General

  • Target

    dc87c553f18d409daafd6af7f4feaab1685367c573d22181ca1397737b92d93b

  • Size

    409KB

  • Sample

    240322-aj78nsdd72

  • MD5

    29c17bac7bd976f82a4d3585d17fb89b

  • SHA1

    940c2887c6119ab5d1d122aafdf2202dfb531379

  • SHA256

    dc87c553f18d409daafd6af7f4feaab1685367c573d22181ca1397737b92d93b

  • SHA512

    7b5cc9660553e2b678785e44f36cb539267326d32818389954421c1399ace8ec05329a25e774d195119f8349e1b7aed94f7159e84c479510e6ce8d360134e928

  • SSDEEP

    6144:Jm6lOzD+VISaP8j/1+UtArRTOpGEsKmqYBd3a5eRkTjzUAfJkm/:w6lOzyVIbPzcA1WGwmqqdqU6LHum/

Malware Config

Extracted

  • Family

    stealc

  • C2

    http://185.172.128.209

  • Attributes

    url_path: /3cd2b41cbde8fc9c.php

Targets

    • Buer

      Buer is a new modular loader first seen in August 2019.

    • Detect ZGRat V1

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks