General
-
Target
15052024_1229_15052024_doc023561361500.Tar
-
Size
892KB
-
Sample
240515-pny8wshe95
-
MD5
0134996420c1fae9221e39f78a0d2233
-
SHA1
dd529a75b84fcf40c0545d9c83acd81ad3059626
-
SHA256
368c416ec45d094456b80562f6c91d3c1371f35ed70a329ac7b28a17d0cc6b99
-
SHA512
98abde62d08ec20ff18689d8cce1778ee1b473ead833f37d4e88408a80abc5449bbcbf284d640d2a6001412dc82229ea6a2ef582fd231eff0a6b03cbdce19778
-
SSDEEP
12288:Kc6rcVTZAJZhhwChzJomBlnM6JyQTUWxOZFOhCZO1hXQFOPD7/rP6hy:KiTG+8zi+bJQWIFO71hXQMLd
Malware Config
Targets
-
-
Target
doc023561361500.cmd
-
Size
4.9MB
-
MD5
d05bed0572c3ce597f3b4be7a2606c08
-
SHA1
f621468b397308f1055afaf2f27814a390eb16ea
-
SHA256
e84dd67c7831168c1d7a0f11a78d1e0497eb1cfa8689b25b291ee4b1b96826a4
-
SHA512
4fbe7a932d91882491648b489ec1e2c349ec71423c071e3f751c130e51ae62881473a9feaf3d842c60ed2fb6922b59f0b611491145e84b07e7145efb0ca7ec79
-
SSDEEP
24576:sYkuWvLHtSs/yfVZIC5z65HTGq42xfcJele9P2dxBJGhRC8Ih:sYkuWTcDXB65HPxfhleljIh
Score10/10-
Detect ZGRat V1
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
ModiLoader Second Stage
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-