General

  • Target

    zvgfd-main.zip

  • Size

    123.6MB

  • Sample

    240715-tpvdjs1hjb

  • MD5

    a170446d1d2d2eb41b08b5a08485947e

  • SHA1

    4e6a9ef9b27af106095caac108460cdd60149d08

  • SHA256

    9618961af8c6db27588c649679634bec7ece8fabd3e48f02f33ac0b837b56d2e

  • SHA512

    29500ec700a3c1d49ef8a2a5c9a7fd2d07ff9751010bdf8315e30a363abd7c41da4e9516b9e03b2d3f8070e190260badbe60677c8244dcbcde8d244e75df00a4

  • SSDEEP

    3145728:5657EaSGIatajJdVlbxIytnRu+7KXSSxuF6NWd20nPME:5657EUaTbxIMnvXSxumWtv

Malware Config

Extracted

Family

xworm

C2

super-nearest.gl.at.ply.gg:17835

best-bird.gl.at.ply.gg:27196

75.24.104.157:4782

wiz.bounceme.net:6000

Attributes
  • Install_directory

    %ProgramData%

aes.plain

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

stop-largely.gl.at.ply.gg:27116

75.24.104.157:4480

127.0.0.1:4480

192.168.1.120:4480

Mutex

$Sxr-kl1r656AGsPQksTmi8

Attributes
  • encryption_key

    WyBm1iVkHZmEnGPMAZWV

  • install_name

    $phantom.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    $phantomSTARTUP~MSF

  • subdirectory

    $phantom

Extracted

Family

asyncrat

Botnet

Default

C2

finally-grande.gl.at.ply.gg:25844

75.24.104.157:3232

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

147.185.221.205:52809

Mutex

FANTA~69

Attributes
  • delay

    1

  • install

    false

  • install_file

    Update.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Quasar

C2

127.0.0.1:4480

192.168.1.124:4480

192.168.1.66:4480

75.24.104.157:4480

Mutex

aa808c2e-3fed-4497-9777-f969d0c4099f

Attributes
  • encryption_key

    39F4DDA965B4B8B90B952D0DFCE58CAD3F94ED0F

  • install_name

    $-Online-WRE.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Update

  • subdirectory

    $-Recov-Sys

Extracted

Family

quasar

Attributes
  • reconnect_delay

    5000

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:4782

192.168.1.66:4782

75.24.104.157:4782

192.168.1.120:4782

75.24.104.157:7000

Mutex

56wFqcXlNlL4av7L

Attributes
  • Install_directory

    %Public%

  • install_file

    $77-Update.exe

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

version-brings.gl.at.ply.gg:58939

Mutex

udcw85wJfrM9

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

147.185.221.20:52831

Extracted

Family

quasar

Version

1.4.2

Botnet

Testing

C2

127.0.0.1:4782

Mutex

da53512e-6c73-406a-b1ee-fcfefff35b99

Attributes
  • encryption_key

    4B317113B678FE9A27AFEB228E60516202859C8D

  • install_name

    $77~HWllo.exe.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    $77~Update

  • subdirectory

    $77~TEMP
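
The C2 lists above are the raw contents of each client's embedded config, and the builders behind Quasar, AsyncRAT and XWorm keep every address the operator ever typed in, so loopback and 192.168.x addresses are the operator's own test entries, not infrastructure. The *.ply.gg names are playit.gg tunnel endpoints and bounceme.net is a No-IP dynamic-DNS domain: for those the hostname is the durable indicator, while the resolved IP belongs to the provider and is shared with unrelated tenants. The following script, an added example and not part of the original report, buckets the extracted endpoints accordingly, builds a port-agnostic host list for blocking or hunting, and surfaces IPs that serve several ports (75.24.104.157 recurs across the XWorm, Quasar and AsyncRAT configs). The TUNNEL_SUFFIXES tuple is an assumption to extend for your own telemetry.

```python
"""Sort the C2 endpoints extracted above into actionable and non-actionable sets.

Added example, not part of the original report.
"""
import ipaddress

# Every C2 entry from the "Malware Config" section above, duplicates included.
EXTRACTED_C2 = [
    "super-nearest.gl.at.ply.gg:17835", "best-bird.gl.at.ply.gg:27196",
    "75.24.104.157:4782", "wiz.bounceme.net:6000",
    "stop-largely.gl.at.ply.gg:27116", "75.24.104.157:4480",
    "127.0.0.1:4480", "192.168.1.120:4480",
    "finally-grande.gl.at.ply.gg:25844", "75.24.104.157:3232",
    "147.185.221.205:52809",
    "127.0.0.1:4480", "192.168.1.124:4480", "192.168.1.66:4480", "75.24.104.157:4480",
    "127.0.0.1:4782", "192.168.1.66:4782", "75.24.104.157:4782",
    "192.168.1.120:4782", "75.24.104.157:7000",
    "version-brings.gl.at.ply.gg:58939",
    "147.185.221.20:52831",
    "127.0.0.1:4782",
]

# Hostname suffixes of tunnel / dynamic-DNS providers. Block or alert on the
# FQDN; the IP behind it belongs to the provider and rotates.
# Assumption: extend this tuple for the providers seen in your own environment.
TUNNEL_SUFFIXES = (".ply.gg", ".bounceme.net")


def parse_endpoint(entry):
    """Split 'host:port' into (host, int port); IPv4 literals and hostnames only."""
    host, sep, port = entry.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"not a host:port endpoint: {entry!r}")
    return host, int(port)


def classify(entry):
    """Return one of: routable_ip, local_only, tunnel_host, hostname."""
    host, _ = parse_endpoint(entry)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "tunnel_host" if host.lower().endswith(TUNNEL_SUFFIXES) else "hostname"
    # is_global is False for loopback, RFC 1918, link-local and reserved space.
    return "routable_ip" if ip.is_global else "local_only"


def triage(entries):
    """Deduplicate and bucket endpoints by category, each bucket sorted."""
    buckets = {"routable_ip": set(), "tunnel_host": set(), "hostname": set(), "local_only": set()}
    for entry in entries:
        buckets[classify(entry)].add(entry)
    return {name: sorted(bucket) for name, bucket in buckets.items()}


def blocklist_hosts(entries):
    """Port-agnostic hosts worth blocking or hunting on: routable IPs plus all FQDNs."""
    hosts = {parse_endpoint(e)[0] for e in entries if classify(e) != "local_only"}
    return sorted(hosts)


def shared_ips(entries):
    """Routable IPs that appear with more than one port: one box serving several RAT families."""
    ports_by_ip = {}
    for entry in entries:
        host, port = parse_endpoint(entry)
        if classify(entry) == "routable_ip":
            ports_by_ip.setdefault(host, set()).add(port)
    return {ip: sorted(ports) for ip, ports in ports_by_ip.items() if len(ports) > 1}


if __name__ == "__main__":
    for category, endpoints in triage(EXTRACTED_C2).items():
        print(f"{category:12s} {endpoints}")
    print("blocklist:", blocklist_hosts(EXTRACTED_C2))
    print("multi-port IPs:", shared_ips(EXTRACTED_C2))
```

The loopback and LAN entries are still worth keeping in an analyst note: 4480 and 4782 reappear on the routable address with the same ports the operator used locally, which ties the test builds and the deployed builds to the same person.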

Targets

    • Target

      zvgfd-main/Are You Skibidy, The Quiz.bat

    • Size

      2B

    • MD5

      81051bcc2cf1bedf378224b0a93e2877

    • SHA1

      ba8ab5a0280b953aa97435ff8946cbcbb2755a27

    • SHA256

      7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

    • SHA512

      1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

    Score
    1/10
    • Target

      zvgfd-main/Client-built.exe

    • Size

      6B

    • MD5

      8dc7536f5744d67a856ffcf8c8bedca6

    • SHA1

      cf8653876c1e6ad5406df4363e65b439e65de521

    • SHA256

      60958ccac3e5dfa6ae74aa4f8d6206fd33a5fc9546b8abaad65e3f1c4023c5bf

    • SHA512

      a7907ec7eccf6679c1d6716a5240aa0aa0d1db864051b1bfea87495e14479589bbfd001f51dae1635435b9353c228efcb90a424827bcdb44139abbaf3df558ef

    Score
    1/10
    • Target

      zvgfd-main/Client.bat

    • Size

      1.6MB

    • MD5

      439120f796ed4977f594bea8bd82cf31

    • SHA1

      4584ec947309d2c0d3aa0b7af99a74e914649f1f

    • SHA256

      a2ef6988f4d2669de231d1857b5fb9b64d0069252db3c017498a065f2d1574cc

    • SHA512

      605f0958b42a350f9b4a01cfb47e17d6d095a4a299ad182c537016d5fb1e83c3860d4141cae74242644504aac6b3b5378e6c4551b1bba918bb793fe8e883a49b

    • SSDEEP

      24576:JlkfZfen9VM4J5pHntF5rAkcVYymcJQy+DFayCGw/+MjKOqfVZ8gl5fMR/wXR9D5:JwfenPM4jFX16Y0QXS/+MuOECE6dQ

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Executes dropped EXE

    • Drops file in System32 directory

    • Target

      zvgfd-main/Client_built.exe

    • Size

      6B

    • MD5

      8dc7536f5744d67a856ffcf8c8bedca6

    • SHA1

      cf8653876c1e6ad5406df4363e65b439e65de521

    • SHA256

      60958ccac3e5dfa6ae74aa4f8d6206fd33a5fc9546b8abaad65e3f1c4023c5bf

    • SHA512

      a7907ec7eccf6679c1d6716a5240aa0aa0d1db864051b1bfea87495e14479589bbfd001f51dae1635435b9353c228efcb90a424827bcdb44139abbaf3df558ef

    Score
    1/10
    • Target

      zvgfd-main/Empyrean Removal Tool .com

    • Size

      495KB

    • MD5

      0858df720da731fb05cfa980134fa639

    • SHA1

      0e5e7bf34494892b20e2ed62cea218ada919361d

    • SHA256

      4af251cefa5fbdfb07cff0be7ba01cd6f525099949dac28b5780876a4942d810

    • SHA512

      c2f06ec22f57876b4ed168536bba76b7121962bb752d2a244eea3a37b68044837bf4263b5e3812a4ec1cf5b235653b3f389bbeefef89f609ae5af0eb1e847eb9

    • SSDEEP

      12288:r6iLGC/KU7T+q1/t5moY4MHJgOvK2xqTCzqkfuxHn:rDVyWT+Y/t0oY4MKiK20T8fux

    • Detect Xworm Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      zvgfd-main/Empyrean Removal Tool.com

    • Size

      495KB

    • MD5

      0858df720da731fb05cfa980134fa639

    • SHA1

      0e5e7bf34494892b20e2ed62cea218ada919361d

    • SHA256

      4af251cefa5fbdfb07cff0be7ba01cd6f525099949dac28b5780876a4942d810

    • SHA512

      c2f06ec22f57876b4ed168536bba76b7121962bb752d2a244eea3a37b68044837bf4263b5e3812a4ec1cf5b235653b3f389bbeefef89f609ae5af0eb1e847eb9

    • SSDEEP

      12288:r6iLGC/KU7T+q1/t5moY4MHJgOvK2xqTCzqkfuxHn:rDVyWT+Y/t0oY4MKiK20T8fux

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Detect Xworm Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Async RAT payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      zvgfd-main/Empyrean Removal Tool.exe

    • Size

      633KB

    • MD5

      0079fab4268be36298a113b2979d70d7

    • SHA1

      804a7ace22a2785ac517b3c5325aea96d96231cf

    • SHA256

      33b4200a51c4ddd324dcfae8edb0a53a4bce3f1ad32ab882a0160af319f66900

    • SHA512

      cd8b523714a074fbd88fc726302b908c192c06f81ac4d1c46effa7fba162ff3289322d3a6f4764709914e081efde1d95a2358f80ea99817de98eade452462fb4

    • SSDEEP

      12288:2MH/IGvJlRawMnSG6BeogdLcuVipiKgn0leY8GbMyj8bExHwVaAWHjsXf:2MfI60wnG6YRdLbVipc0leY8GbMkj

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Detect Xworm Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Async RAT payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      zvgfd-main/Fanta.Live.bat

    • Size

      470KB

    • MD5

      7d81002800c60fb2b26946fc534b8987

    • SHA1

      085d813ec8bf7f691d48a78011938b4a9f24b5e9

    • SHA256

      0a2bc7043be8903606338c714d20d132b877001c2789f368b30dae44aa80d888

    • SHA512

      b16f7ff8bb002954dd2cc6732a122c25b2b66a75bc26800f1b031014a67a5f5f494b7f2ef1457b5cc93cf4d3a6fe62db3c51812ea413f430bdde144a3b06aa8e

    • SSDEEP

      12288:GUMoYDGcH1BKxCob3At/nb5mdrKIegQ25Mf0/FhP:DUD9HHKlb3Qdm5KIA2p

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Target

      zvgfd-main/Fanta.Live.exe

    • Size

      79KB

    • MD5

      a378eb40a60e9a4fb826d90b919dbc34

    • SHA1

      46921006940cda5096b30e0788a5c8e4bddb9137

    • SHA256

      356643a10605dba3e7497cb2cbc586951d99dcb95e9fa8a64b65a6fe4d874ef6

    • SHA512

      2a73b843c3f8c508ead9e8fb73a2f1231d0f0cdc6a483e48a403f891710b9c94e79fca9be499f857a0a7a8189b056464d0e1d37ddae22704951dab66ab719505

    • SSDEEP

      1536:ynOPvOn3Dxn2xpP+EnGlDRXxWO2jCt+htJ5bGr9VMKO/6IO27Ecdo9JfBFKn:yOPozl2xpsx+hxbGpqKOxOSEcdoTXKn

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      zvgfd-main/Fanta_Is_Better_Than_Coke.bat

    • Size

      5.9MB

    • MD5

      01132c50b0d844fab3b44bdb50be7445

    • SHA1

      c1212c8576c7794a2bbcf86f6a5bbd212fa23994

    • SHA256

      874cd778f30a84b531ed0811536dd64fdf3259db9509116f3eb3414127a4e0bf

    • SHA512

      96be33e08ca7a4b7331f96488182d999d94a57923d70d6af0acda64795e3c4fc5cab55b16661af48832b63ea38bf39a40dfe636f479709e0d4afb723ac3d9c31

    • SSDEEP

      49152:Lr/kKxpfsnuEUYseGcIvj6O1Za5YUdf5ZOPv+MqmT/7yK3EasULD+ER/RmR:L+

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Detect Xworm Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Async RAT payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      zvgfd-main/Frozen Loader V2.exe

    • Size

      35KB

    • MD5

      fe1520b26e792424cfbf8fd7564b4a55

    • SHA1

      da29f83984b250746f84906584481a0db9258b7c

    • SHA256

      f2ece46035c2c59af63a43525c218247686faf36a256bb77a6103910e306c598

    • SHA512

      10bb8a5a498ca268cf3d8f55cac252ec67ef6a608ed99a12d9eaff159a44700f09da47c0c06b9c15488c8e2dec2e9feb9fb8dd36152e9459ac5b151017d2b761

    • SSDEEP

      768:2DMfF7zLKYs2Byj5fuddqLi9Fk9wnO/h4/22N7:2kF7HKYs/1od9Fk9wnO/+u2J

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      zvgfd-main/Install.exe

    • Size

      164KB

    • MD5

      319a41dd1934848abc8a5df381540481

    • SHA1

      24ad88753d62ae5e38c3b6caba45bef5c70f7699

    • SHA256

      abde8270375bf984b9a8bf1c15ff77f9e33ad185c7305471e05feb80843ee5bc

    • SHA512

      929ca873880db0706ab3d76d98acd343dafab2145fafa3aa05c273b3cf451aac16d1ce71776a9e1fde7a794f172d60dc1536876193bd510de8a259c3f43211cf

    • SSDEEP

      3072:xQpsM8ulc/LGjoOYDqFPgdt3oJ4xbnaldp9pq1N1dIfnXSxmPRnSee9:xQpsMjlc/LGMAFet30Kbml41N1dINP4p

    Score
    10/10
    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      zvgfd-main/OperaGXSetup.exe

    • Size

      5.7MB

    • MD5

      441310f56849af8b53ea48cc94ca3ddb

    • SHA1

      64fceb7e1097a27285cc843a4bffd10a42d95033

    • SHA256

      161d60e3b2cc2cd0248fea9a8869050095ee71ec7244734951b9af377cd765bf

    • SHA512

      2a9be6f43c5a6d5e77fecd1746942c8baf17aa0c22bf276ce9640ddb3899e1fbc58d67555f942946948487f1444edafff209c82d91894e37267f4fe2b596caf6

    • SSDEEP

      98304:m0NFy6666666666666666666666666666666x666666666666666fwwwwwwwwwwE:C75isWNadkX6dOoS0vyy9qldfA9b6JTz

    Score
    8/10
    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      zvgfd-main/Output.exe

    • Size

      47KB

    • MD5

      dc8505be3e85a79e01c1ab4e019d9faf

    • SHA1

      a4e16fc8cd02e1e25ad0222def3963c26f929654

    • SHA256

      8fc144f1a30ed95661e07d477386a4f20e7f3412917512ea2e6797893ad46647

    • SHA512

      bc2ac03ec186e36bba22bbb6224f7fa664ca39df67aa2a132304a0bd2613f72e3bee4e1d65b48024e61b4ae86a2973de0cb1a84339ca47a2ba4b39e13021b876

    • SSDEEP

      768:AuPfZTg4pYiWUU9jjmo2qrLJj93DEsdjEn+WUFlVev0bsGExHCx6zLHijYQptDFQ:AuPfZTgKa2Sz3osdjEnBUFlVesbsGOSS

    Score
    10/10
    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Target

      zvgfd-main/Part 1.bat

    • Size

      580KB

    • MD5

      8b844b2b29752a8a1c62efaa59dba4be

    • SHA1

      0c467148d558c4b7d6672d5b26a79af5f7fb96d4

    • SHA256

      ccb4ad561b87927edd97a02436014944c9147fe78934d2a26de73c7ee1704d0d

    • SHA512

      e086dfb88842e19c552ec00d989ae453743cabeddae93359cde6afc62354042d6ab366039e71819ad0a79319fb17ce98ec77bafb31f6183ba8a87cbb2c1df8a0

    • SSDEEP

      12288:dgOsRaPeA/fpkyocgcQwO57n+2HCZ/ySemGKDuE2wROnCFkw:dAcbBkBJwy+2HCESoZy

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Detect Xworm Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Async RAT payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      zvgfd-main/Part 2.bat

    • Size

      458KB

    • MD5

      4861212330864f9fbf4d99218142931f

    • SHA1

      f79387f84b44d0e8d4c0d741786e8c3823787400

    • SHA256

      70afa1ff655e3d4cf903fea8689e6f5e58a4875b3bb692a390605d98863e1a65

    • SHA512

      3ec603041a8db56e54fbd6c6a5a94671a1ff1824c0370f3caeba07efe2b6d89901171f1c9b3263699cf67ddfa613405e797b30ba556815e442d6be7f10afc877

    • SSDEEP

      12288:qaYh9getMjSzyH5WfgObCBt82QvUtZveh83FkfC:4S3jSO5Wf3TWtZCsh

    Score
    1/10
    • Target

      zvgfd-main/Phantom.exe

    • Size

      764KB

    • MD5

      f9dbf286fc2655045699c429f76d708e

    • SHA1

      49ec367b5e8d4035a389469005f96cf717e18f17

    • SHA256

      f4d9d7d07cf500816361daad500873f5d17480ae0ba49f3348435478cf93d949

    • SHA512

      cff7af066fa10c93d1f3b7b460de720f8f64b73c7a0a6be999f2d73bcceb5368e1656492b925d25f0e69132ab263c6198279743db942037108453acbecce3275

    • SSDEEP

      12288:ydSxkJb4ZQivRFZKP0m4FdWaGNGGLUWl6JB+A6+rN6FAZXhqDnxlrug6JnGf:l2Jb4/U8mGWArwCZ6FPxk

    Score
    1/10
    • Target

      zvgfd-main/PyMain Installer.exe

    • Size

      163KB

    • MD5

      1a7d1b5d24ba30c4d3d5502295ab5e89

    • SHA1

      2d5e69cf335605ba0a61f0bbecbea6fc06a42563

    • SHA256

      b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5

    • SHA512

      859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

    • SSDEEP

      3072:TQpsSyjlzA664oL8tIoDJxGtIVORPrdAHjl3+uwF+iBDZ/wXxnTFKe8kaz:TQpsSyjlzfnoNGxGo6PrdAHwtMxn4e8N

    Score
    10/10
    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      zvgfd-main/Server.exe

    • Size

      723KB

    • MD5

      0a7f6d5934c8ccc7dafd3e9ea31b3842

    • SHA1

      804807e34c17429296a835e4f4f99537e7f3d7f0

    • SHA256

      c4f054a8d630332a9d93d2447541aba2fb98ae09565ef4054bf5de94a0eb584d

    • SHA512

      214fbb4a96de286a4db5d2645a1f0559ea4eb29a9a915c9e18e14397205d95a0eadf437c87b9c3a7336606e7ab2cf934c5e1f808b0a5b1be6b58675385603e3d

    • SSDEEP

      12288:gaQgw7ORdYT46mb6rGERTwsKAHrY/fdTji4vSXo9ZRo9Q2AlFR9K:g1hORSE61GtZXRW4KXUEQ22zK

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Detect Xworm Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Async RAT payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      zvgfd-main/Uni.bat

    • Size

      409KB

    • MD5

      63406415832d298e8419d037141b99a5

    • SHA1

      e8269627e0605dd626494dc50dbba8c7a5a19fa9

    • SHA256

      171e372c9879e2396f14cc0b1388c129a1c8c2d526f74cdd6c18822dfc8f3eae

    • SHA512

      6a4f7026cf6702b3c75a144deb8ea31ee65842eaefa9eb2a1c5254053654666b255105f01ad81dbee8268ee983c1e1ea0980f40a2f29e3e784fed87efc09366f

    • SSDEEP

      12288:VpbJjGuHOGpmeptoiwkZvaXlrWYveGTzse:LVau8ez0dpT/

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Target

      zvgfd-main/Uni.exe

    • Size

      409KB

    • MD5

      9fa86a10b1b1f922b1c6d8dd29e5a7cd

    • SHA1

      d781a9aa91476b580560d74f7006078edfdc43e6

    • SHA256

      9dfb4ce1fd8968e9f6114fefedbcf8f606893f30bf5968c59dacba1793f1a3dd

    • SHA512

      89f845d808f280f237b62d10faf8f8767d20895e7efecc0c9162120a2d219f73e96ff64d95413ffb0f7722fd6215941c7529715a7778873eb180c4e41493f388

    • SSDEEP

      6144:+M+lpdRJjGq/lDhLKL4qHYPLvQCgwJx09cb9ifNcZFvl8fOSYTa7ix:spbJjGufLKL4OYOUvlcOSY0ix

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Target

      zvgfd-main/VIrus removal tool.exe

    • Size

      45KB

    • MD5

      b344b8f34ca3a4ac945c8fa4db093398

    • SHA1

      4386aaae50411757e7d637b3f5ca86ee6f888546

    • SHA256

      976e85307a34104c12c1f1f1949358b3091c2dd7fd9447d6ea58b1e9e4ad1db2

    • SHA512

      e4ab61d9fe07a2eae6e4a0c0b3723d2871fd857bd64927b4776ee44af2b85f73c95082b14c30a2379e0d306787bfa562d286b4abdce3acd65e7679811166e743

    • SSDEEP

      768:/J0rOYAa9+T4g+dCrJEcNcuqlVvD4xeVhKfkvLbFEPa9pvK6iOCh4zjif4B:/cXAaPoJRaFlZrOM/FJ9NK6iOC2egB

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      zvgfd-main/Virus removal tool.exe

    • Size

      75KB

    • MD5

      4a278897dd4705dbf767fe27b1b17b18

    • SHA1

      afd91c06a4f24fb53899a114b63269e0b3ab970a

    • SHA256

      09d25b747f3fb7e4f2c19c50e39a8c18b1b6f01d27023e8a955f45902ded41e0

    • SHA512

      b93d6353f6cb77829a5ec111a30c2dab62ba58b1550cf624ea1f58f301fab3ae8ca4423181d5b43abcf6f9fd085c35bfa6f43b4f92e82bc80910682a1c58ebbd

    • SSDEEP

      1536:DvX+OcT29HvHHhfaAbuY1x6f7O2DTYdhmdS1EAd8IIV:7XK69JjbufO2v8ygEA6IIV

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      zvgfd-main/XClient.exe

    • Size

      44KB

    • MD5

      d1b7f8c52ec77b5216e9d9481af3dfe6

    • SHA1

      6c80d55a0b7b752522b97fdd4f295a034cb6f22c

    • SHA256

      89a91963ffa6c8f651d919a026631fcc6bba96bb82d04d7721d6e3b8535d6532

    • SHA512

      c776a5c6206593f6dc65d0f8aada968067a2d2551e38d4ae39521cf98f685ef3bbb6282859024865cb6b135740b397b363d90631ad514a3448579d28d98a19b4

    • SSDEEP

      768:pMDF7zLXoeUHyLp0uddqLi9Fk9wIAO/hM/22ods4S1EAd8IIR:SF73XoeUS95d9Fk9wnO/uu2odS1EAd8R

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      zvgfd-main/XClientTest.exe

    • Size

      44KB

    • MD5

      edb93988566d2b63e675910a1d9e985e

    • SHA1

      3b9fa4e6511caf873772f5405eb00022f2082b92

    • SHA256

      d479daa5ecdcdd724de700960115604b060aadd7bb9aa5ad797c9c57324dec57

    • SHA512

      faa51151ee58e18e422dc684364d44976931651da8afcc1c0a69782b1a8e13ed2007e717709fa55c0c2efcaadf0d2647ad6dfe3a6f78223d0d834a2f8e7cd26d

    • SSDEEP

      768:mDMfF7zLKYs2Byj54uddqLi9Fk9wbO/hm/22USds4S1EAd8IIv:mkF7HKYs/1dd9Fk9wbO/Iu2USdS1EAdI

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      zvgfd-main/asjdfg.exe

    • Size

      63KB

    • MD5

      a74bccdc0abb0d77b4b7af3a31827e17

    • SHA1

      ed08f899146994d3e303b193a6a73b1810e4b842

    • SHA256

      f3ff97453bf728c77ee76a946a11ab93b1c79a4f742d71fb3c2315e86007355c

    • SHA512

      7c79c5b0c52a75db296c23db6c066da28b57f8b8749cc895af1252d9294c26fedb37404ac8f62c8ed3b0cc6e12458c6612bb6e4f78276f3fb118e7459d1c6e90

    • SSDEEP

      1536:0YmHssdSJYUbdh98ArnX35kHqu8dpqKmY7:0YVsYYUbdAAjDGz

    Score
    10/10
    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Async RAT payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      zvgfd-main/libcrypto-3.dll

    • Size

      3.9MB

    • MD5

      27c8a62563e3f34f3466d3cbf4b8fe74

    • SHA1

      23a2585b4afa8e77d365fb1bcf8c96d7273b9742

    • SHA256

      3927d87e03ad83e22a40fdcb680707a28eb04314af51f228130d8396dabb3de4

    • SHA512

      c24f2725a05b209895e4de7b548fc7782d5695bcadc6b79a742c9860efa4691f4cb0b997bb1035b379c64de9d5476e6425e1e76e0b6d73faee635e7fc87207d1

    • SSDEEP

      49152:isLkNoGACh3LyT2CmS/qI9a9NPLZExveczlh+7lk1CPwDvt3uFADCNOnuyWIk72y:KNoGWK5S/q7HDCh+Zk1CPwDvt3uFADCH

    Score
    3/10
    • Target

      zvgfd-main/libssh2.dll

    • Size

      203KB

    • MD5

      7df1365a2e0b9009ea133314e2ecf6cc

    • SHA1

      2ab90223e54d34458c1f19dec190cd839a966da9

    • SHA256

      a74ef9d16c70d74e82eb5a42126dc0a2f6af5dc6002f5226cfe736db3da9994e

    • SHA512

      f092de168f888e657d851d1826906bfa7895f9878a964f72312a7a1c7adf0f2930dc460935893ca8d2f77f56e53d32ab6a8bf2caed42a2b90a798b7259e92440

    • SSDEEP

      6144:/VUeSaXnc4lcuWAd+F6febPf9WqBqNb5AWZGRQ:We9Xnc4iAd+F0eL9BIFX

    Score
    3/10
    • Target

      zvgfd-main/libssl-3.dll

    • Size

      661KB

    • MD5

      24f02f8bd55813c87a4952e60e87edf1

    • SHA1

      c19834e2d64dd44d84d58c73d88b454fd6ccb385

    • SHA256

      70b3b431d10ca9dea42b5b5aca85a97c39c91e0e2e3b5763514c1608a5f980b3

    • SHA512

      04922a3a80d551cfada9fcb765966eeca0741bfff3469a551d538580b64a70d8f1a6a94abada3762a79cd6fd2222eb38c9e491a74fc19937bbd8ab309770f7ad

    • SSDEEP

      12288:xJtxLelXQVWwwdrQxxNa4t98FH9UHlSMYtfJ6u2GfeCchyV:xDxL46Gr+0tfJ6u2GfeCchyV

    Score
    1/10
    • Target

      zvgfd-main/main.exe

    • Size

      17.8MB

    • MD5

      d326fd384736db6bf49ed4bc74cd588d

    • SHA1

      cb81aca5d091305f65d1efb8aa298bf3befbd082

    • SHA256

      41338ccee9d5b7dcda6b57ec5d4fe840bae5d8bdff2bf172935f62e2c61fddf6

    • SHA512

      e6694c727b85517f279439ed551b5dc8ad9d1be8fd8e5ecf09a81188de617beceaec3e6eb4bed356212dc2c5483272902448a1c137cafdfeb45fe3cca3c0314b

    • SSDEEP

      393216:cqPnLFXlrPmQ8DOETgsvfG+gUj9vEujik4GZq:NPLFXNOQhElXjSzkK

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      zvgfd-main/ncat.exe

    • Size

      355KB

    • MD5

      4f6b1c5a41f7e9d183a7dd3ace65812e

    • SHA1

      c08a5e5c59f39522939284ee8743ff55967da76a

    • SHA256

      a3071223a56a18c9fb913696487f69d1ea2633176412446d4b7eecc82d33c262

    • SHA512

      25c7a3f16b001144cc8fdc5c9014cdfe33352bd76c116c3e1b7e3238668ae0b284fc641b96aee92d07dc9a25fa9b016e441db96c07f2426e09b0ec9b8d2443cf

    • SSDEEP

      6144:ptY7W0+Pb/+japAtAGZ8+cQm+hSD5I55HinqrphrBEU3VEBIPZ/5owu8zsX4ROVq:ptF00/+japAtAGq+RSFO4n4NBEU3V7PJ

    Score
    1/10
    • Target

      zvgfd-main/payload.exe

    • Size

      72KB

    • MD5

      51bf2daccda8948abfca10170537c9a5

    • SHA1

      eeac664143771a028eb3c2dd5229992915736c57

    • SHA256

      df5821201839f791435a04bffd5c3ced8c8784304dcf40fd4dee10500bdf6657

    • SHA512

      d0644f155ea34fd7b34368b9255347b717a8694db3b1fc004acf429f52e41a3039dd5111709ddde86cd8d74e7cd655f49b01ff9e8bdc90011976082df7e2f74f

    • SSDEEP

      1536:IQGNVKEmV4/jQGi4R6OkbTjdAFBF1AMRMb+KR0Nc8QsJq39:gfF2s16TeFn1be0Nc8QsC9

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
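
The behaviours the sandbox flags for these samples (PowerShell adding Defender exclusions for extensions, paths and processes; PowerShell launched with a hidden window; Run-key persistence; files dropped into the Startup folder) all leave host telemetry that is easy to match. The script below is an added example, not part of the report, that runs those checks over constructed PowerShell script-block, registry and file-creation events whose paths reuse the install folders and names from the extracted configs above (%AppData%, %ProgramData%, %Public%, the "Update" startup key, "$-Online-WRE.exe", "$77-Update.exe"). The user name "alice" and the expanded root paths are assumptions; the "$77" rule flags the file prefix the r77 userland rootkit hides by, which the report itself does not identify, so it is a lead to confirm rather than a verdict.

```python
"""Run the report's behaviour signatures over host telemetry.

Added example, not from the report. SAMPLE_EVENTS is constructed to mirror the
sandbox signatures listed above.
"""
import re

# Expanded forms of the install folders from the extracted configs, for a
# hypothetical user "alice" (assumption: adapt the roots to your fleet).
USER_WRITABLE_ROOTS = (
    r"c:\users\alice\appdata\roaming",  # %AppData%     (AsyncRAT / Quasar install_folder)
    r"c:\programdata",                  # %ProgramData% (XWorm Install_directory)
    r"c:\users\public",                 # %Public%      (XWorm 5.0 Install_directory)
)
STARTUP_DIR = r"\appdata\roaming\microsoft\windows\start menu\programs\startup" + "\\"

DEFENDER_TAMPER = re.compile(
    r"\b(?:add|set)-mppreference\b.*?-(?:exclusionpath|exclusionextension|exclusionprocess"
    r"|disablerealtimemonitoring|disableioavprotection)\b",
    re.IGNORECASE | re.DOTALL,
)
HIDDEN_WINDOW = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)
# Accepts both a bare key and Sysmon's TargetObject form "...\Run\<value name>".
RUN_KEY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?(?:\\[^\\]+)?$", re.IGNORECASE
)
# "$77" is the file/process name prefix the r77 userland rootkit hides.
# Several install names above carry it; the report does not identify r77.
R77_PREFIX = re.compile(r"(?:^|\\)\$77[^\\]*$")


def _norm_path(path):
    return path.strip().strip("\"'").lower()


def check_scriptblock(text):
    hits = []
    if DEFENDER_TAMPER.search(text):
        hits.append("defender_exclusion_or_disable")
    if HIDDEN_WINDOW.search(text):
        hits.append("powershell_hidden_window")
    return hits


def check_registry(key, data):
    hits = []
    if RUN_KEY.search(key.rstrip("\\")):
        target = _norm_path(data)
        if target.startswith(USER_WRITABLE_ROOTS):
            hits.append("run_key_to_user_writable_path")
        if R77_PREFIX.search(target):
            hits.append("r77_hidden_name_prefix")
    return hits


def check_file(path):
    hits = []
    p = _norm_path(path)
    if STARTUP_DIR in p:
        hits.append("startup_folder_drop")
    if R77_PREFIX.search(p):
        hits.append("r77_hidden_name_prefix")
    return hits


def evaluate(events):
    """Return (event index, rule name) pairs for every rule an event trips."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] == "ps_scriptblock":
            hits = check_scriptblock(ev["text"])
        elif ev["type"] == "reg_set":
            hits = check_registry(ev["key"], ev["data"])
        elif ev["type"] == "file_create":
            hits = check_file(ev["path"])
        else:
            hits = []
        findings.extend((i, h) for h in hits)
    return findings


# Constructed telemetry (not from the report); values reuse config fields above.
SAMPLE_EVENTS = [
    {"type": "ps_scriptblock",
     "text": "Add-MpPreference -ExclusionPath 'C:\\ProgramData' -ExclusionExtension exe -ExclusionProcess 'XClient.exe'"},
    {"type": "ps_scriptblock",
     "text": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"Start-Process 'C:\\Users\\Public\\$77-Update.exe'\""},
    {"type": "ps_scriptblock", "text": "Get-MpPreference | Select-Object ExclusionPath"},
    {"type": "reg_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "data": r"C:\Users\alice\AppData\Roaming\$-Recov-Sys\$-Online-WRE.exe"},
    {"type": "reg_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-Update.lnk"},
    {"type": "reg_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\$77~Update",
     "data": r"C:\Users\alice\AppData\Roaming\$77~TEMP\$77~HWllo.exe.exe"},
]

if __name__ == "__main__":
    for index, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

The Run-key rule deliberately fires only when the value points into a user-writable root: a Run entry for a binary under Program Files is routine, one pointing into %AppData% or %Public% is the pattern every config in this archive describes. Script-block text (PowerShell event 4104) is matched rather than the command line, because the hidden-window and exclusion commands here are mostly launched from .bat wrappers and would be missed by a process-creation rule alone.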

MITRE ATT&CK Enterprise v15

Tasks

static1

slave, rat, default, quasar, pyinstaller, xworm, quasar, asyncrat, empyrean, agenttesla, metasploit
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

quasar, testing, execution, spyware, trojan
Score
10/10

behavioral4

Score
1/10

behavioral5

quasar, xworm, slave, execution, rat, spyware, trojan
Score
10/10

behavioral6

asyncrat, quasar, xworm, default, slave, execution, rat, spyware, trojan
Score
10/10

behavioral7

asyncrat, quasar, xworm, default, slave, execution, rat, spyware, trojan
Score
10/10

behavioral8

xworm, execution, persistence, rat, trojan
Score
10/10

behavioral9

xworm, execution, rat, trojan
Score
10/10

behavioral10

asyncrat, quasar, xworm, default, slave, execution, persistence, rat, spyware, trojan
Score
10/10

behavioral11

xworm, persistence, rat, trojan
Score
10/10

behavioral12

bootkit, persistence
Score
10/10

behavioral13

spyware, stealer
Score
8/10

behavioral14

asyncrat, default, rat
Score
10/10

behavioral15

asyncrat, quasar, xworm, default, slave, execution, persistence, rat, spyware, trojan
Score
10/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
10/10

behavioral19

asyncrat, quasar, xworm, default, slave, execution, rat, spyware, trojan
Score
10/10

behavioral20

quasar, slave, spyware, trojan
Score
10/10

behavioral21

quasar, slave, spyware, trojan
Score
10/10

behavioral22

xworm, execution, persistence, rat, trojan
Score
10/10

behavioral23

xworm, execution, persistence, rat, trojan
Score
10/10

behavioral24

xworm, persistence, rat, trojan
Score
10/10

behavioral25

xworm, persistence, rat, trojan
Score
10/10

behavioral26

asyncrat, default, rat
Score
10/10

behavioral27

Score
3/10

behavioral28

Score
3/10

behavioral29

Score
1/10

behavioral30

persistence, privilege_escalation, spyware, stealer, upx
Score
7/10

behavioral31

Score
1/10

behavioral32

metasploit, backdoor, trojan
Score
10/10