Extracted

• • Target

    a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0.exe

  • Size

    2.7MB

  • MD5

    731ff38afbc5a664f5a458e222d91f84

  • SHA1

    5105f89898a3d9e5b5b52ddcd7d0a3b167aaf701

  • SHA256

    a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0

  • SHA512

    910b1c9fb8e28c3f24d35a875ff86f3ab2e2c573797e078ece204538a3bdc6d42bc92531197e57be577ffb2e4cacdd53fec6a61843e6c69be4794e68506f68c3

  • SSDEEP

    24576:3RoBHi3buy4toE1jC6Ayo2xhWLbSPlqRvc68XzRVGvxB5VA0UC1dUUKj/OZ8j3g3:BoKmo4jC6TovDRUC1doj/Tg3

  Score

  10^/10

  gluptebastealczgratdiscoverydropperevasionexecutionloaderratspywarestealer

  • Detect ZGRat V1

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba

  • Glupteba payload

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat

  • Detect binaries embedding considerable number of MFA browser extension IDs.

  • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

  • Detects Windows executables referencing non-Windows User-Agents

  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

  • Detects encrypted or obfuscated .NET executables

  • Detects executables (downlaoders) containing URLs to raw contents of a paste

  • Detects executables Discord URL observed in first stage droppers

  • Detects executables containing URLs to raw contents of a Github gist

  • Detects executables containing artifacts associated with disabling Widnows Defender

  • Detects executables referencing many varying, potentially fake Windows User-Agents

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Drops Chrome extension

  • Drops desktop.ini file(s)

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2