Extracted

• • Target

    ISetup8.exe

  • Size

    451KB

  • MD5

    762256f7246e75a7537109d5371af60b

  • SHA1

    953a670596dc2ded2aa93b6a1e6e3332aadfd7af

  • SHA256

    e43b79bf105ec37a7cfff9ad84ea28a0320f1aeba4b47fa5ad119672f9b52acb

  • SHA512

    aeb4937d560d212046404788cbfe85fafb412736c6e487409c6cbca9827c4a127865f060acb6982f07b78411ceec8052d29f8bb893efe7c357640bd594c55b48

  • SSDEEP

    6144:+0HYlMeYOX8mE94DowCxV0jZVqmnvi1UVX1Zbt2S0gjaUH:+04lMXmQ4LCxWjZji1U/rhaUH

  Score

  10^/10

  sectopratstealczgratzloaderbotnetdiscoveryevasionpersistenceratspywarestealertrojan

  • Detect ZGRat V1

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat

  • SectopRAT payload

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat

  • Zloader, Terdot, DELoader, ZeusSphinx

    Zloader is a malware strain that was initially discovered back in August 2015.

    trojanbotnetzloader

  • Downloads MZ/PE file

  • Drops file in Drivers directory

  • Modifies Windows Firewall

    evasion

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Registers COM server for autorun

    persistence

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of SetThreadContext

  behavioral1behavioral2