Overview

overview

10

Static

static

10

zvgfd-main...iz.bat

windows7-x64

1

zvgfd-main...iz.bat

windows10-2004-x64

1

zvgfd-main...lt.exe

windows7-x64

zvgfd-main...lt.exe

windows10-2004-x64

zvgfd-main/Client.bat

windows7-x64

8

zvgfd-main/Client.bat

windows10-2004-x64

10

zvgfd-main...lt.exe

windows7-x64

zvgfd-main...lt.exe

windows10-2004-x64

zvgfd-main... .exe

windows7-x64

10

zvgfd-main... .exe

windows10-2004-x64

10

zvgfd-main...ol.exe

windows7-x64

10

zvgfd-main...ol.exe

windows10-2004-x64

10

zvgfd-main...ol.exe

windows7-x64

10

zvgfd-main...ol.exe

windows10-2004-x64

10

Exculsion/...dec.js

windows7-x64

3

Exculsion/...dec.js

windows10-2004-x64

3

zvgfd-main...ve.bat

windows7-x64

8

zvgfd-main...ve.bat

windows10-2004-x64

10

zvgfd-main...ve.exe

windows7-x64

10

zvgfd-main...ve.exe

windows10-2004-x64

10

zvgfd-main...V2.exe

windows7-x64

10

zvgfd-main...V2.exe

windows10-2004-x64

10

zvgfd-main...ll.exe

windows7-x64

5

zvgfd-main...ll.exe

windows10-2004-x64

zvgfd-main...up.exe

windows10-2004-x64

8

zvgfd-main/Output.exe

windows7-x64

3

zvgfd-main/Output.exe

windows10-2004-x64

10

zvgfd-main/Part 1.bat

windows7-x64

8

zvgfd-main/Part 1.bat

windows10-2004-x64

10

zvgfd-main...om.exe

windows7-x64

1

zvgfd-main...om.exe

windows10-2004-x64

1

zvgfd-main...er.exe

windows7-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    zvgfd-main[1].zip

  • Size

    158.4MB

  • Sample

    240701-w4j78swgkp

  • MD5

    f91845cc994db39f3d7f03120d4ea559

  • SHA1

    c0794a348fe3a0bcd4959e72efa3d65f5ea4fdf7

  • SHA256

    1731919d2dc81ad27833aaaf162c923c8c0e9ec12f0517c7db0409b74e9550c6

  • SHA512

    b59220b6b46911e18fe6ba4d79222180f0304b49514f1c8b082cc7c97ee4448877802bcf2ad92b6a055a4934fdc7aa5216415fb93b1ce57639346306fb1d0bc4

  • SSDEEP

    3145728:J6D7EaSGaatayXVt7KXSSxIolOUgjFU6Kh17iNgWQW6NWT20nPM9:J6D7EOaA7XSxIolfgC7iSWQrWDg

Score
10/10
agentteslaasyncratempyreanquasarxwormdefaultquasarslavetestingdefense_evasionevasionexecutionpersistencepyinstallerratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

super-nearest.gl.at.ply.gg:17835

best-bird.gl.at.ply.gg:27196

75.24.104.157:4782

wiz.bounceme.net:6000
Attributes
  • Install_directory

    %ProgramData%

aes.plain

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

stop-largely.gl.at.ply.gg:27116

75.24.104.157:4480

127.0.0.1:4480

192.168.1.120:4480
Mutex

$Sxr-kl1r656AGsPQksTmi8

Attributes
  • encryption_key

    WyBm1iVkHZmEnGPMAZWV

  • install_name

    $phantom.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    $phantomSTARTUP~MSF

  • subdirectory

    $phantom

Extracted

Family

asyncrat

Botnet

Default

C2

finally-grande.gl.at.ply.gg:25844

75.24.104.157:3232
Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain
aes.plain
aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

147.185.221.205:52809

Mutex

FANTA~69

Attributes
  • delay

    1

  • install

    false

  • install_file

    Update.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Quasar

C2

127.0.0.1:4480

192.168.1.124:4480

192.168.1.66:4480

75.24.104.157:4480
Mutex

aa808c2e-3fed-4497-9777-f969d0c4099f

Attributes
  • encryption_key

    39F4DDA965B4B8B90B952D0DFCE58CAD3F94ED0F

  • install_name

    $-Online-WRE.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Update

  • subdirectory

    $-Recov-Sys

Extracted

Family

quasar

Attributes
  • reconnect_delay

    5000

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:4782

192.168.1.66:4782

75.24.104.157:4782

192.168.1.120:4782

75.24.104.157:7000
Mutex

56wFqcXlNlL4av7L

Attributes
  • Install_directory

    %Public%

  • install_file

    $77-Update.exe

aes.plain
aes.plain
aes.plain
aes.plain

Extracted

Family

quasar

Version

1.4.2

Botnet

Testing

C2

127.0.0.1:4782

Mutex

da53512e-6c73-406a-b1ee-fcfefff35b99

Attributes
  • encryption_key

    4B317113B678FE9A27AFEB228E60516202859C8D

  • install_name

    $77~HWllo.exe.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    $77~Update

  • subdirectory

    $77~TEMP

Targets

    • Target

      zvgfd-main/Are You Skibidy, The Quiz.bat

    • Size

      2B

    • MD5

      81051bcc2cf1bedf378224b0a93e2877

    • SHA1

      ba8ab5a0280b953aa97435ff8946cbcbb2755a27

    • SHA256

      7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

    • SHA512

      1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

    Score
    1/10
    behavioral1behavioral2

    • Target

      zvgfd-main/Client-built.exe

    • Size

      6B

    • MD5

      8dc7536f5744d67a856ffcf8c8bedca6

    • SHA1

      cf8653876c1e6ad5406df4363e65b439e65de521

    • SHA256

      60958ccac3e5dfa6ae74aa4f8d6206fd33a5fc9546b8abaad65e3f1c4023c5bf

    • SHA512

      a7907ec7eccf6679c1d6716a5240aa0aa0d1db864051b1bfea87495e14479589bbfd001f51dae1635435b9353c228efcb90a424827bcdb44139abbaf3df558ef

    Score
    1/10
    behavioral3behavioral4

    • Target

      zvgfd-main/Client.bat

    • Size

      1.6MB

    • MD5

      439120f796ed4977f594bea8bd82cf31

    • SHA1

      4584ec947309d2c0d3aa0b7af99a74e914649f1f

    • SHA256

      a2ef6988f4d2669de231d1857b5fb9b64d0069252db3c017498a065f2d1574cc

    • SHA512

      605f0958b42a350f9b4a01cfb47e17d6d095a4a299ad182c537016d5fb1e83c3860d4141cae74242644504aac6b3b5378e6c4551b1bba918bb793fe8e883a49b

    • SSDEEP

      24576:JlkfZfen9VM4J5pHntF5rAkcVYymcJQy+DFayCGw/+MjKOqfVZ8gl5fMR/wXR9D5:JwfenPM4jFX16Y0QXS/+MuOECE6dQ

    Score
    10/10
    executionquasartestingspywaretrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral5behavioral6

    • Target

      zvgfd-main/Client_built.exe

    • Size

      6B

    • MD5

      8dc7536f5744d67a856ffcf8c8bedca6

    • SHA1

      cf8653876c1e6ad5406df4363e65b439e65de521

    • SHA256

      60958ccac3e5dfa6ae74aa4f8d6206fd33a5fc9546b8abaad65e3f1c4023c5bf

    • SHA512

      a7907ec7eccf6679c1d6716a5240aa0aa0d1db864051b1bfea87495e14479589bbfd001f51dae1635435b9353c228efcb90a424827bcdb44139abbaf3df558ef

    Score
    1/10
    behavioral7behavioral8

    • Target

      zvgfd-main/Empyrean Removal Tool .com

    • Size

      495KB

    • MD5

      0858df720da731fb05cfa980134fa639

    • SHA1

      0e5e7bf34494892b20e2ed62cea218ada919361d

    • SHA256

      4af251cefa5fbdfb07cff0be7ba01cd6f525099949dac28b5780876a4942d810

    • SHA512

      c2f06ec22f57876b4ed168536bba76b7121962bb752d2a244eea3a37b68044837bf4263b5e3812a4ec1cf5b235653b3f389bbeefef89f609ae5af0eb1e847eb9

    • SSDEEP

      12288:r6iLGC/KU7T+q1/t5moY4MHJgOvK2xqTCzqkfuxHn:rDVyWT+Y/t0oY4MKiK20T8fux

    Score
    10/10
    quasarxwormslaveexecutionratspywaretrojan

    • Detect Xworm Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral10behavioral9

    • Target

      zvgfd-main/Empyrean Removal Tool.com

    • Size

      495KB

    • MD5

      0858df720da731fb05cfa980134fa639

    • SHA1

      0e5e7bf34494892b20e2ed62cea218ada919361d

    • SHA256

      4af251cefa5fbdfb07cff0be7ba01cd6f525099949dac28b5780876a4942d810

    • SHA512

      c2f06ec22f57876b4ed168536bba76b7121962bb752d2a244eea3a37b68044837bf4263b5e3812a4ec1cf5b235653b3f389bbeefef89f609ae5af0eb1e847eb9

    • SSDEEP

      12288:r6iLGC/KU7T+q1/t5moY4MHJgOvK2xqTCzqkfuxHn:rDVyWT+Y/t0oY4MKiK20T8fux

    Score
    10/10
    asyncratquasarxwormdefaultslaveexecutionratspywaretrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Detect Xworm Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Async RAT payload

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral11behavioral12

    • Target

      zvgfd-main/Empyrean Removal Tool.exe

    • Size

      633KB

    • MD5

      0079fab4268be36298a113b2979d70d7

    • SHA1

      804a7ace22a2785ac517b3c5325aea96d96231cf

    • SHA256

      33b4200a51c4ddd324dcfae8edb0a53a4bce3f1ad32ab882a0160af319f66900

    • SHA512

      cd8b523714a074fbd88fc726302b908c192c06f81ac4d1c46effa7fba162ff3289322d3a6f4764709914e081efde1d95a2358f80ea99817de98eade452462fb4

    • SSDEEP

      12288:2MH/IGvJlRawMnSG6BeogdLcuVipiKgn0leY8GbMyj8bExHwVaAWHjsXf:2MfI60wnG6YRdLbVipc0leY8GbMkj

    Score
    10/10
    asyncratquasarxwormdefaultslaveexecutionratspywaretrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Detect Xworm Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Async RAT payload

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral13behavioral14

    • Target

      Exculsion/Source/Remote-Access-Tools/Quasar/Quasar.Common/Video/Codecs/UnsafeStreamCodec.cs

    • Size

      13KB

    • MD5

      f6f684886d32fa76b92a8878c277f2c9

    • SHA1

      ec22305cb7fa862a94feec0eda0d2fcd3281da5d

    • SHA256

      8f9c56ec4fd84ababe9836290eea85e8ccb39c0e0ac3929c39b1279a709bc2f4

    • SHA512

      5fc43e219dd343fa01af7039a93381ff4b6bd529ae4aed9f581f36cae6099fb986d37b24304da9135ee18055d164f29d3fb3575679bf7bda3027127a6f78e6c5

    • SSDEEP

      384:e2rfFMJVNh984CrEIYW5xjhVdA0PYuhuh3hRkyhOtzeh+:d0CrEg5xjhV6eEZfkyQVek

    Score
    3/10
    execution
    behavioral15behavioral16

    • Target

      zvgfd-main/Fanta.Live.bat

    • Size

      470KB

    • MD5

      7d81002800c60fb2b26946fc534b8987

    • SHA1

      085d813ec8bf7f691d48a78011938b4a9f24b5e9

    • SHA256

      0a2bc7043be8903606338c714d20d132b877001c2789f368b30dae44aa80d888

    • SHA512

      b16f7ff8bb002954dd2cc6732a122c25b2b66a75bc26800f1b031014a67a5f5f494b7f2ef1457b5cc93cf4d3a6fe62db3c51812ea413f430bdde144a3b06aa8e

    • SSDEEP

      12288:GUMoYDGcH1BKxCob3At/nb5mdrKIegQ25Mf0/FhP:DUD9HHKlb3Qdm5KIA2p

    Score
    10/10
    executionxwormpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral17behavioral18

    • Target

      zvgfd-main/Fanta.Live.exe

    • Size

      79KB

    • MD5

      a378eb40a60e9a4fb826d90b919dbc34

    • SHA1

      46921006940cda5096b30e0788a5c8e4bddb9137

    • SHA256

      356643a10605dba3e7497cb2cbc586951d99dcb95e9fa8a64b65a6fe4d874ef6

    • SHA512

      2a73b843c3f8c508ead9e8fb73a2f1231d0f0cdc6a483e48a403f891710b9c94e79fca9be499f857a0a7a8189b056464d0e1d37ddae22704951dab66ab719505

    • SSDEEP

      1536:ynOPvOn3Dxn2xpP+EnGlDRXxWO2jCt+htJ5bGr9VMKO/6IO27Ecdo9JfBFKn:yOPozl2xpsx+hxbGpqKOxOSEcdoTXKn

    Score
    10/10
    xwormexecutionrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral19behavioral20

    • Target

      zvgfd-main/Frozen Loader V2.exe

    • Size

      35KB

    • MD5

      fe1520b26e792424cfbf8fd7564b4a55

    • SHA1

      da29f83984b250746f84906584481a0db9258b7c

    • SHA256

      f2ece46035c2c59af63a43525c218247686faf36a256bb77a6103910e306c598

    • SHA512

      10bb8a5a498ca268cf3d8f55cac252ec67ef6a608ed99a12d9eaff159a44700f09da47c0c06b9c15488c8e2dec2e9feb9fb8dd36152e9459ac5b151017d2b761

    • SSDEEP

      768:2DMfF7zLKYs2Byj5fuddqLi9Fk9wnO/h4/22N7:2kF7HKYs/1od9Fk9wnO/+u2J

    Score
    10/10
    xwormpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral21behavioral22

    • Target

      zvgfd-main/Install.exe

    • Size

      164KB

    • MD5

      319a41dd1934848abc8a5df381540481

    • SHA1

      24ad88753d62ae5e38c3b6caba45bef5c70f7699

    • SHA256

      abde8270375bf984b9a8bf1c15ff77f9e33ad185c7305471e05feb80843ee5bc

    • SHA512

      929ca873880db0706ab3d76d98acd343dafab2145fafa3aa05c273b3cf451aac16d1ce71776a9e1fde7a794f172d60dc1536876193bd510de8a259c3f43211cf

    • SSDEEP

      3072:xQpsM8ulc/LGjoOYDqFPgdt3oJ4xbnaldp9pq1N1dIfnXSxmPRnSee9:xQpsMjlc/LGMAFet30Kbml41N1dINP4p

    Score
    10/10

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral23behavioral24

    • Target

      zvgfd-main/OperaGXSetup.exe

    • Size

      5.7MB

    • MD5

      441310f56849af8b53ea48cc94ca3ddb

    • SHA1

      64fceb7e1097a27285cc843a4bffd10a42d95033

    • SHA256

      161d60e3b2cc2cd0248fea9a8869050095ee71ec7244734951b9af377cd765bf

    • SHA512

      2a9be6f43c5a6d5e77fecd1746942c8baf17aa0c22bf276ce9640ddb3899e1fbc58d67555f942946948487f1444edafff209c82d91894e37267f4fe2b596caf6

    • SSDEEP

      98304:m0NFy6666666666666666666666666666666x666666666666666fwwwwwwwwwwE:C75isWNadkX6dOoS0vyy9qldfA9b6JTz

    Score
    8/10
    spywarestealer

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral25

    • Target

      zvgfd-main/Output.exe

    • Size

      15KB

    • MD5

      ebe778bb7f785aafdabde3dc83ff3d32

    • SHA1

      cddb3c522dc1193eec1a2f8f2bdaba4e11122632

    • SHA256

      cad85a4084b9e95b65dc2bcf70a1417c94ef700ee83b52c12444115d08cea0b7

    • SHA512

      cbd3ffc44124da5a7e2de6141c96ce68d731655bc8a0406892815c9edbe4469c211e7abaa868abd0578147d69ecace36e0d97e490e51b15a158919eb4a91855a

    • SSDEEP

      384:gY2c0yTTyDsTawMGGbb0Br8XDnKrH9DzLXl:h2cre2rHFL1

    Score
    10/10
    xwormdefense_evasionexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion
    behavioral26behavioral27

    • Target

      zvgfd-main/Part 1.bat

    • Size

      580KB

    • MD5

      8b844b2b29752a8a1c62efaa59dba4be

    • SHA1

      0c467148d558c4b7d6672d5b26a79af5f7fb96d4

    • SHA256

      ccb4ad561b87927edd97a02436014944c9147fe78934d2a26de73c7ee1704d0d

    • SHA512

      e086dfb88842e19c552ec00d989ae453743cabeddae93359cde6afc62354042d6ab366039e71819ad0a79319fb17ce98ec77bafb31f6183ba8a87cbb2c1df8a0

    • SSDEEP

      12288:dgOsRaPeA/fpkyocgcQwO57n+2HCZ/ySemGKDuE2wROnCFkw:dAcbBkBJwy+2HCESoZy

    Score
    10/10
    executionasyncratquasarxwormdefaultslavepersistenceratspywaretrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Detect Xworm Payload

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Async RAT payload

      rat

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral28behavioral29

    • Target

      zvgfd-main/Phantom.exe

    • Size

      764KB

    • MD5

      f9dbf286fc2655045699c429f76d708e

    • SHA1

      49ec367b5e8d4035a389469005f96cf717e18f17

    • SHA256

      f4d9d7d07cf500816361daad500873f5d17480ae0ba49f3348435478cf93d949

    • SHA512

      cff7af066fa10c93d1f3b7b460de720f8f64b73c7a0a6be999f2d73bcceb5368e1656492b925d25f0e69132ab263c6198279743db942037108453acbecce3275

    • SSDEEP

      12288:ydSxkJb4ZQivRFZKP0m4FdWaGNGGLUWl6JB+A6+rN6FAZXhqDnxlrug6JnGf:l2Jb4/U8mGWArwCZ6FPxk

    Score
    1/10
    behavioral30behavioral31

    • Target

      zvgfd-main/PyMain Installer.exe

    • Size

      163KB

    • MD5

      1a7d1b5d24ba30c4d3d5502295ab5e89

    • SHA1

      2d5e69cf335605ba0a61f0bbecbea6fc06a42563

    • SHA256

      b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5

    • SHA512

      859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

    • SSDEEP

      3072:TQpsSyjlzA664oL8tIoDJxGtIVORPrdAHjl3+uwF+iBDZ/wXxnTFKe8kaz:TQpsSyjlzfnoNGxGo6PrdAHwtMxn4e8N

    Score
    10/10
    evasion

    • Modifies security service

      evasion

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

9
T1059

PowerShell

8
T1059.001

JavaScript

1
T1059.007

Scheduled Task/Job

7
T1053

Scheduled Task

7
T1053.005

Persistence

Scheduled Task/Job

7
T1053

Scheduled Task

7
T1053.005

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

4
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Scheduled Task/Job

7
T1053

Scheduled Task

7
T1053.005

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

4
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Subvert Trust Controls

3
T1553

Install Root Certificate

3
T1553.004

Modify Registry

8
T1112

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

14
T1012

System Information Discovery

18
T1082

Remote System Discovery

1
T1018

Peripheral Device Discovery

2
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks

static1

slaveratdefaultquasarpyinstallerxwormquasarasyncratempyreanagenttesla
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

execution
Score
8/10

behavioral6

quasartestingexecutionspywaretrojan
Score
10/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

quasarxwormslaveexecutionratspywaretrojan
Score
10/10

behavioral10

quasarxwormslaveexecutionratspywaretrojan
Score
10/10

behavioral11

asyncratquasarxwormdefaultslaveexecutionratspywaretrojan
Score
10/10

behavioral12

asyncratquasarxwormdefaultslaveexecutionratspywaretrojan
Score
10/10

behavioral13

asyncratquasarxwormdefaultslaveexecutionratspywaretrojan
Score
10/10

behavioral14

asyncratquasarxwormdefaultslaveexecutionratspywaretrojan
Score
10/10

behavioral15

execution
Score
3/10

behavioral16

execution
Score
3/10

behavioral17

execution
Score
8/10

behavioral18

xwormexecutionpersistencerattrojan
Score
10/10

behavioral19

xwormexecutionrattrojan
Score
10/10

behavioral20

xwormexecutionrattrojan
Score
10/10

behavioral21

xwormpersistencerattrojan
Score
10/10

behavioral22

xwormpersistencerattrojan
Score
10/10

behavioral23

Score
5/10

behavioral24

Score
10/10

behavioral25

spywarestealer
Score
8/10

behavioral26

Score
3/10

behavioral27

xwormdefense_evasionexecutionpersistencerattrojan
Score
10/10

behavioral28

execution
Score
8/10

behavioral29

asyncratquasarxwormdefaultslaveexecutionpersistenceratspywaretrojan
Score
10/10

behavioral30

Score
1/10

behavioral31

Score
1/10

behavioral32

evasion
Score
10/10