MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d4d15a76dd432ca5d062ffc6fab045e07c1944d5f24c6f42c500685611476bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d4d15a76dd432ca5d062ffc6fab045e07c1944d5f24c6f42c500685611476bf
SHA3-384 hash: bc00178bf6aabd247e939edc8ce1242b2d99b4c9ef7d13fcf3ff3ee0bcf8a708ee0da8e6daa00d1191d868252847a1e5
SHA1 hash: bcfde5981cf564329d0185855d884c8e5ecb7f5e
MD5 hash: f067a7a3e811269190110cf19310c60c
humanhash: princess-black-green-fifteen
File name:Photoshop2023InstaI_debloated.exe
Download: download sample
Signature zgRAT
Create hunting rule
File size:14'596'096 bytes
First seen:2023-02-06 04:23:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 98304:iMc/pnlos7z1pNe5WVp9vLFiU1j/GIZG+gkjfd52FP7ldXS8ZZlF4K22Fs0Z8g8X:Fc/5lo60MJx/tVdcjldzZiKbZPV
Threatray 631 similar samples on MalwareBazaar
TLSH T15DE63A4BA6C68E92C7602B3BC1AA810987D5D7A02707E32BDD5F131B1E53B7D74861E3
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 70f0c9e0dcd8d8de (3 x RedLineStealer, 2 x CoinMiner, 2 x DCRat)
Reporter x3ph1
Tags:exe Racoon recordbreaker zgRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Photoshop2023InstaI_debloated.exe
Verdict:
Malicious activity
Analysis date:
2023-02-06 04:25:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8128f5b2-09d6-4b04-b3dd-86502f1a7a50

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed packed
Link:
https://www.filescan.io/uploads/63e080e589bd67c10fdcb522/reports/748ce486-75fd-4ccf-a3e3-52db74a1b866/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/0d4d15a76dd432ca5d062ffc6fab045e07c1944d5f24c6f42c500685611476bf
Result
Verdict:
MALICIOUS
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d0189196-68c7-4f8b-b0df-6da672605679
Result
Threat name:
Raccoon Stealer v2, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1166242
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Raccoon Stealer v2
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 799013 Sample: Photoshop2023InstaI_debloated.exe Startdate: 06/02/2023 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus detection for URL or domain 2->43 45 6 other signatures 2->45 7 Photoshop2023InstaI_debloated.exe 3 2->7         started        process3 file4 19 C:\...\Photoshop2023InstaI_debloated.exe.log, CSV 7->19 dropped 47 Writes to foreign memory regions 7->47 49 Injects a PE file into a foreign processes 7->49 11 RegAsm.exe 24 7->11         started        signatures5 process6 dnsIp7 29 45.15.156.50, 49719, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 11->29 31 104.193.254.97, 49722, 80 HOSTING-SOLUTIONSUS United States 11->31 21 C:\Users\user\AppData\Local\...\KY5Tqd4j.exe, PE32+ 11->21 dropped 23 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 11->23 dropped 25 C:\Users\user\AppData\LocalLow\softokn3.dll, PE32 11->25 dropped 27 5 other files (3 malicious) 11->27 dropped 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 53 Tries to steal Crypto Currency Wallets 11->53 55 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 11->55 16 KY5Tqd4j.exe 2 11->16         started        file8 signatures9 process10 signatures11 33 Antivirus detection for dropped file 16->33 35 Multi AV Scanner detection for dropped file 16->35 37 Machine Learning detection for dropped file 16->37
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d4d15a76dd432ca5d062ffc6fab045e07c1944d5f24c6f42c500685611476bf/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-02-06 04:24:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
9 of 26 (34.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bvgrlj3n2qzmuxigf76g7kyelyd4dfcnl4smn5bmkadikyiuo27q._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
19ef515572e854be0638523790c2f83ab245178b3c27746dc9f9b04c1c1319b2
zgRAT
23b137ce3bf552461beac7baf3a449a620010feac5cf69a1864e40b5efa04c2d
zgRAT
47f55d901f3a0fcc649afa6e44bd4307fffd877ac92a33fde21992a93e54b27d
zgRAT
5ef4fd560a82075638665b526a2b687ebc5c647a0ba0781b8566433f63c71f5f
zgRAT
c7d3d775fda24b3244022a1488315c51a55d54e155b8e788583c0d50a4a9f5e9
zgRAT
fa5ac27700f443ba8bc0509f2ce8c1c0be408e3dbca55a07de27f7d1bcb5de16
zgRAT
+ 621 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230206-e1dslsca88/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
.NET Reactor proctector
Unpacked files
SH256 hash:
f2cde4100fdbb5841b0f68e1c5dbba912b38478e64698c0238edb62415d1ad70
MD5 hash:
3e2fd3c6aef426ee110e27a2a0ce1f8b
SHA1 hash:
35966d13bbfbe4a85478343b35d1b4d5297fcbd1
Link:
https://www.unpac.me/results/638eb2e1-e714-4c96-9686-2b62f134cd8e/
SH256 hash:
015466aa457025b07ba46cd7d1b3b73067a0304d02a0ca953be47de8713e8ff6
MD5 hash:
96d0baf48ec7e1a6555fc318fb1e7855
SHA1 hash:
19397618b764f81519e6a9cbac0cf68b3b357a46
Link:
https://www.unpac.me/results/638eb2e1-e714-4c96-9686-2b62f134cd8e/
SH256 hash:
0d4d15a76dd432ca5d062ffc6fab045e07c1944d5f24c6f42c500685611476bf
MD5 hash:
f067a7a3e811269190110cf19310c60c
SHA1 hash:
bcfde5981cf564329d0185855d884c8e5ecb7f5e
Link:
https://www.unpac.me/results/638eb2e1-e714-4c96-9686-2b62f134cd8e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/0d4d15a76dd432ca5d062ffc6fab045e07c1944d5f24c6f42c500685611476bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_zgRAT
Create hunting rule
Author:ditekSHen
Description:Detects zgRAT
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments