Extracted

• • Target

    e4877fdceffd87cec166b266532a431e0d5e7644d950ce9566d2f14bc18be5e2.exe

  • Size

    3.0MB

  • MD5

    097a014e9066d6a4dd30e057e18eb511

  • SHA1

    2baa37cdc9b69e4083fdf468240cbacb1f2851ae

  • SHA256

    e4877fdceffd87cec166b266532a431e0d5e7644d950ce9566d2f14bc18be5e2

  • SHA512

    3409f75f0d073146410ebf31f487626e0c5fc01abb962f56b673256e72981f3e4f5c063e6690feeff1b2937bd14b453c38823242c9dee9e607fe63888d9ad627

  • SSDEEP

    49152:HzcK4Uk57r6mnw8fqFEIawGt2jlobG+FVSA7tffhpZ4F/3:HzvMWmnZSVawGtjHFVS8ffDZ4J

  Score

  10^/10

  zgratratstealcvidarspywarestealer

  • Detect Vidar Stealer

    stealer

  • Detect ZGRat V1

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat

  • Detect binaries embedding considerable number of MFA browser extension IDs.

  • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

  • Detects Windows executables referencing non-Windows User-Agents

  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

  • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

  • Detects executables containing potential Windows Defender anti-emulation checks

  • Detects executables packed with unregistered version of .NET Reactor

  • Downloads MZ/PE file

  • .NET Reactor proctector

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Loads dropped DLL

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Suspicious use of SetThreadContext

  behavioral1behavioral2