MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04f692202efaca511b15aefa33daf5bea9287c8e8947fb62e92d3825e5ec04ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04f692202efaca511b15aefa33daf5bea9287c8e8947fb62e92d3825e5ec04ae
SHA3-384 hash: 1fbf6b4f13d94f5f66d2b688937e563d43cedfa57b4714b146d94f11231f1aea85beacc8dd1a7f855b273dc33ad0e6c7
SHA1 hash: 945b9bba996c54233daa15be3349441286b040cb
MD5 hash: 1ed9f9bb8c6f1d5c482b4bbf61cf8ee8
humanhash: avocado-wisconsin-ceiling-lion
File name:SecuriteInfo.com.Win64.PWSX-gen.15914.1593
Download: download sample
Signature zgRAT
Create hunting rule
File size:1'088'000 bytes
First seen:2023-11-17 11:29:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:BKoDXIOa8ymdLfTpg2H2j6QOsHEARhz0YYeqkkaNDd1:BaOtymdL792j63+1z0YYqR
Threatray 653 similar samples on MalwareBazaar
TLSH T1E435F117FAAA4EB0C6C91737C6EE52142774D782B293E70A398E13ED1803376EC25597
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter SecuriteInfoCom
Tags:exe zgRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
367
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/458938/
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.15914.1593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Restart of the analyzed sample
Creating a file
Creating a process from a recently created file
Launching a process
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/65574ebdfa405e75804c6ac3/reports/ef29e74f-3c4a-4f46-a0dc-58e698932765/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/04f692202efaca511b15aefa33daf5bea9287c8e8947fb62e92d3825e5ec04ae
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e2a81b15-070f-467b-9dc3-58010ec7eb4d
Result
Threat name:
Vidar, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1344086
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Set autostart key via New-ItemProperty Cmdlet
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Vidar
Yara detected Vidar stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1344086 Sample: SecuriteInfo.com.Win64.PWSX... Startdate: 17/11/2023 Architecture: WINDOWS Score: 100 65 t.me 2->65 67 fp2e7a.wpc.phicdn.net 2->67 69 fp2e7a.wpc.2be4.phicdn.net 2->69 81 Snort IDS alert for network traffic 2->81 83 Multi AV Scanner detection for domain / URL 2->83 85 Antivirus detection for URL or domain 2->85 87 12 other signatures 2->87 9 Eras.exe 3 2->9         started        12 yblrxbx.exe 2->12         started        16 SecuriteInfo.com.Win64.PWSX-gen.15914.1593.exe 3 2->16         started        18 9 other processes 2->18 signatures3 process4 dnsIp5 107 Antivirus detection for dropped file 9->107 109 Multi AV Scanner detection for dropped file 9->109 111 Machine Learning detection for dropped file 9->111 20 Eras.exe 2 9->20         started        75 t.me 149.154.167.99, 443, 49709 TELEGRAMRU United Kingdom 12->75 77 116.202.189.41, 443, 49715, 49718 HETZNER-ASDE Germany 12->77 55 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 12->55 dropped 57 C:\Users\user\AppData\...\softokn3[1].dll, PE32 12->57 dropped 59 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 12->59 dropped 63 10 other files (6 malicious) 12->63 dropped 113 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->113 115 Found many strings related to Crypto-Wallets (likely being stolen) 12->115 117 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 12->117 131 2 other signatures 12->131 23 conhost.exe 12->23         started        119 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->119 121 Modifies the context of a thread in another process (thread injection) 16->121 123 Injects a PE file into a foreign processes 16->123 25 SecuriteInfo.com.Win64.PWSX-gen.15914.1593.exe 6 16->25         started        79 213.139.207.234, 49734, 49745, 49759 SERVERHOSH-AS-APServerhoshInternetServiceNL Netherlands 18->79 61 C:\Users\user\AppData\Roaming\...\bbbc.exe, PE32 18->61 dropped 125 Suspicious powershell command line found 18->125 127 Creates autostart registry keys with suspicious names 18->127 129 Creates multiple autostart registry keys 18->129 28 powershell.exe 18->28         started        30 conhost.exe 18->30         started        32 WerFault.exe 18->32         started        34 17 other processes 18->34 file6 signatures7 process8 file9 89 Writes to foreign memory regions 20->89 91 Modifies the context of a thread in another process (thread injection) 20->91 93 Sample uses process hollowing technique 20->93 95 Injects a PE file into a foreign processes 20->95 36 MSBuild.exe 3 20->36         started        45 C:\Users\user\AppData\Local\...ras.exe, PE32+ 25->45 dropped 97 Creates multiple autostart registry keys 28->97 39 conhost.exe 28->39         started        signatures10 process11 signatures12 99 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 36->99 101 Modifies the context of a thread in another process (thread injection) 36->101 103 Injects a PE file into a foreign processes 36->103 105 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 36->105 41 MSBuild.exe 15 8 36->41         started        process13 dnsIp14 71 185.196.9.161, 49705, 49711, 49724 SIMPLECARRIERCH Switzerland 41->71 73 80.85.241.193, 49704, 49706, 49707 MEDIAL-ASRU Russian Federation 41->73 47 C:\Users\user\AppData\Local\...\zfnvhynq.exe, PE32 41->47 dropped 49 C:\Users\user\AppData\Local\...\yblrxbx.exe, PE32 41->49 dropped 51 C:\Users\user\AppData\Local\...\xvquirn.exe, PE32 41->51 dropped 53 3 other malicious files 41->53 dropped file15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/04f692202efaca511b15aefa33daf5bea9287c8e8947fb62e92d3825e5ec04ae
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04f692202efaca511b15aefa33daf5bea9287c8e8947fb62e92d3825e5ec04ae/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-11-16 19:10:06 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
14 of 23 (60.87%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=at3jeibo7lffcgyvv35dhwxvx2usq7eorfd7wyxjfu4clzpmasxa._file
Verdict:
malicious
Similar samples:
04f692202efaca511b15aefa33daf5bea9287c8e8947fb62e92d3825e5ec04ae
zgRAT
646b832c7b5c5245cfeece67567c8a6181e44595e54fc8e28ce6aa5b7350ea46
zgRAT
acc856cd5bbff56054c263244867b8fcebc9e81899ba7ec83a243364f71d7137
zgRAT
b6b0d6b91bb76f5a9b270d15326ddb9fe5dd2be82e89f095e95be2ddc9b925f0
zgRAT
f12c01c92c77f32cfff5d3416cf90449b41fae3d885c04a6992b154a1da745ba
zgRAT
+ 643 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat discovery rat spyware stealer
Link:
https://tria.ge/reports/231117-nl53zsha36/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Reads data files stored by FTP clients
Downloads MZ/PE file
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
04f692202efaca511b15aefa33daf5bea9287c8e8947fb62e92d3825e5ec04ae
MD5 hash:
1ed9f9bb8c6f1d5c482b4bbf61cf8ee8
SHA1 hash:
945b9bba996c54233daa15be3349441286b040cb
Link:
https://www.unpac.me/results/4ab6e525-d550-4960-aac5-ce020e254fa0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/04f692202efaca511b15aefa33daf5bea9287c8e8947fb62e92d3825e5ec04ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

Executable exe 04f692202efaca511b15aefa33daf5bea9287c8e8947fb62e92d3825e5ec04ae

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/458938/
  
URLhaus
https://urlhaus.abuse.ch/url/2731419/
  
Delivery method
Distributed via web download

Comments