zgrat | fb35fa679d6452d6944de5029b1f9c39749d890d3322b90c017d35d78ac7b095 | Triage

Submit
Reports

Overview

overview

Static

static

7

OverWolf C....1.exe

windows10-1703-x64

Sharing

General

Target

OverWolf_Crypter.zip
Size

36.5MB
Sample

240501-yzy7psfe3y
MD5

6d2675dad2efbb61a8209337043cd06d
SHA1

53d9c069729291c6c567082dab3152ff102164dc
SHA256

fb35fa679d6452d6944de5029b1f9c39749d890d3322b90c017d35d78ac7b095
SHA512

07b8d95879a8f92dbbb67b2c9ba84a7cd50e1feeadbdda63f9cabf70e94a5a9496114199088b1f728c40cc797b105d86132e2927f94983df0e32bdd177daeaba
SSDEEP

786432:Ip4PvgSVcZuPrdc9mbxBXv1JvJEbWUGeIfaR5Zsegcx4a+kODq2:IKPvjcuRBb31JvJ2GnsZs5OODB

Score

10^/10

zgrat agilenet evasion rat themida trojan

Static task

static1

agilenet themida

3 signatures

Behavioral task

behavioral1

Sample

OverWolf Crypter 1.1.exe

Resource

win10-20240404-en

zgrat agilenet evasion rat themida trojan

windows10-1703-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  OverWolf Crypter 1.1.exe
- Size
  
  35.3MB
- MD5
  
  dea64aebd0b2051617afb8125de0d53e
- SHA1
  
  b0e4a4b64505d739e8b6cf0cb19daf7f19934e00
- SHA256
  
  50062d171fd4f80379d3a1bdadc1c4c6c4ac6a2640e708d8471f3dc9614e5ed4
- SHA512
  
  4d8f781c98dcfbfb9a262127a8fba6042901a49e2dfbeab57212b2ae72930718840dfdbf20058b206c149039c19a8f7be4b13a5c9d8185e572664f2c93160a4e
- SSDEEP
  
  786432:MfeJhmSTrKdgwppe+aJEe77zZY+HRzO/DPeZry7zd0:jpR+a6CJYGRzO/beVym
Score

10^/10

zgrat agilenet evasion rat themida trojan
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

agilenetthemida

behavioral1

zgratagilenetevasionratthemidatrojan

© 2018-2024

Terms | Privacy