Extracted

• • Target

    Iz{$_owt)[.exe

  • Size

    717KB

  • MD5

    ec88a4c1dcfb3861f6c9c364deeabd94

  • SHA1

    ed0d81e041345ddc9ff9fea8bad197ee1a66fe82

  • SHA256

    23722503bdcc20ab9e6482bb2d3e92e50b13443799f361975bb36a91f0eeb895

  • SHA512

    81f6ed64f54778aa59afbc515dd6a40b5acac397348801dadbddcfdc15711144c3085e08099ba2a28a98055039916ade0e0cde1ea6fcf78b1f5962e8651609a7

  • SSDEEP

    12288:rtHCL6YFXDk8fwYXzlRLf3AM+lsEttF2s9NgztG2Qk/sxJhT:xHq6Y5hRLsGEvF2sOtGkIh

  Score

  10^/10

  azorultzgratdiscoveryevasioninfostealerrattrojanupx

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult

  • Detect ZGRat V1

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat

  • Downloads MZ/PE file

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1