Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20231215-en
General
-
Target
tmp
-
Size
4.3MB
-
MD5
dc101ebccce8a5d7f83b4b6ae5d49178
-
SHA1
0e049dce0518d7f45077202de084610e51bc0ace
-
SHA256
458278fff0ef4dc89dbb774d8ef79bbd91e6390182e1dee60a534583f425b11b
-
SHA512
29749129569b804d12b4af4a2de8b3d8be104c915ac1061ce8cd8c9e33856f3e40ccc5fa121324aa5b70ce7582def95adf4c1e1a2177894ddbe10341a09b39b7
-
SSDEEP
98304:k1CxiKNDAMrWXrm+G/Mul2rq/aReDkizMeQUD1:+CxiLOUr6/Mul2rVe4iwVUD1
Malware Config
Signatures
-
Detect ZGRat V1 1 IoCs
Processes:
resource yara_rule sample family_zgrat_v1 -
Zgrat family
-
.NET Reactor proctector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
resource yara_rule sample net_reactor -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
Processes:
resource tmp
Files
-
tmp.exe windows:4 windows x64 arch:x64
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
Sections
.text Size: 4.1MB - Virtual size: 4.1MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 119KB - Virtual size: 118KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ