zgrat

Resubmissions

19/04/2024, 14:52

240419-r82wmafb32 10

19/04/2024, 14:48

240419-r6mnxsfa59 10

Sharing

Copy URL

Twitter E-mail

General

Target

dotNET_Reactor.zip
Size

16.9MB
Sample

240419-r82wmafb32
MD5

f4426ffd6d641bca1161b4ccca04a63c
SHA1

0262e258dc37f47b49e13355ff90d370d7bb53ba
SHA256

30202655ac09c4e87af419d8b461a2195fcc353f6ee7a6816b8075726e3e750b
SHA512

d89d070a62c9c850362a50e2922e1670a2473de38635dce7db7d32f91ec6a206c744e496a6da07c1e8460c5799f0883434a523e9d2ad171b90a88a801ae8c0ea
SSDEEP

393216:b0VcN4+XvRmPcT9Gh4MWhBwdA3gBpvc1fXyQlDVq8fB2nCZu7iqwLme:b0A/EPo9VMsB1WENVfdqAu4V

Score

10^/10

zgrat rat

Malware Config

Targets

- Target
  
  dotNET_Reactor/Help/License Agreement.html
- Size
  
  20KB
- MD5
  
  06c924279196f41e26319f9bf5e65bfa
- SHA1
  
  3c0077fdcb7fe9d2414e8490a165c5d45c78ac75
- SHA256
  
  ea175c9d9d6597cc35aebc53a6bdc10e1e914c6d5d6fc6c19e0da78b11b4b137
- SHA512
  
  d3234456a399628e0e4178612c1ebb02a37e74c3226f7cf31a1aa0330644debbe8f8095a83a7cb41dfc3ddd22695f8853a866094f0814d4698227de875625816
- SSDEEP
  
  384:Dhbkegxb0Fac9mfn3+2YCjDoAOIdHNY0B+:lAhxWfOnO6PAYq0B+
Score

1^/10
behavioral1
- Target
  
  dotNET_Reactor/Help/REACTOR_HELP.exe
- Size
  
  2.6MB
- MD5
  
  db1c91c8d1d7573371cac6a51bf3a1b9
- SHA1
  
  291fe96baeeca49fd4271f06b885477de284bf9c
- SHA256
  
  a3f0cebda251dcf4ccb5915d8ead90771f76e0df9fbb35193b74e4687852d473
- SHA512
  
  da066b919316ce98255562c41c4267dd3059695028d8c8b19ed1303a57b909efe0a333bb2d7a5020c5c0c88824e233242548d3673d7f8a01db11a393b92da3ca
- SSDEEP
  
  49152:7REPdRPWz0aXp8YttmYTnPFVpqW3LPDt78wqqRL9q2mhUdot8fsgL6WnWNM:72I0opZfTnPJVPDt78wqqlrm6St8fYWz
Score

4^/10
behavioral2
- Target
  
  dotNET_Reactor/NCC3.dll
- Size
  
  72KB
- MD5
  
  aa84f91edd922e7b3bb979e663c94f1a
- SHA1
  
  da46b9962a6c6cceef38c3e11b8b5bc9c1b536fa
- SHA256
  
  38274608d5a4b53ec22f8099f798ba46ce0ed41db65a33dfb3853f0dbf849f6f
- SHA512
  
  88392fc77a0300ece306908867be38011530d9eefdf003452ba86d82f2fa4a61c2b27a199f376ac307c095beaa4f52cefcab59c8b28fa187c0bca13f55f2d98b
- SSDEEP
  
  1536:a44UF/3qab79HtYDAD5MPEBq9iNv6qfSOBHfVW:a44G3fRMPiuuv6qqOBHfVW
Score

3^/10
behavioral3
- Target
  
  dotNET_Reactor/VS08ReactorAddin.dll
- Size
  
  133KB
- MD5
  
  b4c1e8023be1bd3af8425885ed5d02ce
- SHA1
  
  0d6e7eb3f8a6a442d7f7c030ddb0bdc5d907deed
- SHA256
  
  1952313f3a5c3b4e7a1269238dc070301c356bfb876471332d6439b6d3eefd12
- SHA512
  
  be0dec723b045afba3799435329b4c6dfa19997a4ba23725236f449990392f8531574eef1bf786bcf36777e7b72314d7210ed9e5508b114ae9a4112613436401
- SSDEEP
  
  1536:J1Ep+y0dr95DbEX1sJOSJCZQweMdYU+ZQweMdYU9:HS+y01fbEX+JOk
Score

1^/10
behavioral4
- Target
  
  dotNET_Reactor/VS13ReactorAddin.dll
- Size
  
  134KB
- MD5
  
  11ca1dfec3eaef207f6393d307cd5815
- SHA1
  
  c3e8d5267c6c295a0124dd396026ab07bf28ab09
- SHA256
  
  5e0efbda4f047575e7b7cd0ef047bddc7b05d5225f4a98a7d1ac93e28471e742
- SHA512
  
  bcac4268e3baf11ae8b8a87d6227f36b3c998040ef5301da5fd24e273d04827a74a5e027feb11decfddacfed2bbd2f86889fde63acf4e5c5c8adbc0e1b7ec935
- SSDEEP
  
  1536:xNfSLgOxb0fEonTpODxuHfr97OCzF1KRsNVpbdTRkr1sJOSJ4ZQweMdYUsZQweMc:xtScE8TIDefr97jFARsfpbd14+JOL
Score

1^/10
behavioral5
- Target
  
  dotNET_Reactor/VSPackage/15/dotNETReactorVSPackage.dll
- Size
  
  494KB
- MD5
  
  0a19a82669aec04520d5e4975483ba6e
- SHA1
  
  60a1ef331007b2bb4e1f9f0227343ffc91981a2f
- SHA256
  
  6af5fe0ee6ef40d813e22c376dfb0e2f240fd18cc9212370242449c343ab299f
- SHA512
  
  b76d54814eee0f2daaa641d3a2de8a89926115a53e13f1dc2a64d39aa7ca60d46c2f324e28b64978b4416c9135238b6bf7cf2b1b85506efe9bbe28940a396431
- SSDEEP
  
  768:Hcm08y23H9mFFcYdUtMfxVgkJWDXbcZj5XLwIiiiSSSSSSSSSSiiiiSSSSSSSSS6:8mHAFFcrIhWDXbcZ5w1nZQweMdYUp
Score

1^/10
behavioral6
- Target
  
  dotNET_Reactor/VSPackage/16/dotNETReactorVSPackage.dll
- Size
  
  519KB
- MD5
  
  64fab9617e4e2d948d68d9c11823039c
- SHA1
  
  a708dad42af651055b327a83e45954e368a6d343
- SHA256
  
  f4eacdb8c20c93fd4d7d1c4ef2c02c0949ac6eb2a7661a759f18613a100ce3ae
- SHA512
  
  4facf00b4e3348836a2ab51f6a442aca790c868e3abbff285a5043b885d82c453c9675717ca513ab33386cd559d2830a2178e16feea13c97d9849492900a098c
- SSDEEP
  
  3072:x/1RKji2074wvPR3TbMNRuWwRl1ASqqWT:xl4cPZbTWwRl1ASq
Score

1^/10
behavioral7
- Target
  
  dotNET_Reactor/VSPackage/17/dotNETReactorVSPackage.dll
- Size
  
  520KB
- MD5
  
  485ef536675fe48be65aa52158db8c75
- SHA1
  
  4f621754107cf58d7c45ae613b52ce13347982fc
- SHA256
  
  a53c16197c7c83e42c08d3e273e11467f991f85ec804686801c5ffcf073cb2f8
- SHA512
  
  44c1abab67a9c19d5f79388ee859dbd439c555c623d49fc286281c33f4fe492b2d02b578ce555711700d84e4de3f47512e532437ae5e15209597bbfceeeb4109
- SSDEEP
  
  1536:QLxQ2UWs68E3+BoQYNzJ6K3IbzMOJXRuGO26RciJ191Ak9VViqvn:iBUWsUvNd3IbJ1RuhRl1ASqqvn
Score

1^/10
behavioral8
- Target
  
  dotNET_Reactor/VSPackage/dotNET Reactor VSPackage.dll
- Size
  
  79KB
- MD5
  
  1d0bcae08d5dbeda966db1c40bfb1e63
- SHA1
  
  cd4226f668ba3ec60cb43f07b93cfd6030b33c72
- SHA256
  
  467f0149653f4f902e04c09680b3688331dd864d3c5b19a11823700a1088d887
- SHA512
  
  e5ae9cc174a0282f492f5740f50e73c40c64ab4de6a4d08f47067dce1321d7e88ce7bfc254bfdd6e5a9092f3d1e8018c9e0f27a0c15087b06ab9cf561c58b7f1
- SSDEEP
  
  1536:N8nMmUIi/v3vTJAgcic/CIbLfIruIZQweMdYUD:aMmU5Xs33bsrd
Score

1^/10
behavioral9
- Target
  
  dotNET_Reactor/VSReactorAddin.dll
- Size
  
  97KB
- MD5
  
  afc9814513e9cfb6a7905f1e6186e195
- SHA1
  
  641c75d7f0891fe5a4007b57cff863ee667a6d29
- SHA256
  
  a2629e2c3bf06260116bd88b07a8ee4fc8846367c9d8de53608ad5b4aadeb9db
- SHA512
  
  34ec4738c20b16fb22f600b0be84647a127d7c134365d53e78b8b3fcc5b38a4a91390503fd4d445b439831fe0fbd4a5bfa70216dc53c8df5daaa2b9f084a5f50
- SSDEEP
  
  1536:mnQAvDNONuHEEJTRkfLCbZGCZQweMdYUA1sJOSJE:lAvJKukYdkObZGt+JOt
Score

1^/10
behavioral10
- Target
  
  dotNET_Reactor/VSReactorAddin_Mycc.dll
- Size
  
  83KB
- MD5
  
  647a20820ac329add083be7bc04f0596
- SHA1
  
  fa7ea97a29f9e32921cbe0a9d3093cf9e8f3bcd3
- SHA256
  
  05d8a7d2562b9808c3c1bcea19dc7db9ad9ad9f64f21b386d2c7ee67b83e5dc8
- SHA512
  
  e191f0e156b6aa2fe66cf884f3ce50c14cb1437b131ec7e64a038a52ee9700529d47f6d08313bcffeefce446e1e0f30c8d489798359448b5b50fb32d269fa95a
- SSDEEP
  
  768:aeToqJPCR81M6CJoXKR2TZfWXNKeINdM0mDUNq1Q5DJOSJqb4+Hr9Or3bZGuewL5:aMo3W1HtZQweMdYUA1sJOSJ3iCbZGw
Score

1^/10
behavioral11
- Target
  
  dotNET_Reactor/dotNET_Reactor.Console.exe
- Size
  
  34KB
- MD5
  
  69d18a3245f3c2fd02c82304c494e977
- SHA1
  
  049cda6bc59daeadfe82fce2197e0e15c2847a7b
- SHA256
  
  b55b0a652538836ed681c2afd985310fd39ad2f31ac159847fc46a6065f3232e
- SHA512
  
  5791cffbc2389eaaf18e4f31c320325d4bdfadf7ab00c847bfedccbea8fec26a3f4452877d00c95e0573e90306d7a2c988c00fcb7d495ac22955c7f64fb047c3
- SSDEEP
  
  768:5oOABBREOgrMTPrZwbiRPp7yMkZwuzZyiRYn7:5oHB2OlfZwbixp7yMkZwWZyien7
Score

10^/10

zgrat rat
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral12
- Target
  
  dotNET_Reactor/dotNET_Reactor.exe
- Size
  
  13.3MB
- MD5
  
  bd73df4cf427511993075f7a16e037a5
- SHA1
  
  63f116641b0655f53e93d62ae559d510ed5af134
- SHA256
  
  fa0a32d408a8df70ec44f3d2374b058f57b86ff49b8068b8c68f8505d3463970
- SHA512
  
  49ad63e65e1f6a454778c904727c948969145eb09457105093af463d933413a7d30437051c7ddb8ded0b46d38b2018a1a78c83af582ab6775bef870057a9dfc3
- SSDEEP
  
  393216:xfuP82nPJiP63TKZqkoPrSz4rkZD1K1fU:xqPIPgTxkqrV6YN
Score

10^/10

zgrat rat
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral13
- Target
  
  dotNET_Reactor/runtimes/brolib_x64.dll
- Size
  
  804KB
- MD5
  
  8088c07ec85e0d3149a9ba7c03129d16
- SHA1
  
  8341cf644ef0d94e5f7088bb478f19718586284a
- SHA256
  
  b3ab6d185c0f2d4af15df8c0af800a5c3dfcd725454da8809a9168587ef3c3e8
- SHA512
  
  7bb73483d8b4fad17e5c9792eaf2ecf88347d33aa38d0533579be9b25b516deed292c404334a5f5d242911c4a21e5ce5bc22bbcbed6f1aee4f7003572701ad04
- SSDEEP
  
  12288:Or3Tvu99YBDQCzVgi0LQJnN8ZXTw05nmZfRLMIAHhly9UF:OXvcY6JMJSiAmZfRL7Ama
Score

1^/10
behavioral14
- Target
  
  dotNET_Reactor/runtimes/brolib_x86.dll
- Size
  
  741KB
- MD5
  
  f32f8264a9be91fb4fc76e70943e67ab
- SHA1
  
  aa8d5ede0dd3647fb02c5d37c915b7599e0fff45
- SHA256
  
  993e764d172013dc43ead42a6d8e807194530957dffa06d5eec9b53e2a00934c
- SHA512
  
  1c29004739717c6c360b04bf66542828aad9f34bf0cc37e4a780c2613141c1e846d67b69dd7537479a488064147c5ba9530b4eb9b5171cdff8b5394314174e1e
- SSDEEP
  
  12288:xQsZg52nrBEgCF5kD2XFm2+3m2R9h8UXTw05nmZfRWMmAHhlyIu:xs2n1ExkD2XFm2+3m2+fAmZfRWVAx
Score

3^/10
behavioral15

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Targets

Detect ZGRat V1

.NET Reactor proctector

Suspicious use of NtSetInformationThreadHideFromDebugger

Detect ZGRat V1

ZGRat

.NET Reactor proctector

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15