Extracted

• • Target

    0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe

  • Size

    409KB

  • MD5

    edcd9de4254f050ffa56e723be49c0c5

  • SHA1

    054c541726383f1d70572f72a83ad86061141d64

  • SHA256

    0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3

  • SHA512

    aadf2f8fd82146c1174efe01261871caff89ba0ca3b18c6be77472609b8dbfa8b4c2b9d15968a7d423be9af0c79005311663478bd6d79fbcb87cf42a5bd20328

  • SSDEEP

    12288:AiwMdowCeYkiyh9bGfD7NUwW1ROABchrj9j48Re9TY:AiwQowukiS4iwGROuqrj91

  Score

  10^/10

  gluptebastealczgratdropperevasionexecutionloaderratstealertrojanupx

  • Detect ZGRat V1

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba payload

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat

  • Modifies boot configuration data using bcdedit

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Possible attempt to disable PatchGuard

    Rootkits can use kernel patching to embed themselves in an operating system.

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Windows security modification

    evasiontrojan

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2