e3b644afa80cb107
Malware Config
Targets
-
-
Target
VbN3DApa
-
Size
2KB
-
MD5
d4f4f0d6954a3e724e9019dafe756eb7
-
SHA1
55676693aff704806894dba78577ac73abc9a24a
-
SHA256
ad853d0877e60d9f903ede78c34082b93e090cb5277ef9d0ff875553c953c255
-
SHA512
9d0d73867a2989fd132db563b9dd4e99806618b2597d84f5862d0aacaea89c7bf15a022f949d0b0cf5d3d43426f7ec675d58e7758fba7e27e3b644afa80cb107
Score10/10-
Cobalt Strike reflective loader
Detects the reflective loader used by Cobalt Strike.
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Detect ZGRat V1
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Modifies boot configuration data using bcdedit
-
Contacts a large (543) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Manipulates Digital Signatures
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Modifies Installed Components in the registry
-
Modifies Windows Firewall
-
Possible privilege escalation attempt
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Modifies system executable filetype association
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies powershell logging option
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
4Event Triggered Execution
1Change Default File Association
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
4Event Triggered Execution
1Change Default File Association
1Defense Evasion
Subvert Trust Controls
2SIP and Trust Provider Hijacking
1Install Root Certificate
1Modify Registry
7Impair Defenses
1Disable or Modify System Firewall
1File and Directory Permissions Modification
1Pre-OS Boot
1Bootkit
1