Windows
Analysis Report
SecuriteInfo.com.Trojan.MSIL.zgRAT.Heur.21652.15881.exe
Overview
General Information
Detection
PureLog Stealer, zgRAT
Score | Range | Whitelisted | Confidence
---|---|---|---
40 | 0 - 100 | false | 100%
Compliance
Score | Range
---|---
36 | 0 - 100
Signatures
Malicious sample detected (through community Yara rule)
Yara detected PureLog Stealer
Yara detected zgRAT
Modifies the windows firewall
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Connects to many different domains
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
EXE planting / hijacking vulnerabilities found
Found URL in obfuscated visual basic script code
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Use Short Name Path in Command Line
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- SecuriteInfo.com.Trojan.MSIL.zgRAT.Heur.21652.15881.exe (PID: 2632 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.zgRAT.Heur.21652.15881.exe" MD5: 78537045A5E032D4AC93514F027C7A47)
- FiddlerSetup.exe (PID: 6724 cmdline: "C:\Users\user~1\AppData\Local\Temp\nsiE437.tmp\FiddlerSetup.exe" /D= MD5: 5D96B95B066D797C7C468D125882DDCF)
- netsh.exe (PID: 7216 cmdline: "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="FiddlerProxy" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
- conhost.exe (PID: 7224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- netsh.exe (PID: 7232 cmdline: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="FiddlerProxy" program="C:\Users\user\AppData\Local\Programs\Fiddler\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound connections to Fiddler" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
- conhost.exe (PID: 7252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ngen.exe (PID: 7260 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\user\AppData\Local\Programs\Fiddler\Fiddler.exe" MD5: B6C3FE33B436E5006514403824F17C66)
- conhost.exe (PID: 7276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- mscorsvw.exe (PID: 7476 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 7248 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 0 -NGENProcess 260 -Pipe 268 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 7384 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 0 -NGENProcess 270 -Pipe 278 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 7404 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 280 -Pipe 288 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 7272 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 0 -NGENProcess 290 -Pipe 298 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 7972 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 0 -NGENProcess 2dc -Pipe 264 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 1860 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 0 -NGENProcess 2fc -Pipe 290 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 2840 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 0 -NGENProcess 26c -Pipe 2c8 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 2992 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 0 -NGENProcess 294 -Pipe 304 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 1920 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 0 -NGENProcess 2f0 -Pipe 2ec -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 4736 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 0 -NGENProcess 2f0 -Pipe 2f4 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 5576 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 0 -NGENProcess 2f4 -Pipe 264 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 4704 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 2dc -Pipe 304 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 4240 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 330 -Pipe 328 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 5128 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 0 -NGENProcess 320 -Pipe 30c -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 1540 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 0 -NGENProcess 18c -Pipe 330 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 6488 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 0 -NGENProcess 280 -Pipe 270 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 2648 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 324 -Pipe 2f4 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 2916 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 0 -NGENProcess 2a4 -Pipe 328 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 576 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 0 -NGENProcess 338 -Pipe 18c -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 3084 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 320 -Pipe 334 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 7900 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 0 -NGENProcess 34c -Pipe 31c -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 6544 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 0 -NGENProcess 354 -Pipe 328 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 2692 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 0 -NGENProcess 340 -Pipe 360 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 2056 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 0 -NGENProcess 38c -Pipe 398 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 7372 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 0 -NGENProcess 370 -Pipe 36c -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 7116 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 0 -NGENProcess 3a8 -Pipe 3b0 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 3588 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 0 -NGENProcess 3cc -Pipe 394 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 2044 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 0 -NGENProcess 3ac -Pipe 384 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 4504 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 0 -NGENProcess 3dc -Pipe 3e8 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 6336 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 0 -NGENProcess 3b4 -Pipe 280 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 7492 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 0 -NGENProcess 3a4 -Pipe 370 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 3576 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 0 -NGENProcess 3d0 -Pipe 3c4 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 7944 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 0 -NGENProcess 3e4 -Pipe 3e0 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 7360 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 0 -NGENProcess 3ec -Pipe 3c0 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 2916 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 0 -NGENProcess 3a8 -Pipe 3c8 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 2928 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 0 -NGENProcess 3e4 -Pipe 3ec -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 6812 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 0 -NGENProcess 3bc -Pipe 3b8 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 7048 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 0 -NGENProcess 3d8 -Pipe 3a0 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 5208 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 0 -NGENProcess 3ac -Pipe 3d4 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 7240 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 0 -NGENProcess 3d8 -Pipe 3b8 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 2908 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 0 -NGENProcess 3d0 -Pipe 388 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 3920 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 0 -NGENProcess 3d8 -Pipe 3e4 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ngen.exe (PID: 7284 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\user\AppData\Local\Programs\Fiddler\EnableLoopback.exe" MD5: B6C3FE33B436E5006514403824F17C66)
- conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- mscorsvw.exe (PID: 6332 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 0 -NGENProcess 1c4 -Pipe 1d0 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 4524 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 0 -NGENProcess 298 -Pipe 2a0 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 7748 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 0 -NGENProcess 268 -Pipe 2bc -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 7216 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 0 -NGENProcess 2a8 -Pipe 2b0 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 5204 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 0 -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 7236 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 0 -NGENProcess 300 -Pipe 334 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- mscorsvw.exe (PID: 5932 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 2b8 -Pipe 2c0 -Comment "NGen Worker Process" MD5: 412A3FB0C25743DA59375C1E298933EA)
- SetupHelper (PID: 7296 cmdline: "C:\Users\user\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\user\AppData\Local\Programs\Fiddler" MD5: 1289DC21A51FB89E685FA4C91764C00E)
- conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- chrome.exe (PID: 7596 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://fiddler2.com/r/?Fiddler2FirstRun MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
- chrome.exe (PID: 7880 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2660 --field-trial-handle=2244,i,18061082204408847072,8654867018620333004,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link
---|---|---|---|---
zgRAT | zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT also has an infostealer component that targets browser information and crypto wallets. It usually spreads via USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and similar. | No Attribution | |
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
System Summary (Sigma)
Source | Author
---|---
| Max Altgelt (Nextron Systems)
| frack113, Nasreddine Bencherchali
| frack113
No Snort rule has matched
Code functions flagged:
- 1_2_0040687E
- 1_2_00405C2D
- 1_2_00402910
- 3_2_00402910
- 3_2_004069DF
- 3_2_00405D8E