Extracted

• • Target

    815329af40c012e99c3adba70ebff5014fbde645b8e433344f51966d34580283.exe

  • Size

    1.4MB

  • MD5

    d2526483ef4129e63bbf80025b8e10ec

  • SHA1

    4c71c524cd7176b858db856e63fc39ab043595e7

  • SHA256

    815329af40c012e99c3adba70ebff5014fbde645b8e433344f51966d34580283

  • SHA512

    15c8913ecf7f234b0ad598f67d4073199635dba4e701fb4c6394e6919597977c931e2040129defd4c2132b4a927d1061714f16c11fdcde3fd3d49d8f301b65d0

  • SSDEEP

    24576:jrVwDIOjBTiCcv9WeAvHUFQkHNJxrx0uHctgGqM0FvjAirjlUIxB:j3dzA/CQk/d9ct0MEvjvj

  Score

  10^/10

  modiloaderzgratpersistenceratspywarestealertrojan

  • Detect ZGRat V1

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat

  • Detect packed .NET executables. Mostly AgentTeslaV4.

  • ModiLoader Second Stage

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads WinSCP keys stored on the system

    Tries to access WinSCP stored sessions.

    spywarestealer

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2