Extracted

• • Target

    2b9a64f8e7b800ea300fbb68500a3184_JaffaCakes118

  • Size

    2KB

  • MD5

    2b9a64f8e7b800ea300fbb68500a3184

  • SHA1

    18191da11de186380771db4e67abe007d26f9942

  • SHA256

    b58b42739a60da518b3cfe6ccda1755372b36ece77f14fbb2c1c4661a1df3fc6

  • SHA512

    8768f281aa085f2ca8dd7f23cf79901f265a3a00e6b05913015744f99e1bb42789138ec6a7ccf6a53e6947c42c0f130742ba85836f4319390a40d31d3b57b6c2

  Score

  10^/10

  rhadamanthyszgratexecutionratstealer

  • Detect ZGRat V1

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2