zgrat | tmp | Triage

Resubmissions

02-02-2024 11:51

240202-n1a66adbc3 10

Sharing

General

Target

tmp
Size

4.3MB
MD5

dc101ebccce8a5d7f83b4b6ae5d49178
SHA1

0e049dce0518d7f45077202de084610e51bc0ace
SHA256

458278fff0ef4dc89dbb774d8ef79bbd91e6390182e1dee60a534583f425b11b
SHA512

29749129569b804d12b4af4a2de8b3d8be104c915ac1061ce8cd8c9e33856f3e40ccc5fa121324aa5b70ce7582def95adf4c1e1a2177894ddbe10341a09b39b7
SSDEEP

98304:k1CxiKNDAMrWXrm+G/Mul2rq/aReDkizMeQUD1:+CxiLOUr6/Mul2rVe4iwVUD1

Score

10^/10

zgrat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource yara_rule

sample family_zgrat_v1
Zgrat family
zgrat
.NET Reactor proctector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource yara_rule

sample net_reactor
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

tmp

Files

tmp
.exe windows:4 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.text
Size: 4.1MB - Virtual size: 4.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 119KB - Virtual size: 118KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ