General
-
Target
Nicht bestätigt 879324.crdownload
-
Size
1.4MB
-
Sample
240607-sk3zfsbb99
-
MD5
e3970ffa96653f138e63ad0148970dac
-
SHA1
b466278571bc1b20f2cf767b2222c17449ee1dbc
-
SHA256
5a32b1864bcb2d237aca956c3b7474c2de484c38cbaa608ab5ffc71214bae2b8
-
SHA512
af9e28a39cda24521ad4239d8c616bffbb63a44ae3efedbf9320f83146b5ada758fc2d76fdba07e89bf9066088fd7159650b66c998549c49fbdade1022c0a163
-
SSDEEP
24576:CvJwL1rOBrsdTKf8oyVJHOohsXiV61rbXWcbd7JFV9MGiwS5OlliRw+gj8jbpRtQ:yJwxrOBaTKf8NVtOPXdbNHFVKc/izgjz
Static task
static1
Behavioral task
behavioral1
Sample
Zeus 4.7.2.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
ZeusHex-GUI.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
https://rentry.org/lem61111111111/raw
Extracted
https://bitbucket.org/43g34g34g34/34g34g34g34g/raw/e946dd91d069dd0a14070ddbc4920354650bd041/lem.rar
Targets
-
-
Target
Zeus 4.7.2.exe
-
Size
173KB
-
MD5
28e0ba051ad84949cfedd2a58b1636cb
-
SHA1
6ff46613adb7594c6abbe0ee9c64a68129501fb8
-
SHA256
265013eb61e407130b8fe723809549000ffe4ad96ef6c5ad1945e2727cee5aa0
-
SHA512
a14ea1a7e8756e15aee996c848006a1f2212acd753ca1629224b362fe8ef24331c49617f59bd84846b95a2143744418bbd78a4d0088efab76228344662ae67a4
-
SSDEEP
3072:NPBBih6XScZZmmiyQrcR6qx6LAIxkN3wlCxvxrtJRscwX7zhhxXNrykAOkvpObQ:Nyh6XffliyQrC6LAIxkpwlOJrtJRscwi
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
ZeusHex-GUI.dll
-
Size
1.3MB
-
MD5
ad714ee48d2e829c5012c65de6166c05
-
SHA1
5880bac89ca346dae62c053aa49c028372388edd
-
SHA256
7d32d13d123871650794a1e172adc70bc8dafbdb762f49d889f813844d532b20
-
SHA512
a51252950455dbfb5dfd564689e605b022bdf26f80ad12f3fde3e341a14b8f764324ff3be6f29e4855bd499141e23628e9aabb0e439627dc802814db091d54ee
-
SSDEEP
24576:ZfaPwrgBrO1BKH8jPcWYVxHCoh0XeV61r9qZWe7d7NWS91GsVz9cebgS9aI:ZCPwrgBWBKH8jkDVFCNXODzWS9HfX0HI
Score1/10 -
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1