Overview

overview

10

Static

static

3

Zeus 4.7.2.exe

windows10-2004-x64

10

ZeusHex-GUI.exe

windows10-2004-x64

1

Resubmissions

07-06-2024 15:13

240607-slps8aac5v 10

07-06-2024 15:11

240607-sk3zfsbb99 10

07-06-2024 15:08

240607-sh7vmaac2s 10

07-06-2024 15:05

240607-sgnqcsbb65 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Nicht bestätigt 879324.crdownload

  • Size

    1.4MB

  • Sample

    240607-sh7vmaac2s

  • MD5

    e3970ffa96653f138e63ad0148970dac

  • SHA1

    b466278571bc1b20f2cf767b2222c17449ee1dbc

  • SHA256

    5a32b1864bcb2d237aca956c3b7474c2de484c38cbaa608ab5ffc71214bae2b8

  • SHA512

    af9e28a39cda24521ad4239d8c616bffbb63a44ae3efedbf9320f83146b5ada758fc2d76fdba07e89bf9066088fd7159650b66c998549c49fbdade1022c0a163

  • SSDEEP

    24576:CvJwL1rOBrsdTKf8oyVJHOohsXiV61rbXWcbd7JFV9MGiwS5OlliRw+gj8jbpRtQ:yJwxrOBaTKf8NVtOPXdbNHFVKc/izgjz

Score
10/10
rhadamanthysevasionexecutionpersistencespywarestealer

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://rentry.org/lem61111111111/raw

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://bitbucket.org/43g34g34g34/34g34g34g34g/raw/e946dd91d069dd0a14070ddbc4920354650bd041/lem.rar

Targets

    • Target

      Zeus 4.7.2.exe

    • Size

      173KB

    • MD5

      28e0ba051ad84949cfedd2a58b1636cb

    • SHA1

      6ff46613adb7594c6abbe0ee9c64a68129501fb8

    • SHA256

      265013eb61e407130b8fe723809549000ffe4ad96ef6c5ad1945e2727cee5aa0

    • SHA512

      a14ea1a7e8756e15aee996c848006a1f2212acd753ca1629224b362fe8ef24331c49617f59bd84846b95a2143744418bbd78a4d0088efab76228344662ae67a4

    • SSDEEP

      3072:NPBBih6XScZZmmiyQrcR6qx6LAIxkN3wlCxvxrtJRscwX7zhhxXNrykAOkvpObQ:Nyh6XffliyQrC6LAIxkpwlOJrtJRscwi

    Score
    10/10
    rhadamanthysevasionexecutionpersistencespywarestealer

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

      evasionexecution

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

    • Target

      ZeusHex-GUI.dll

    • Size

      1.3MB

    • MD5

      ad714ee48d2e829c5012c65de6166c05

    • SHA1

      5880bac89ca346dae62c053aa49c028372388edd

    • SHA256

      7d32d13d123871650794a1e172adc70bc8dafbdb762f49d889f813844d532b20

    • SHA512

      a51252950455dbfb5dfd564689e605b022bdf26f80ad12f3fde3e341a14b8f764324ff3be6f29e4855bd499141e23628e9aabb0e439627dc802814db091d54ee

    • SSDEEP

      24576:ZfaPwrgBrO1BKH8jPcWYVxHCoh0XeV61r9qZWe7d7NWS91GsVz9cebgS9aI:ZCPwrgBWBKH8jkDVFCNXODzWS9HfX0HI

    Score
    1/10
    behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

6
T1012

System Information Discovery

7
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks