Resubmissions
05-05-2024 02:01
240505-cfwftaed23 1003-03-2024 18:34
240303-w76kmseh68 1003-03-2024 18:33
240303-w7jqwaeb8v 1003-03-2024 18:30
240303-w5g49seg83 10Analysis
-
max time kernel
141s -
max time network
104s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
05-05-2024 02:01
General
-
Target
2fa8c24b42f6542a290d85a9a3723e2a.exe
-
Size
328KB
-
MD5
2fa8c24b42f6542a290d85a9a3723e2a
-
SHA1
d7a518d0d6eae7732a59c6a7c397f0777d111255
-
SHA256
1f64bc9469a33c77561e22beea18d9bbdd343dae89bc6f02bc85e24873d93f4e
-
SHA512
764731d7ac9329083fc3a3db505b12c0a0f63ef3de3f07db80ebaab237a698b980961daaaa6b14b49ea63f93d5a848e81de6a50898c36f8609109c3ef70dc6db
-
SSDEEP
6144:3eY+jinF8jE9sKKegRcd2cS8ADT+5amtQuicddRp:fJf5vr9AuYOp
Malware Config
Signatures
-
Detect Xehook Payload 1 IoCs
-
Detect ZGRat V1 1 IoCs
-
Xehook stealer
Xehook is an infostealer written in C#.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2fa8c24b42f6542a290d85a9a3723e2a.exe"C:\Users\Admin\AppData\Local\Temp\2fa8c24b42f6542a290d85a9a3723e2a.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 15523⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3312 -ip 33121⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3312-5-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/3312-8-0x0000000004C30000-0x0000000004C4A000-memory.dmpFilesize
104KB
-
memory/3312-11-0x0000000074C60000-0x0000000075410000-memory.dmpFilesize
7.7MB
-
memory/3312-12-0x0000000005340000-0x00000000058E4000-memory.dmpFilesize
5.6MB
-
memory/3312-13-0x0000000005DF0000-0x0000000005E82000-memory.dmpFilesize
584KB
-
memory/3312-14-0x0000000006110000-0x0000000006176000-memory.dmpFilesize
408KB
-
memory/3312-16-0x0000000074C60000-0x0000000075410000-memory.dmpFilesize
7.7MB
-
memory/4012-0-0x0000000074C6E000-0x0000000074C6F000-memory.dmpFilesize
4KB
-
memory/4012-1-0x0000000000E10000-0x0000000000E64000-memory.dmpFilesize
336KB
-
memory/4012-2-0x0000000074C60000-0x0000000075410000-memory.dmpFilesize
7.7MB
-
memory/4012-9-0x0000000074C60000-0x0000000075410000-memory.dmpFilesize
7.7MB
-
memory/4012-10-0x0000000074C60000-0x0000000075410000-memory.dmpFilesize
7.7MB