Hunt package for 3 IOCs associated with ZynorRAT
Malware Family: ZynorRAT
Total IOCs: 3
IOC Types: sha1_hash, sha256_hash, md5_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| sha1_hash | 103b05b20c9c625fe9e38bc3973fc0cc58b797e7 | payload | 2026-06-17 | 95% |
| md5_hash | 8f4739d863929bd0b22a0d4a569cf72c | payload | 2026-06-17 | 95% |
| sha256_hash | 037e5fe028a60604523b840794d06c8f70a9c523a832a97ecaaccd9f419e364a | payload | 2026-06-17 | 95% |
```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - ZynorRAT
// One list per digest type, so each column is compared only with hashes of its own length
let sha1_hashes = dynamic(["103b05b20c9c625fe9e38bc3973fc0cc58b797e7"]);
let md5_hashes = dynamic(["8f4739d863929bd0b22a0d4a569cf72c"]);
let sha256_hashes = dynamic(["037e5fe028a60604523b840794d06c8f70a9c523a832a97ecaaccd9f419e364a"]);
DeviceFileEvents
| where SHA256 in (sha256_hashes) or SHA1 in (sha1_hashes) or MD5 in (md5_hashes)
// Project all three digests so the matching value is visible regardless of which column hit
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, SHA1, MD5, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate scheduled job using schtasks.exe | A legitimate scheduled task is created using schtasks.exe to run a maintenance script. | Exclude processes initiated by schtasks.exe with known benign command-line arguments or scripts. |
| Admin using PowerShell.exe for system monitoring | An administrator is using PowerShell to monitor system performance or collect logs, which may include commands similar to those used by ZynorRAT. | Exclude PowerShell scripts executed from trusted directories (e.g., C:\Windows\System32\) or by users with administrative privileges during known maintenance windows. |
| Software update using msiexec.exe | A legitimate software update is being deployed using msiexec.exe, which may trigger the same IOCs as ZynorRAT. | Exclude processes initiated by msiexec.exe with known update package hashes or from trusted vendor sources. |
| Log collection using logparser.exe | A log analysis tool like logparser.exe is being used to aggregate and analyze system logs, which may involve similar file or registry access patterns. | Exclude processes running logparser.exe with known log processing command-line arguments or from trusted log management tools. |
| Backup job using vssadmin.exe | A backup job is initiated using vssadmin.exe to create a shadow copy for data protection, which may involve similar system-level operations. | Exclude processes initiated by vssadmin.exe during scheduled backup windows or from known backup software vendors. |
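The hash hunt above and the msiexec.exe exclusion scenario, re-implemented over DeviceFileEvents-style rows so the matching and tuning logic can be checked offline. This is an added example, not part of the ThreatFox package: the three IOC values are the package's, while `KNOWN_UPDATE_PACKAGE_HASHES`, the `FileEvent` row shape and the sample rows are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
# The package's three IOCs, lowercased and keyed by digest length so each event
# column (MD5/SHA1/SHA256) is compared only with hashes of its own type.
IOCS_BY_LENGTH = {}
for _h in ("103b05b20c9c625fe9e38bc3973fc0cc58b797e7", "8f4739d863929bd0b22a0d4a569cf72c",
           "037e5fe028a60604523b840794d06c8f70a9c523a832a97ecaaccd9f419e364a"):
    IOCS_BY_LENGTH.setdefault(len(_h), set()).add(_h.lower())

# Tuning input for the msiexec.exe scenario: SHA256 of vendor update packages you have
# verified (constructed placeholder value, not from the package).
KNOWN_UPDATE_PACKAGE_HASHES = {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}

@dataclass
class FileEvent:  # one DeviceFileEvents-style row (constructed shape)
    timestamp: datetime
    device_name: str
    file_name: str
    sha256: str
    sha1: str
    md5: str
    initiating_process: str

def matched_column(ev):
    """Mirror the query's `where` clause: return the column that hit an IOC, else None."""
    for col, val in (("SHA256", ev.sha256), ("SHA1", ev.sha1), ("MD5", ev.md5)):
        if val and val.lower() in IOCS_BY_LENGTH.get(len(val), set()):
            return col
    return None

def is_known_update(ev):
    """msiexec.exe exclusion keyed on the verified package hash, not on the process name alone."""
    return (ev.initiating_process.lower() == "msiexec.exe"
            and ev.sha256.lower() in KNOWN_UPDATE_PACKAGE_HASHES)

def hunt(events):
    """Hits newest first; an IOC hit is dropped only when its own hash is a verified package."""
    hits = [(ev, col) for ev in events if (col := matched_column(ev)) and not is_known_update(ev)]
    return sorted(hits, key=lambda h: h[0].timestamp, reverse=True)
# Constructed sample rows: a SHA1 hit with an upper-case hash, a SHA256 hit written by
# msiexec.exe (still reported), a verified vendor package, and an unrelated file.
SAMPLE_EVENTS = [
    FileEvent(datetime(2026, 6, 17, 9, 5), "ws01", "svc.exe", "b" * 64,
              "103B05B20C9C625FE9E38BC3973FC0CC58B797E7", "c" * 32, "explorer.exe"),
    FileEvent(datetime(2026, 6, 17, 11, 30), "ws02", "update.tmp",
              "037e5fe028a60604523b840794d06c8f70a9c523a832a97ecaaccd9f419e364a", "a" * 40, "c" * 32, "msiexec.exe"),
    FileEvent(datetime(2026, 6, 17, 8, 0), "ws02", "vendor.msi",
              "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "a" * 40, "c" * 32, "msiexec.exe"),
    FileEvent(datetime(2026, 6, 17, 7, 0), "ws03", "notes.txt", "d" * 64, "e" * 40, "f" * 32, "notepad.exe"),
]
```

Note that the exclusion keys on the verified package hash itself, so a ZynorRAT hash dropped by msiexec.exe is still reported; excluding on the initiating process name alone would hide it.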