MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e7db2246bd22d301a88bda71ad3f9f60455eeb9761e787ae9be5cbcda74c348. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e7db2246bd22d301a88bda71ad3f9f60455eeb9761e787ae9be5cbcda74c348
SHA3-384 hash: 896e306bab4072b8ab0b56bb0cc342e43077e5c234e756781801766789f6af51da2a64fa598dbed152b4a597f97480b5
SHA1 hash: a3d8e6c339ba9d0db1249f25374b3deb7b876979
MD5 hash: 6416792070e7b43ed911608ee1e3b527
humanhash: failed-foxtrot-juliet-montana
File name:SecuriteInfo.com.Trojan.MSIL.zgRAT.Heur.12729.4854
Download: download sample
Signature zgRAT
Create hunting rule
File size:6'095'224 bytes
First seen:2024-02-05 18:25:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'795 x AgentTesla, 19'692 x Formbook, 12'274 x SnakeKeylogger)
ssdeep 98304:Z9nO2MAlzxpHoHSUO6JncA5gjAKWofCfbFTP:Z9O2DWXqAKWICTlP
Threatray 7 similar samples on MalwareBazaar
TLSH T178568C0277918E53C63B1F32E493505043B5ED9B6F63E38B238262AD28733D95D5E29E
TrID 32.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
25.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
19.1% (.EXE) InstallShield setup (43053/19/16)
7.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.6% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon b4a49898988cc484 (1 x zgRAT)
Reporter SecuriteInfoCom
Tags:exe zgRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
338
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
zgRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/474775/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.zgRAT.Heur.12729.4854.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
explorer lolbin lumma masquerade net overlay packed
Link:
https://www.filescan.io/uploads/65c12842a317adb74262ec90/reports/1a224dfc-abfc-4750-adda-df976d1dcce4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/0e7db2246bd22d301a88bda71ad3f9f60455eeb9761e787ae9be5cbcda74c348
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e41fb34d-a39c-45f0-985f-c47207bc0f4a
Result
Threat name:
LummaC, PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1387056
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Malicious sample detected (through community Yara rule)
Sigma detected: Silenttrinity Stager Msbuild Activity
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0e7db2246bd22d301a88bda71ad3f9f60455eeb9761e787ae9be5cbcda74c348
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e7db2246bd22d301a88bda71ad3f9f60455eeb9761e787ae9be5cbcda74c348/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2024-02-05 18:26:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
135
AV detection:
14 of 24 (58.33%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bz63ejdl2iwtaguixwtrvu7z6ycfl3vzoyphq6xjxzolzwtuynea._file
Verdict:
malicious
Similar samples:
0e7db2246bd22d301a88bda71ad3f9f60455eeb9761e787ae9be5cbcda74c348
zgRAT
2d2f656317223a5ecdfc5378e5db2b4268b08917903d3a6d03691943fdd96819
zgRAT
7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e
zgRAT
c0d7231617470901a6047d790b9935ae087658d6805544c9ee4ce3f09efb055d
zgRAT
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:zgrat rat stealer
Link:
https://tria.ge/reports/240205-w269zsdhd2/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Detect ZGRat V1
Lumma Stealer
ZGRat
Malware Config
C2 Extraction:
https://pavementpreferencewjiao.site/api
Unpacked files
SH256 hash:
605ffc9a60adf12ffc6c113454743c4555e5652671d691fe7df54a553aaec9a3
MD5 hash:
60bfaa2026bcebb9cdf041c4e9122293
SHA1 hash:
662e5ad170f9dbbd0da010fd7c1867bfbd1aa07a
Link:
https://www.unpac.me/results/16d9fe8c-7545-41e8-8a69-5cb9d4279a59/
SH256 hash:
63366bb58836a4d9fc6a7fb5632ce6aeb52fd2ec57ea5d766b27bfedf7b7deee
MD5 hash:
a6810a5899b5a89ee483c9e94dacb015
SHA1 hash:
c787d081f7534936636b17d94ecee651fd64fdac
Link:
https://www.unpac.me/results/16d9fe8c-7545-41e8-8a69-5cb9d4279a59/
SH256 hash:
7ea5b89792c6e596a4fb70e27d04aec88a0eb7792a48e00749df374687e2dc5c
MD5 hash:
05704afcc1e8880edc8656fa2ee68794
SHA1 hash:
c110ff8324e5fb0da3184de5037b4fe97ffc0d3d
Link:
https://www.unpac.me/results/16d9fe8c-7545-41e8-8a69-5cb9d4279a59/
SH256 hash:
6a26df7ee49de6fec6c5de1f3f7a94075d2dfbc50922e3b30fd8111f2e734f33
MD5 hash:
f45c1512d5a47375e6e396b4d1111e58
SHA1 hash:
8af036b8c60d10e85cf82212930bb04bc0553f36
Link:
https://www.unpac.me/results/16d9fe8c-7545-41e8-8a69-5cb9d4279a59/
SH256 hash:
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
MD5 hash:
544cd51a596619b78e9b54b70088307d
SHA1 hash:
4769ddd2dbc1dc44b758964ed0bd231b85880b65
Link:
https://www.unpac.me/results/16d9fe8c-7545-41e8-8a69-5cb9d4279a59/
SH256 hash:
ee5d8d19b12e43459490c9c27024416c670a133fc3f1972fc8f24c6f2b80544c
MD5 hash:
2a3d628b8e04f48a8aea26a687cdc545
SHA1 hash:
e44b4764e00b4e3607f226ab0388403ee785e0bd
Link:
https://www.unpac.me/results/16d9fe8c-7545-41e8-8a69-5cb9d4279a59/
SH256 hash:
0e7db2246bd22d301a88bda71ad3f9f60455eeb9761e787ae9be5cbcda74c348
MD5 hash:
6416792070e7b43ed911608ee1e3b527
SHA1 hash:
a3d8e6c339ba9d0db1249f25374b3deb7b876979
Detections:
SUSP_NET_Msil_Suspicious_Use_StrReverse
Create hunting rule
MALWARE_Win_zgRAT
Create hunting rule
Link:
https://www.unpac.me/results/16d9fe8c-7545-41e8-8a69-5cb9d4279a59/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0e7db2246bd2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
zgRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e7db2246bd22d301a88bda71ad3f9f60455eeb9761e787ae9be5cbcda74c348

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MALWARE_Win_zgRAT
Create hunting rule
Author:ditekSHen
Description:Detects zgRAT
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:msil_suspicious_use_of_strreverse
Create hunting rule
Author:dr4k0nia
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_NET_Msil_Suspicious_Use_StrReverse
Create hunting rule
Author:dr4k0nia, modified by Florian Roth
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Reference:https://github.com/dr4k0nia/yara-rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

Executable exe 0e7db2246bd22d301a88bda71ad3f9f60455eeb9761e787ae9be5cbcda74c348

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2757169/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/474775/

Comments