Overview

overview

10

Static

static

1

doc023561361500.cmd

windows7-x64

7

doc023561361500.cmd

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    15052024_1229_15052024_doc023561361500.Tar

  • Size

    892KB

  • Sample

    240515-pny8wshe95

  • MD5

    0134996420c1fae9221e39f78a0d2233

  • SHA1

    dd529a75b84fcf40c0545d9c83acd81ad3059626

  • SHA256

    368c416ec45d094456b80562f6c91d3c1371f35ed70a329ac7b28a17d0cc6b99

  • SHA512

    98abde62d08ec20ff18689d8cce1778ee1b473ead833f37d4e88408a80abc5449bbcbf284d640d2a6001412dc82229ea6a2ef582fd231eff0a6b03cbdce19778

  • SSDEEP

    12288:Kc6rcVTZAJZhhwChzJomBlnM6JyQTUWxOZFOhCZO1hXQFOPD7/rP6hy:KiTG+8zi+bJQWIFO71hXQMLd

Score
10/10
modiloaderzgratratspywarestealertrojan

Malware Config

Targets

    • Target

      doc023561361500.cmd

    • Size

      4.9MB

    • MD5

      d05bed0572c3ce597f3b4be7a2606c08

    • SHA1

      f621468b397308f1055afaf2f27814a390eb16ea

    • SHA256

      e84dd67c7831168c1d7a0f11a78d1e0497eb1cfa8689b25b291ee4b1b96826a4

    • SHA512

      4fbe7a932d91882491648b489ec1e2c349ec71423c071e3f751c130e51ae62881473a9feaf3d842c60ed2fb6922b59f0b611491145e84b07e7145efb0ca7ec79

    • SSDEEP

      24576:sYkuWvLHtSs/yfVZIC5z65HTGq42xfcJele9P2dxBJGhRC8Ih:sYkuWTcDXB65HPxfhleljIh

    Score
    10/10
    modiloaderzgratratspywarestealertrojan

    • Detect ZGRat V1

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • ModiLoader Second Stage

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks