Resubmissions

29-04-2024 23:38

240429-3mv2qsdg77 10

29-04-2024 19:52

240429-ylvx5abe9s 10

General

  • Target

    19f69ab66f36fec6887b22cd80df485311a63cf71eeb3e76e5824822c64b22f3

  • Size

    347KB

  • Sample

    240429-3mv2qsdg77

  • MD5

    f22010f23446baebc9bc52f97b0b2df8

  • SHA1

    8f5ccc85fb2eea1f496402df21faf0f988a196f2

  • SHA256

    19f69ab66f36fec6887b22cd80df485311a63cf71eeb3e76e5824822c64b22f3

  • SHA512

    bb72d18151c438b67f047689e48970849b7352d990beba3eaebdecb0f62b3ced2205ae55cd76871dff925ba7b8ba25d5354340993753679932e51efcdf3c6e96

  • SSDEEP

    6144:dD0MWKPc0wJk+uRjiu4FpXFr9TgvzI3OrfP:aMWPJKQFpXFR0vzjP

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes

  • url_path

    /c698e1bc8a2f5e6d.php

Targets

    • Target

      19f69ab66f36fec6887b22cd80df485311a63cf71eeb3e76e5824822c64b22f3

    • Size

      347KB

    • MD5

      f22010f23446baebc9bc52f97b0b2df8

    • SHA1

      8f5ccc85fb2eea1f496402df21faf0f988a196f2

    • SHA256

      19f69ab66f36fec6887b22cd80df485311a63cf71eeb3e76e5824822c64b22f3

    • SHA512

      bb72d18151c438b67f047689e48970849b7352d990beba3eaebdecb0f62b3ced2205ae55cd76871dff925ba7b8ba25d5354340993753679932e51efcdf3c6e96

    • SSDEEP

      6144:dD0MWKPc0wJk+uRjiu4FpXFr9TgvzI3OrfP:aMWPJKQFpXFR0vzjP

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Registers COM server for autorun

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks