{
	"id": "c91d14a0-dd48-4b5c-92e5-c602bde66e1c",
	"created_at": "2026-04-06T00:11:07.986396Z",
	"updated_at": "2026-04-10T13:12:52.099618Z",
	"deleted_at": null,
	"sha1_hash": "4dd685c2c16eb622ffdd036f7e557066f4cc004b",
	"title": "ZIP files, make it bigger to avoid EDR detection - Gatewatcher",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 257447,
	"plain_text": "ZIP files, make it bigger to avoid EDR detection - Gatewatcher\r\nArchived: 2026-04-05 22:37:12 UTC\r\nOur Purple Team analysts have spotted a number of anomalies concerning zip files. ZIP is a file format for archiving and losslessly compressing data. These files attracted our attention because their decompressed contents were abnormally large compared to the size of the zip archive, which can indicate the presence of malware.\r\nIn this example, the zip file is 2.5 MB in size, and the unzipped malware is 2.1 GB. After some research on VT (VirusTotal) and other tools, we decided to investigate further.\r\nThis article reports on what we found.\r\nZIP and its usefulness\r\nBefore any advanced analysis of this file and its contents, we first consider the expected compression ratio. For a PE file, the maximum compression ratio is around 50%. In other words, if we have a 1GB executable file and we compress it, we should end up with a zip file of around 500MB.\r\nFollowing this rule of proportionality, our zip archive should be around 1GB, which is absolutely not the case. Starting with a 2.1GB file and arriving at a 2.5MB zip archive, we obtain a compression ratio of 99%.\r\nIt appears that from this address onward, the file is padded with zero bytes up to its end. Once this padding has been identified, it can be removed, giving us a functional PE file of around 1 MB. The latter, once compressed into a zip file, is around 500KB, which confirms for this file the proportionality mentioned earlier.\r\nSo we have identified why the compression ratio was so high, but why would one need to artificially obtain such a high compression ratio?\r\nThe answer lies in the detection systems and their parameters.\r\nhttps://www.gatewatcher.com/en/lab/zip-files-make-it-bigger-to-avoid-edr-detection/\r\nPage 1 of 3\n\nAs the PE file in the zip is most likely malicious, this technique would allow it to slip through the net of most EDRs. EDRs have a default size “limit”: files larger than 1GB, or even 2GB in some cases, are not analyzed. This technique is not new, but it is resurfacing with the rise of EDRs, which are just one of the many layers in a company’s attack detection and incident response system.\r\nIdentity and main characteristics of the file\r\nOnce the file had been extracted and sent to various sandboxes, we were able to get a more precise idea of the PE file and what it was doing.\r\nThanks to our research, we can now say that we are dealing with an Asyncrat agent, a RAT (Remote Access Trojan) that can take control of a remote workstation via an encrypted connection and perform all kinds of malicious actions.\r\nFollowing our research and the various reports we were able to find on the subject, we identified the attacker’s command server.\r\nTo learn more about the infrastructure, we looked into the server in question.\r\nWhen looking for information on 45.81.243.217, we find a number of open ports and certificates. Let us take a look at the certificate with CN (Common Name) Asyncrat. This information allows us to conclude that Asyncrat embeds a certificate by default.\r\nThere are over 47,300 servers worldwide with the same certificate. As these servers use an Asyncrat certificate by default, it is more than likely that they are deployed by inexperienced attackers, or pentest teams, with a default configuration. This makes them particularly recognizable.\r\nZIP and padding, or how to avoid detection techniques?\r\nDuring our investigations, we documented the use of a detection evasion technique, padding, to artificially increase the size of the malware when decompressed.\r\nIn the course of our research into this malware, we identified it as a Trojan of the Asyncrat family. We also found the attacker’s command server, which lets them communicate with the implant. By following the certificate we discovered a number of servers administered by attackers with a configuration using an Asyncrat certificate.\r\nIOCs concerning the malware described and another malware using a similar padding technique:\r\nIOCs concerning Asyncrat’s infrastructure:\r\nSource: https://www.gatewatcher.com/en/lab/zip-files-make-it-bigger-to-avoid-edr-detection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.gatewatcher.com/en/lab/zip-files-make-it-bigger-to-avoid-edr-detection/"
	],
	"report_names": [
		"zip-files-make-it-bigger-to-avoid-edr-detection"
	],
	"threat_actors": [],
	"ts_created_at": 1775434267,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4dd685c2c16eb622ffdd036f7e557066f4cc004b.pdf",
		"text": "https://archive.orkl.eu/4dd685c2c16eb622ffdd036f7e557066f4cc004b.txt",
		"img": "https://archive.orkl.eu/4dd685c2c16eb622ffdd036f7e557066f4cc004b.jpg"
	}
}