General
-
Target
gbound.hta
-
Size
9KB
-
Sample
240513-d775cshf4t
-
MD5
344020eda12e49be499998ace856ed47
-
SHA1
f0a7431a73e7cb0be73fbc588bd91cf173f672d3
-
SHA256
355851dbcd13c36aa58da3c34213e30e15b2a299f6fbe7611b07b07679041ac4
-
SHA512
c3a949de4b8d79b84be37d4b4695a7ccde2b2da583ef998442cb0d9a7191756bcf3d67cf5c2da476f3590823177d07355a9151df32c10d259a32bc4f1fea3b90
-
SSDEEP
192:w1YCCf214wpenCk59zcntnonzcE6LChVg+D0SDs/:w/Cf214UenCkncntnonzcE6kVgmRs/
Static task
static1
Behavioral task
behavioral1
Sample
gbound.hta
Resource
win7-20231129-en
Malware Config
Targets
-
-
Target
gbound.hta
-
Size
9KB
-
MD5
344020eda12e49be499998ace856ed47
-
SHA1
f0a7431a73e7cb0be73fbc588bd91cf173f672d3
-
SHA256
355851dbcd13c36aa58da3c34213e30e15b2a299f6fbe7611b07b07679041ac4
-
SHA512
c3a949de4b8d79b84be37d4b4695a7ccde2b2da583ef998442cb0d9a7191756bcf3d67cf5c2da476f3590823177d07355a9151df32c10d259a32bc4f1fea3b90
-
SSDEEP
192:w1YCCf214wpenCk59zcntnonzcE6LChVg+D0SDs/:w/Cf214UenCkncntnonzcE6kVgmRs/
-
Detect ZGRat V1
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-