MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09ceeefd3297e4ec6e500bb98bc0c8472f0e995834cba8a9673eeafd26117cff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

zgRAT

Vendor detections: 10

SHA256 hash: 09ceeefd3297e4ec6e500bb98bc0c8472f0e995834cba8a9673eeafd26117cff
SHA3-384 hash: fda1ceae33300a2c3fed8688f34bf7b420a96c8f721bbbeb8502a4fff773977b46d7a10396d0df6c22d98d855bca5f90
SHA1 hash: 101956cf564c0d23fdabcc60f7afc0d879cd2d08
MD5 hash: 787b4125660d64a6865c5b5ffef6e192
humanhash: lima-fix-california-wyoming
File name: injector resou_nls..scr (the underscore marks the position of U+202E RIGHT-TO-LEFT OVERRIDE in the original name, visible as %E2%80%AE in the source URL listed under Vendor Threat Intelligence; rendered left-to-right, the name appears to end in .sln while the real extension is .scr, a PE that Windows executes as a screensaver)
Signature: zgRAT
File size: 54'872 bytes
First seen: 2024-01-03 08:15:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (49'075 x AgentTesla, 20'033 x Formbook, 12'353 x SnakeKeylogger; this is the import hash shared by .NET executables whose only PE import is mscoree.dll!_CorExeMain, so it does not discriminate between .NET families)
ssdeep: 384:+hWFNiTzJhM4mWDXzuHRN7rpb045DNR9zO0q:7FNKz/Jbza1b9z
TLSH: T17E33FB4A6AE04832DDBB99BE6377A3F11BAC1F82685CE01517D07239663D2C27D10F39
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 8213013131341131 (10 x AsyncRAT, 4 x zgRAT, 1 x RedLineStealer)
Reporter: tcains1
Tags: exe zgRAT
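The imphash above matches tens of thousands of samples from three unrelated families because nearly every .NET executable has a single PE import, _CorExeMain from mscoree.dll; the rest of its dependencies live in CLI metadata that imphash never sees. The script below is an added illustration, not MalwareBazaar or vendor code: it re-implements pefile's imphash construction over constructed import tables to show why all .NET samples collide on this value and why ssdeep, TLSH, the icon dhash or the extracted C2 are the pivots to use for a sample like this one. The import tables (DOTNET_ONLY, NATIVE_INJECTOR) and helper names are assumptions made for the example.

```python
import hashlib

# Assumption for the example: the import hash as pefile computes it (the value
# MalwareBazaar and VirusTotal display). Library names are lower-cased and stripped
# of .dll/.ocx/.sys, function names are lower-cased, unnamed imports become ord<N>
# (pefile additionally resolves known ws2_32/oleaut32 ordinals to names, which this
# simplified version does not), entries are joined with commas in import-table
# order and MD5-hashed.
def imphash(imports):
    """imports: list of (dll_name, function_name_or_ordinal) in import-table order."""
    entries = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        entries.append(f"{lib}.{name}")
    return hashlib.md5(",".join(entries).encode("ascii")).hexdigest()

# The value shown on this MalwareBazaar entry.
PAGE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"

# Constructed import tables (assumptions for the example, not extracted from the sample).
# A .NET assembly's PE import table holds one stub import for the CLR loader; every
# other dependency is resolved through metadata and is invisible to imphash.
DOTNET_ONLY = [("mscoree.dll", "_CorExeMain")]
DOTNET_OTHER_BUILD = [("MSCOREE.DLL", "_CorExeMain")]   # different casing, same hash
# A native injector with the classic OpenProcess/VirtualAllocEx/WriteProcessMemory/
# CreateRemoteThread sequence plus one import by ordinal.
NATIVE_INJECTOR = [
    ("KERNEL32.dll", "OpenProcess"),
    ("KERNEL32.dll", "VirtualAllocEx"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("KERNEL32.dll", "CreateRemoteThread"),
    ("WS2_32.dll", 23),
]

def is_generic_dotnet_imphash(value):
    """True when the imphash is the one shared by practically every .NET EXE, i.e.
    it cannot serve as a pivot on its own."""
    return value.lower() == imphash(DOTNET_ONLY)

def pivot_advice(value):
    """Which feature to pivot on for a sample carrying this imphash."""
    if is_generic_dotnet_imphash(value):
        return "generic .NET imphash: pivot on ssdeep/TLSH, icon dhash or extracted config instead"
    return "imphash is specific enough to pivot on (confirm with a second feature)"

if __name__ == "__main__":
    print("page imphash equals mscoree-only table:", imphash(DOTNET_ONLY) == PAGE_IMPHASH)
    print("native injector imphash:", imphash(NATIVE_INJECTOR))
    print(pivot_advice(PAGE_IMPHASH))
```

Import order matters to the hash (swapping two entries changes it), which is why imphash works for native families that share a compiler and linker order and fails for .NET, where the one-entry table is identical regardless of the source.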

Intelligence

File Origin
# of uploads: 1
# of downloads: 341
Origin country: US

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: https://raw.githubusercontent.com/sdtam2/Game-Vone-Dll-Injector-Vanguard-Eac-Be/main/Injector/injector%20Resou%E2%80%AEnls..scr
(%E2%80%AE is the percent-encoded U+202E RIGHT-TO-LEFT OVERRIDE; characters after it render reversed, so the .scr file displays as if it ended in .sln)
Verdict: No threats detected
Analysis date: 2024-01-03 08:09:36 UTC
Tags: n/a
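The source URL above carries U+202E RIGHT-TO-LEFT OVERRIDE between "Resou" and "nls..scr". On a left-to-right desktop everything after that code point is drawn reversed, so the file the user sees is "injector Resourcs..sln" while the bytes on disk end in ".scr", a PE format Windows runs directly; this is the masquerade the sandbox results below tag, and the reason MalwareBazaar shows the character as an underscore in its File name field. The check below is an added example, not MalwareBazaar code: it percent-decodes the URL's last path segment, flags bidi and other invisible format characters, and reports the real versus apparent extension. The rendering approximation, the EXECUTABLE_EXTENSIONS list and the function names are assumptions of the example.

```python
import unicodedata
from urllib.parse import unquote, urlsplit

# Unicode bidi controls that change how a name is displayed without changing its bytes.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
# Extensions Windows executes directly (assumption of the example; extend as needed).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
                         ".js", ".jse", ".vbs", ".vbe", ".hta", ".msi", ".lnk"}

# Source URL listed on this entry under Vendor Threat Intelligence.
SOURCE_URL = ("https://raw.githubusercontent.com/sdtam2/Game-Vone-Dll-Injector-Vanguard-Eac-Be/"
              "main/Injector/injector%20Resou%E2%80%AEnls..scr")

def basename_from_url(url):
    """Last path segment of a URL, percent-decoded, so %E2%80%AE becomes U+202E."""
    return unquote(urlsplit(url).path.rsplit("/", 1)[-1])

def rendered(name):
    """Approximate how a left-to-right UI shows a name containing one RLO: the text
    after U+202E is displayed reversed. Real renderers follow UAX #9 (mirroring,
    neutral resolution); this approximation is enough to show what a user sees in
    Explorer or a browser download list."""
    head, sep, tail = name.partition("\u202e")
    return head + tail[::-1] if sep else name

def extension(name):
    """Lower-cased final extension, or '' when there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""

def inspect_filename(name):
    """Report invisible format controls, the real extension and the one the user sees."""
    controls = [(i, BIDI_CONTROLS.get(c, unicodedata.name(c, "UNKNOWN")))
                for i, c in enumerate(name)
                if c in BIDI_CONTROLS or unicodedata.category(c) == "Cf"]
    shown = "".join(c for c in rendered(name) if c not in BIDI_CONTROLS)
    true_ext = extension("".join(c for c in name if c not in BIDI_CONTROLS))
    apparent_ext = extension(shown)
    if controls and true_ext != apparent_ext and true_ext in EXECUTABLE_EXTENSIONS:
        verdict = "extension_masquerade"
    elif controls:
        verdict = "format_control_present"
    else:
        verdict = "ok"
    return {"name": name, "has_bidi": bool(controls), "controls": controls,
            "rendered": shown, "true_extension": true_ext,
            "apparent_extension": apparent_ext, "verdict": verdict}

if __name__ == "__main__":
    result = inspect_filename(basename_from_url(SOURCE_URL))
    print(f"on disk  : {result['name']!r} -> {result['true_extension']}")
    print(f"displayed: {result['rendered']!r} -> {result['apparent_extension']}")
    print(result["verdict"], result["controls"])
```

Run this over attachment names at the mail gateway or over download events: a name whose real extension is executable but whose displayed extension is not is a strong signal on its own, independent of any AV verdict (the first vendor above reported "No threats detected" on the file content).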

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Running batch commands
Creating a file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Creating a window
Searching for the window
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin masquerade overlay packed redcap replace
Result
Threat name:
AsyncRAT, Clipboard Hijacker, zgRAT
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops PE files to the startup folder
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Set autostart key via New-ItemProperty Cmdlet
Snort IDS alert for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected Clipboard Hijacker
Yara detected Generic Downloader
Yara detected MSILDownloaderGeneric
Yara detected zgRAT
Behaviour
Behavior Graph (ID 1369165; sample injector_resou_nls..scr.exe; start date 03/01/2024; architecture WINDOWS; score 100), recovered from the graph image as text:

Network:
  rentry.co -> 192.99.247.115 (OVHFR, Canada), contacted by the sample process
  cdn.discordapp.com -> 162.159.134.233 (CLOUDFLARENETUS, United States), contacted by the sample process
  chrome.cloudflare-dns.com, resolved at start
  162.159.133.233 (CLOUDFLARENETUS, United States), contacted by a powershell.exe instance that drops U73b.exe
  46.1.103.124 (MILLENICOM-ASDE, Turkey), contacted by RegAsm.exe spawned by HBGE3.exe

Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures

Process tree:
  injector_resou_nls..scr.exe
    drops C:\Users\user\AppData\...\xxhfluu204.exe, C:\Users\user\AppData\...\seyvfxb3jt.exe, C:\Users\user\AppData\...\ld3afx0a33.exe (all PE32) and 4 other malicious files
    cmd.exe (+ conhost.exe) -> ld3afx0a33.exe (Multi AV Scanner detection for dropped file; Encrypted powershell cmdline option found)
      powershell.exe (+ conhost.exe; Suspicious execution chain found; Powershell drops PE file) drops C:\Users\user\AppData\Local\Temp\HBGE3.exe
        HBGE3.exe (Antivirus and Multi AV Scanner detection for dropped file; Suspicious powershell command line found; Tries to detect sandboxes and other dynamic analysis tools) drops C:\Users\user\AppData\Roaming\F2g3\F2g3.exe
          powershell.exe (+ conhost.exe; Creates multiple autostart registry keys)
          RegAsm.exe -> 46.1.103.124 (MILLENICOM-ASDE, Turkey)
          cmd.exe (+ conhost.exe) -> schtasks.exe
    cmd.exe (+ conhost.exe) -> seyvfxb3jt.exe
      powershell.exe drops C:\Users\user\AppData\Local\Temp\4HBDD.exe
        2 other processes (Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes) drop a PE32 under C:\Users\user\AppData\Roaming (file name garbled in the extracted graph, ends in bn1.exe) and start powershell.exe (+ conhost.exe), cmd.exe (+ conhost.exe), RegAsm.exe
    cmd.exe (+ conhost.exe) -> 3yrznkbwt2.exe (drops C:\Users\user\AppData\...\WinrarServicer.exe; Antivirus detection for dropped file; Suspicious powershell command line found; Machine Learning detection for dropped file; 2 other signatures)
      powershell.exe (+ conhost.exe; Creates multiple autostart registry keys; Potential dropper URLs found in powershell memory)
      3yrznkbwt2.exe drops C:\Users\user\...\Microsoft.NET Framework.exe
      cmd.exe -> 2 other processes
    5 other processes (Uses schtasks.exe or at.exe to add and modify task schedules)
      ij4x0a3mzc.exe -> powershell.exe drops C:\Users\user\AppData\Local\Temp\3HBDD.exe
        2 other processes (Creates multiple autostart registry keys) drop C:\Users\user\AppData\...\dCKYiBXBrf.exe -> 3HBDD.exe
      xxhfluu204.exe -> powershell.exe drops C:\Users\user\AppData\Local\Temp\2HBGE3.exe
        2 other processes (Detected unpacking (changes PE section rights); Machine Learning detection for dropped file) -> InstallUtil.exe
      7 other processes
        powershell.exe (+ conhost.exe) drops C:\Users\user\AppData\Local\Temp\U73b.exe and contacts 162.159.133.233
        powershell.exe (+ conhost.exe) drops C:\Users\user\AppData\Local\Temp\5HBDD.exe
  F2g3.exe (Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes) -> RegAsm.exe
  F2g3.exe (Injects a PE file into a foreign processes) -> 2 other processes
  5 other processes -> WinrarServicer.exe, WinrarServicer.exe, 3 other processes
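The chain in the graph above is the same one the signature list names: cmd.exe launching a PE dropped under AppData, PowerShell with an encoded command line that sets an autostart value ("Encrypted powershell cmdline option found", "Sigma detected: Set autostart key via New-ItemProperty Cmdlet"), schtasks.exe pointing at a binary in AppData ("Uses schtasks.exe or at.exe ..."), and RegAsm.exe or InstallUtil.exe spawned from AppData as the injection host that finally talks to 46.1.103.124 ("Injects a PE file into a foreign processes"). The script below is an added example, not a vendor or MalwareBazaar rule, of how those four checks look as logic over process-creation telemetry. The ProcEvent record, the SAMPLE_EVENTS list (constructed to mirror the graph, with a benign control process), the USER_WRITABLE pattern and the rule names are assumptions of the example.

```python
import base64
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (constructed; modelled on Sysmon Event ID 1)."""
    pid: int
    ppid: int
    image: str
    cmdline: str

# Paths a non-admin user can write to; malware in this chain lives here exclusively.
USER_WRITABLE = re.compile(r"(?i)\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Temp\\")
# .NET framework utilities commonly hollowed to host an injected RAT payload.
HOLLOW_TARGETS = ("regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe")

def decode_encoded_powershell(cmdline):
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = re.search(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyze(events):
    """Apply the four chain checks; returns sorted (pid, rule_name) pairs."""
    by_pid = {e.pid: e for e in events}
    hits = set()
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        pname = basename(parent.image) if parent else ""
        # 1. Encoded PowerShell, and within it a New-ItemProperty on a Run key.
        decoded = decode_encoded_powershell(e.cmdline) if name in ("powershell.exe", "pwsh.exe") else None
        if decoded:
            hits.add((e.pid, "encoded_powershell"))
            if re.search(r"(?i)new-itemproperty.*currentversion\\run", decoded):
                hits.add((e.pid, "autostart_run_key"))
        # 2. schtasks /create whose action lives in a user-writable directory.
        if name == "schtasks.exe" and re.search(r"(?i)/create", e.cmdline) and USER_WRITABLE.search(e.cmdline):
            hits.add((e.pid, "schtasks_user_dir"))
        # 3. A binary in %TEMP%/AppData launched by a shell or PowerShell (dropper -> payload).
        if USER_WRITABLE.search(e.image) and pname in ("cmd.exe", "powershell.exe", "pwsh.exe"):
            hits.add((e.pid, "dropped_pe_executed"))
        # 4. A .NET utility spawned by a binary in a user-writable path: hollowing host.
        if name in HOLLOW_TARGETS and parent and USER_WRITABLE.search(parent.image):
            hits.add((e.pid, "hollowing_host_spawned"))
    return sorted(hits)

# Constructed telemetry mirroring the graph above; paths and names are assumptions.
AUTOSTART_PS = (r"New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' "
                r"-Name F2g3 -Value 'C:\Users\user\AppData\Roaming\F2g3\F2g3.exe'")
ENC = base64.b64encode(AUTOSTART_PS.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    ProcEvent(1, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2, 1, r"C:\Users\user\Downloads\injector resou_nls..scr", r'"C:\Users\user\Downloads\injector resou_nls..scr" /S'),
    ProcEvent(3, 2, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\ld3afx0a33.exe"'),
    ProcEvent(4, 3, r"C:\Users\user\AppData\Local\Temp\ld3afx0a33.exe", "ld3afx0a33.exe"),
    ProcEvent(5, 4, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", f"powershell.exe -nop -w hidden -enc {ENC}"),
    ProcEvent(6, 4, r"C:\Windows\System32\schtasks.exe", r'schtasks.exe /create /f /sc minute /mo 1 /tn F2g3 /tr "C:\Users\user\AppData\Roaming\F2g3\F2g3.exe"'),
    ProcEvent(7, 1, r"C:\Users\user\AppData\Roaming\F2g3\F2g3.exe", "F2g3.exe"),
    ProcEvent(8, 7, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "RegAsm.exe"),
    ProcEvent(9, 1, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign control
]

if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(pid, rule)
```

Rule 3 deliberately ignores a user double-clicking a file in Downloads (explorer.exe parent); it fires only when a shell or PowerShell that was itself part of the chain launches the dropped binary, which is what separates the sandbox trace above from ordinary user activity.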
Threat name:
ByteCode-MSIL.Trojan.Zilla
Status:
Malicious
First seen:
2023-12-30 16:33:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
25 of 36 (69.44%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
Score:
  10/10
Tags:
family:asyncrat family:zgrat botnet:winlogoewg botnet:winlozb rat
Behaviour
Creates scheduled task(s)
Enumerates processes with tasklist
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Downloads MZ/PE file
Async RAT payload
AsyncRat
Detect ZGRat V1
ZGRat
Malware Config
C2 Extraction:
46.1.103.124:2341
46.1.103.124:9371
Unpacked files
SHA256 hash:
09ceeefd3297e4ec6e500bb98bc0c8472f0e995834cba8a9673eeafd26117cff
MD5 hash:
787b4125660d64a6865c5b5ffef6e192
SHA1 hash:
101956cf564c0d23fdabcc60f7afc0d879cd2d08
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: zgRAT
File type: Executable exe
SHA256: 09ceeefd3297e4ec6e500bb98bc0c8472f0e995834cba8a9673eeafd26117cff (this sample)

Comments