Extracted

• • Target

    d509e1399b2d2b7e63fa606b7a6c2337f1dba88aa129f38f2d64c94cea1c2596

  • Size

    455KB

  • MD5

    c592d8df384b0fa730dda4f3b486b433

  • SHA1

    d01f0fabf1e1cd1e2baecf9859ebab7fb8d32adb

  • SHA256

    d509e1399b2d2b7e63fa606b7a6c2337f1dba88aa129f38f2d64c94cea1c2596

  • SHA512

    dc6c00639dd63496ee326838f242104ceb15e53df049b318b6d6e2d5510bdab4fba6d47fb46af994e375f13554ba519a4bce78ab4e939a40ddcb0d407fd61e5b

  • SSDEEP

    6144:/kQovcEzShy9BhYyKVPJq/URCX68fELkHlVAwmN8HGPq1Mv4qb4/f:8QoUgSUAnRCL8YHLAWH9eAU4/f

  Score

  10^/10

  sectopratstealczgratdiscoveryratspywarestealertrojanbuerloader

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer

  • Detect ZGRat V1

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat

  • SectopRAT payload

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of SetThreadContext

  behavioral1behavioral2