MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20b89a8296a96e52a88a481dfcc75233cc55a800eda489ff0a3adc978dba3c82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20b89a8296a96e52a88a481dfcc75233cc55a800eda489ff0a3adc978dba3c82
SHA3-384 hash: 299ba290f71efe6217c91e9fcb56f9de9d5e3e205b9b243c9f21d6fed416ef410e8fbe93edb441d93cc0c9d196a53f2f
SHA1 hash: eefee2367bff4605a644a6c5971ec72afd0a1298
MD5 hash: 4f17ae42ec9072ad980e3a141e0de8ec
humanhash: march-crazy-autumn-west
File name:4f17ae42ec9072ad980e3a141e0de8ec
Download: download sample
Signature zgRAT
Create hunting rule
File size:1'942'528 bytes
First seen:2024-03-18 07:12:22 UTC
Last seen:2024-03-18 09:26:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 24576:SCPOY+YZtr7iTac1Vqb8AGwJUHa2tZ3HNBRcDfGETf3XOiTX5ajXKoydFx5J5aSP:SCPj+Waac1FAq1HX6DfGETfnNXkb2rP
Threatray 21 similar samples on MalwareBazaar
TLSH T1FD95338058835AADC4DE0AB88FAED29383F31261B91D1C5EBBD976694F3F74C1637121
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter zbetcheckin
Tags:32 exe zgRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
350
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
20b89a8296a96e52a88a481dfcc75233cc55a800eda489ff0a3adc978dba3c82.exe
Verdict:
Malicious activity
Analysis date:
2024-03-18 07:38:13 UTC
Tags:
amadey botnet stealer loader lumma redline evasion exela python stealc risepro
Link:
https://app.any.run/tasks/54596f04-0187-45eb-a744-dce0c5e19632

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.11126.3471.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Launching a process
Creating a process from a recently created file
Moving a file to the Program Files subdirectory
Replacing files
Creating a process with a hidden window
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65f7e981757c624818b1f13c/reports/2fb3af3b-42dd-4da4-ae73-cf1629f5dbc4/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/20b89a8296a96e52a88a481dfcc75233cc55a800eda489ff0a3adc978dba3c82
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cb240079-6fb5-4307-8e80-8913444a26e5
Result
Threat name:
LummaC, Python Stealer, Amadey, LummaC S
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1410634
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Gathers network related connection and port information
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Capture Wi-Fi password
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Generic Python Stealer
Yara detected LummaC Stealer
Yara detected Monster Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1410634 Sample: EIrPdlD2lA.exe Startdate: 18/03/2024 Architecture: WINDOWS Score: 100 148 www.youtube.com 2->148 150 www.facebook.com 2->150 152 24 other IPs or domains 2->152 172 Snort IDS alert for network traffic 2->172 174 Multi AV Scanner detection for domain / URL 2->174 176 Found malware configuration 2->176 178 29 other signatures 2->178 11 explorgu.exe 3 54 2->11         started        16 random.exe 2->16         started        18 EIrPdlD2lA.exe 5 2->18         started        20 4 other processes 2->20 signatures3 process4 dnsIp5 164 185.215.113.32 WHOLESALECONNECTIONSNL Portugal 11->164 166 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 11->166 170 2 other IPs or domains 11->170 116 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 11->116 dropped 118 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 11->118 dropped 130 24 other malicious files 11->130 dropped 234 Antivirus detection for dropped file 11->234 236 Detected unpacking (changes PE section rights) 11->236 238 Tries to detect sandboxes and other dynamic analysis tools (window names) 11->238 254 3 other signatures 11->254 22 judith1234.exe 11->22         started        26 random.exe 11->26         started        29 osminog.exe 2 11->29         started        31 4 other processes 11->31 168 185.172.128.19 NADYMSS-ASRU Russian Federation 16->168 120 C:\Users\user\...\lxzikA5S_njL5Ux4Kfv_.exe, PE32 16->120 dropped 122 C:\Users\user\...\RwkV3wfCYHK7x4s1e2EH.exe, PE32 16->122 dropped 124 C:\Users\user\...\FOc0vko2dUQtUsbN6UWV.exe, PE32 16->124 dropped 132 5 other malicious files 16->132 dropped 240 Tries to steal Mail credentials (via file / registry access) 16->240 242 Tries to harvest and steal browser information (history, passwords, etc) 16->242 244 Tries to detect sandboxes / dynamic malware analysis system (registry check) 16->244 126 C:\Users\user\AppData\Local\...\explorgu.exe, PE32 18->126 dropped 246 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 18->246 248 Tries to evade debugger and weak emulator (self modifying code) 18->248 250 Tries to detect virtualization through RDTSC time measurements 18->250 128 C:\Users\user\...\iRNNsZVF8xpVqu0g4KzsAKD.zip, Zip 20->128 dropped 252 Machine Learning detection for dropped file 20->252 file6 signatures7 process8 dnsIp9 100 C:\Users\user\AppData\...\_quoting_c.pyd, PE32+ 22->100 dropped 102 C:\Users\user\AppData\...\vcruntime140.dll, PE32+ 22->102 dropped 104 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 22->104 dropped 112 32 other files (31 malicious) 22->112 dropped 204 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 22->204 33 stub.exe 22->33         started        160 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 26->160 162 db-ip.com 104.26.4.15 CLOUDFLARENETUS United States 26->162 106 C:\Users\user\...\uthWBx40H33YGq6qGJDP.exe, PE32 26->106 dropped 108 C:\Users\user\...\KE8cTMbT2lSGkunBos70.exe, PE32 26->108 dropped 110 C:\Users\user\...\Ivn61uyjzfQG7FkWXQWZ.exe, PE32 26->110 dropped 114 11 other malicious files 26->114 dropped 206 Detected unpacking (changes PE section rights) 26->206 208 Tries to steal Mail credentials (via file / registry access) 26->208 210 Creates multiple autostart registry keys 26->210 226 4 other signatures 26->226 38 schtasks.exe 26->38         started        50 3 other processes 26->50 212 Found many strings related to Crypto-Wallets (likely being stolen) 29->212 214 Contains functionality to inject code into remote processes 29->214 216 Writes to foreign memory regions 29->216 218 LummaC encrypted strings found 29->218 40 RegAsm.exe 29->40         started        42 conhost.exe 29->42         started        220 System process connects to network (likely due to code injection or exploit) 31->220 222 Allocates memory in foreign processes 31->222 224 Injects a PE file into a foreign processes 31->224 44 rundll32.exe 23 31->44         started        46 RegAsm.exe 31->46         started        48 chrome.exe 31->48         started        52 4 other processes 31->52 file10 signatures11 process12 dnsIp13 134 ip-api.com 208.95.112.1 TUT-ASUS United States 33->134 136 raw.githubusercontent.com 185.199.110.133 FASTLYUS Netherlands 33->136 146 2 other IPs or domains 33->146 98 C:\Users\user\AppData\Local\...\Monster.exe, PE32+ 33->98 dropped 180 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 33->180 182 Tries to harvest and steal browser information (history, passwords, etc) 33->182 184 Modifies the windows firewall 33->184 202 3 other signatures 33->202 54 cmd.exe 33->54         started        56 cmd.exe 33->56         started        58 cmd.exe 33->58         started        63 14 other processes 33->63 61 conhost.exe 38->61         started        138 resergvearyinitiani.shop 172.67.217.100 CLOUDFLARENETUS United States 40->138 186 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 40->186 188 Query firmware table information (likely to detect VMs) 40->188 190 Found many strings related to Crypto-Wallets (likely being stolen) 40->190 192 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 40->192 194 Tries to steal Instant Messenger accounts or passwords 44->194 196 Uses netsh to modify the Windows network and firewall settings 44->196 198 Tries to harvest and steal ftp login credentials 44->198 65 2 other processes 44->65 140 4.185.137.132 LEVEL3US United States 46->140 200 Tries to steal Crypto Currency Wallets 46->200 142 192.168.2.5 unknown unknown 48->142 144 239.255.255.250 unknown Reserved 48->144 68 2 other processes 48->68 71 2 other processes 50->71 73 2 other processes 52->73 file14 signatures15 process16 dnsIp17 75 systeminfo.exe 54->75         started        88 3 other processes 54->88 78 WMIC.exe 56->78         started        80 conhost.exe 56->80         started        228 Tries to harvest and steal WLAN passwords 58->228 90 2 other processes 58->90 82 conhost.exe 63->82         started        92 25 other processes 63->92 96 C:\Users\user\...\246122658369_Desktop.zip, Zip 65->96 dropped 84 conhost.exe 65->84         started        86 conhost.exe 65->86         started        154 www.youtube.com 68->154 156 www.facebook.com 68->156 158 8 other IPs or domains 68->158 file18 signatures19 process20 signatures21 230 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 75->230 94 WmiPrvSE.exe 75->94         started        232 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 78->232 process22
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/20b89a8296a96e52a88a481dfcc75233cc55a800eda489ff0a3adc978dba3c82
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/20b89a8296a96e52a88a481dfcc75233cc55a800eda489ff0a3adc978dba3c82/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2024-03-18 07:13:06 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ec4jvauwvfxffkekjao7zr2sgpgflkaa5wsit7ykhlojpdn2hsba._file
Verdict:
malicious
Similar samples:
37950119cdd0165154841c1fa0803dacccb63012561ea77cb11a787e2c0fa588
zgRAT
3c821865122401bed04e7f7d161cc2158ee65d4a3b707cd0de1c2e5ac29e756b
zgRAT
496278998f3dbc4bd9cc37ee7e9628cc7a8372f55cb65c5f143b6723bec46096
zgRAT
614ae605266b9829b5577ebd8562f5fadb2ef82337597d32e54c8ace9f1ea25c
zgRAT
842360492263c33b06bbe3d241a035b29bf29900066d29b3267f000eee07e6a2
zgRAT
a9e7826e1404e06fb6b073ff5e025313612b5aec22121aba299c72b86749e9bf
zgRAT
c9e1de1c6ddd3ffd9c87ebdbcf9bd5b7064af9f60f650ae50573b05a49af8327
zgRAT
d30b5b0e8c5a0e5dd3c4191e05aacf42c4e46781872097f7acb2f148539e174b
zgRAT
dfa384f6136c43639f6c66766ca81c245e65a70fcf92015656b1cd7a579a3647
zgRAT
+ 11 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma family:redline family:zgrat botnet:livetraffic evasion infostealer rat spyware stealer trojan
Link:
https://tria.ge/reports/240318-h13zaabb47/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Detect ZGRat V1
Lumma Stealer
RedLine
RedLine payload
ZGRat
Malware Config
C2 Extraction:
http://185.215.113.32
4.185.137.132:1632
https://resergvearyinitiani.shop/api
https://colorfulequalugliess.shop/api
Unpacked files
SH256 hash:
d50527fd28056ad4790130832d748f3a1fdd876af5dd1afef58c8fcd2514ee8e
MD5 hash:
4f9bea29ef73fb08eb77a4e4434b2395
SHA1 hash:
c4dd1a098fa845dfd33760743977ba6c00cc4f53
Detections:
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/98f737b6-05ab-4655-901d-11c189613b1a/
SH256 hash:
20b89a8296a96e52a88a481dfcc75233cc55a800eda489ff0a3adc978dba3c82
MD5 hash:
4f17ae42ec9072ad980e3a141e0de8ec
SHA1 hash:
eefee2367bff4605a644a6c5971ec72afd0a1298
Link:
https://www.unpac.me/results/98f737b6-05ab-4655-901d-11c189613b1a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/20b89a8296a9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/20b89a8296a96e52a88a481dfcc75233cc55a800eda489ff0a3adc978dba3c82

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

Executable exe 20b89a8296a96e52a88a481dfcc75233cc55a800eda489ff0a3adc978dba3c82

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2761196/
  
URLhaus
https://urlhaus.abuse.ch/url/2759927/
  
URLhaus
https://urlhaus.abuse.ch/url/2757406/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments


Avatar
zbet commented on 2024-03-18 07:12:23 UTC

url : hxxp://193.233.132.167/mine/amert.exe