MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 144c1d3420429517a83b91bc35424b519d2c79b7d9c78cfe14ad84b7ac7e2e87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 144c1d3420429517a83b91bc35424b519d2c79b7d9c78cfe14ad84b7ac7e2e87
SHA3-384 hash: e340376021515ce7435536f1fa6c0d55ad0aec83df86b501f8a5a6bf3be66443582960d543d42d99c4af7f7b70bf9778
SHA1 hash: 5c4d146316f45afe7193d45ceea6be614f672e9f
MD5 hash: 16c2d163dc4befc51cb1f9fff79176c6
humanhash: monkey-stairway-beer-washington
File name:16c2d163dc4befc51cb1f9fff79176c6.exe
Download: download sample
Signature zgRAT
Create hunting rule
File size:804'352 bytes
First seen:2023-01-13 16:51:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:oxk0NrbdBEh36KPSgUsHW3TkBzuEY8PBr38g1Y89+aWwmo3gb93Y1hksowuDZYky:ouscUWB7YOSggdwZwb9whksBuVjy
Threatray 707 similar samples on MalwareBazaar
TLSH T1C305F10BA7ECDBF3C0A3492219590DF2E102FD7F1B97591762A5FA1DD84E49C10B2636
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe zgRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
16c2d163dc4befc51cb1f9fff79176c6.exe
Verdict:
Malicious activity
Analysis date:
2023-01-13 16:56:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f8ef205a-514a-439d-a0cf-a0f382627571

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
zgRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/352677/
Detection(s):
SecuriteInfo.com.Variant.Lazy.285241.25719.1048.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process from a recently created file
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/63c18c33eceae563152cc7a3/reports/68eef4c8-52b7-43fd-99d3-cba4103ac93d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9773f4fd-e6eb-4d47-aa57-1cb45d44aa9c
Result
Threat name:
Clipboard Hijacker, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1151260
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Yara detected Costura Assembly Loader
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 783995 Sample: zSVNd714MM.exe Startdate: 13/01/2023 Architecture: WINDOWS Score: 100 33 Malicious sample detected (through community Yara rule) 2->33 35 Antivirus / Scanner detection for submitted sample 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 6 other signatures 2->39 8 zSVNd714MM.exe 3 2->8         started        12 oobeldr.exe 3 2->12         started        process3 file4 27 C:\Users\user\AppData\...\zSVNd714MM.exe.log, ASCII 8->27 dropped 41 Found evasive API chain (may stop execution after checking mutex) 8->41 43 Uses schtasks.exe or at.exe to add and modify task schedules 8->43 45 Injects a PE file into a foreign processes 8->45 47 Contains functionality to compare user and computer (likely to detect sandboxes) 8->47 14 zSVNd714MM.exe 2 8->14         started        49 Antivirus detection for dropped file 12->49 51 Multi AV Scanner detection for dropped file 12->51 53 Machine Learning detection for dropped file 12->53 17 oobeldr.exe 12->17         started        signatures5 process6 file7 29 C:\Users\user\AppData\Roaming\...\oobeldr.exe, PE32 14->29 dropped 31 C:\Users\user\...\oobeldr.exe:Zone.Identifier, ASCII 14->31 dropped 19 schtasks.exe 1 14->19         started        21 schtasks.exe 1 17->21         started        process8 process9 23 conhost.exe 19->23         started        25 conhost.exe 21->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/144c1d3420429517a83b91bc35424b519d2c79b7d9c78cfe14ad84b7ac7e2e87/
Threat name:
ByteCode-MSIL.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2023-01-13 16:52:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=crgb2nbaikkrpkb3sg6dkqslkgosy6nx3hdyz7quvwclpld6f2dq._file
Verdict:
malicious
Similar samples:
106e615cf4c53bf171b4dfc288bdddb82e3eddb407399bc18488cd2483f9d871
zgRAT
1136869b303bfb491fda58869c898c19d9086fe34fd752018e49804481c6fbb1
zgRAT
3d8df24ce7381b4dfbd331934ae68aa3c822ba8518ccd967b5b1697ee31dea29
zgRAT
6da6fa5a959ad50302b32db9fad3862abcbd0597402941d66935203300d52821
zgRAT
7965e9813714dba016ee3034616a12092c71818443a0c269d3ab8791b9883eec
zgRAT
98d78baf7a1ceff6ec4f3d2330a30075df9c461d03ceaac23c478112bb333d48
zgRAT
a13d5f2dedff839d945268116a3ba08cc0d5e17ed2b519477d118b447c02929f
zgRAT
c0a5183fb178f4734580069f8697419dd8883a88bf69e57a2edb109d15d5cc9d
zgRAT
d0d03da3e2d11c18da8588b4061ea885005160f3bfb0f30f62aa582285ed2e9f
zgRAT
eac172cbeaa29cd3fe3dc4980e58f9f3765644d484bd0bed19c61a2c42c515e0
zgRAT
+ 697 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230113-vdez6aed5y/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Unpacked files
SH256 hash:
31f2c87894dd6e82bea1d5cee8a01da3017c31e609b94601ff52d76d1a74cda1
MD5 hash:
48bba408c625a03790bfcc7c5bb31ef1
SHA1 hash:
0f3500aa665d868b5c917f3aed6d95dc8f1466c4
Link:
https://www.unpac.me/results/38bb10ea-6eb7-4808-ab7b-28d14b146eaa/
SH256 hash:
144c1d3420429517a83b91bc35424b519d2c79b7d9c78cfe14ad84b7ac7e2e87
MD5 hash:
16c2d163dc4befc51cb1f9fff79176c6
SHA1 hash:
5c4d146316f45afe7193d45ceea6be614f672e9f
Link:
https://www.unpac.me/results/38bb10ea-6eb7-4808-ab7b-28d14b146eaa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/144c1d3420429517a83b91bc35424b519d2c79b7d9c78cfe14ad84b7ac7e2e87

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

Executable exe 144c1d3420429517a83b91bc35424b519d2c79b7d9c78cfe14ad84b7ac7e2e87

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2506768/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/352677/

Comments