MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 218150c8d3e13fd5de782d48a45433b76d64a4f82feb9e4853543b1c8a9a1498. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 218150c8d3e13fd5de782d48a45433b76d64a4f82feb9e4853543b1c8a9a1498
SHA3-384 hash: 30efd6898d888ff1a7039b47e6faea6d5ac80a2f75747596efed8c604244767aa8284fac8a6093b3efee92e573bed20d
SHA1 hash: c9c3d63a7fa8f99766fb0560dd14a70e90e57c4a
MD5 hash: 21fc808d0840be3366ef79e5a15c51a4
humanhash: timing-quiet-five-romeo
File name:21fc808d0840be3366ef79e5a15c51a4
Download: download sample
Signature zgRAT
Create hunting rule
File size:1'318'912 bytes
First seen:2023-02-03 07:17:29 UTC
Last seen:2023-02-03 09:32:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:X2hfjFNHUaymttZedE59j8fmVuXQ54jNg6QDloO7pe54ZHW4WASSxqHs9Enat0N+:QjDUaFbwWqW6H5QHWjiqH67V0AMwrdb
Threatray 890 similar samples on MalwareBazaar
TLSH T1775501F66D8E70EAD4D536BC358A2E164B9DFD82256FCC60338165ACC09A250BF587CC
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:exe zgRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
21fc808d0840be3366ef79e5a15c51a4
Verdict:
Malicious activity
Analysis date:
2023-02-03 07:21:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/59c88232-5087-4098-97fb-60e4b9f7fdca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
zgRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/359770/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.60420.10821.8710.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive packed
Link:
https://www.filescan.io/uploads/63dcb52b1c9cbf7d62558624/reports/0f5e212a-05c2-4882-968c-69edfc038a1a/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/218150c8d3e13fd5de782d48a45433b76d64a4f82feb9e4853543b1c8a9a1498
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e0380e4c-234e-45b0-86b9-b0f7598e81d5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1164893
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Encrypted powershell cmdline option found
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/218150c8d3e13fd5de782d48a45433b76d64a4f82feb9e4853543b1c8a9a1498/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2023-02-03 07:18:08 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
2
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=egavbsgt4e75lxtyfvekivbtw5wwjjhyf7vz4sctkq5rzcu2csma._file
Verdict:
malicious
Similar samples:
069f26b91b13d2ebbca88ac98894e859995555a2559cbb274383a9379b98a61a
zgRAT
08c5de8e4d3c038e2385643b3201122ac43f7e09d21b89e42a2186a66fae3434
zgRAT
106e615cf4c53bf171b4dfc288bdddb82e3eddb407399bc18488cd2483f9d871
zgRAT
189df98f0de9676700b0d3e8d19cb4d6b33fa23313d435845dfa76a808b39cbc
zgRAT
7965e9813714dba016ee3034616a12092c71818443a0c269d3ab8791b9883eec
zgRAT
a13d5f2dedff839d945268116a3ba08cc0d5e17ed2b519477d118b447c02929f
zgRAT
c8b995746f09979fc1ccd83a08dab8913aa88b9036b584cc60d72029e867dd1d
zgRAT
d6280fbc63a14ec4318051d72ad20b7ca0c6391f752264aaac2ecd1685bf746c
zgRAT
ec4b8c7407dce9428bfe6752b90cfd9dafe91d83e238102bf310c6deaeb21a01
zgRAT
+ 880 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230203-h4yhzafg5v/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Unpacked files
SH256 hash:
218150c8d3e13fd5de782d48a45433b76d64a4f82feb9e4853543b1c8a9a1498
MD5 hash:
21fc808d0840be3366ef79e5a15c51a4
SHA1 hash:
c9c3d63a7fa8f99766fb0560dd14a70e90e57c4a
Link:
https://www.unpac.me/results/8d9db3f2-0e31-4b82-ba85-defa3da9446e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/218150c8d3e13fd5de782d48a45433b76d64a4f82feb9e4853543b1c8a9a1498

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

zgRAT

Executable exe 218150c8d3e13fd5de782d48a45433b76d64a4f82feb9e4853543b1c8a9a1498

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2528681/
Cape
Cape
https://www.capesandbox.com/analysis/359770/
  
URLhaus
https://urlhaus.abuse.ch/url/2528894/

Comments


Avatar
zbet commented on 2023-02-03 07:17:45 UTC

url : hxxp://45.15.159.123/QaUpdate.exe