MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23ecba0be777d9b7a5683d0939d9ae17c4427c46e51ff959e91785d83c60efd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23ecba0be777d9b7a5683d0939d9ae17c4427c46e51ff959e91785d83c60efd1
SHA3-384 hash: 2362712e14cec5543e5dfbaaa7071b27b991de66907a19ddbd1d45197f4a743e4c13162d59abcc67639384ed8b9d5410
SHA1 hash: 27899142d055dcce7ad3288028c8e3187421275c
MD5 hash: b8162dccc95c2ed40a3fd946dd127242
humanhash: magnesium-nuts-undress-september
File name:Voice.ai-Downloader-alphaver-9aab5f151e93466090a2c1fe0b2e9d6e(1).exe
Download: download sample
Signature zgRAT
Create hunting rule
File size:488'104 bytes
First seen:2023-11-22 08:15:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5f0c714c36e6cc016b3a1f4bc86559e4 (199 x GuLoader, 14 x Formbook, 4 x AgentTesla)
ssdeep 3072:AkBGWOsTIJgIDU5A/cto68pMABlZQ2wpFD0ravSGKBUGYDxJ0y5t8:A1ssjn5Mp2w7g+VKvSA
TLSH T1D8A46270FF02F12BFBC8D4F811B8AE0EC4AFEC8A76954951421A1695CF39B94F9B4548
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6871f0f2d6ec7830 (1 x zgRAT, 1 x GuLoader)
Reporter moshsrv
Tags:ai exe signed zgRAT

Code Signing Certificate

Organisation:Voice AI LLC
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2023-06-14T00:00:00Z
Valid to:2024-06-13T23:59:59Z
Serial number: 0d2f2a7563f6dbdf988edb03fe575933
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 73992d385403b0a23d0fd35d8730dea8d6398cb591fd36e459ecc8c5dbd13ba9
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
330
Origin country :
PT PT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Voice.ai-Downloader-alphaver-9a5d98fa127c4f228e3bb79ed49c1aa9.exe
Verdict:
Malicious activity
Analysis date:
2023-10-15 07:51:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e4f9af57-329b-4f5e-8bed-5dd8f85945bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/459674/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/655db8c228f567025c7e8055/reports/6a750b47-b9e1-4510-8598-e0c53491243b/overview
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/23ecba0be777d9b7a5683d0939d9ae17c4427c46e51ff959e91785d83c60efd1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3ac51c2e-8508-488b-8636-91d00c299890
Result
Threat name:
zgRAT
Create hunting rule
Detection:
suspicious
Classification:
troj.evad
Score:
32 / 100
Link:
https://www.joesandbox.com/analysis/1346300
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Drops large PE files
Tries to open files direct via NTFS file id
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1346300 Sample: Voice.ai-Downloader-alphave... Startdate: 22/11/2023 Architecture: WINDOWS Score: 32 99 Yara detected zgRAT 2->99 101 .NET source code contains potential unpacker 2->101 103 .NET source code contains method to dynamically call methods (often used by packers) 2->103 8 Voice.ai-Downloader-alphaver-9aab5f151e93466090a2c1fe0b2e9d6e(1).exe 1 41 2->8         started        13 svchost.exe 2->13         started        15 explorer.exe 2->15         started        17 2 other processes 2->17 process3 dnsIp4 81 104.26.7.223 CLOUDFLARENETUS United States 8->81 83 172.64.154.72 CLOUDFLARENETUS United States 8->83 73 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 8->73 dropped 75 C:\Users\user\AppData\Local\...\System.dll, PE32 8->75 dropped 77 C:\Users\user\AppData\Local\...\INetC.dll, PE32 8->77 dropped 79 C:\Users\user\...\Voice.ai-Installer[1].exe, PE32 8->79 dropped 107 Drops large PE files 8->107 19 VoiceAI-Installer.exe 13 163 8->19         started        22 drvinst.exe 13->22         started        25 drvinst.exe 13->25         started        27 VoiceAI.exe 15->27         started        85 23.221.242.90 TISCALI-IT United States 17->85 87 127.0.0.1 unknown unknown 17->87 29 VoiceAI.exe 17->29         started        32 VoiceAI.exe 17->32         started        34 VoiceAI.exe 17->34         started        36 3 other processes 17->36 file5 signatures6 process7 dnsIp8 57 C:\Users\user\AppData\Local\...\System.dll, PE32 19->57 dropped 59 C:\Users\user\AppData\Local\...\INetC.dll, PE32 19->59 dropped 61 C:\...\onnxruntime_providers_shared.dll, PE32+ 19->61 dropped 65 31 other files (none is malicious) 19->65 dropped 38 vc2019.exe 3 19->38         started        41 VoiceAI.exe 1 11 19->41         started        43 explorer.exe 19->43         started        105 Tries to open files direct via NTFS file id 22->105 63 C:\Windows\System32\...\SET39B7.tmp, PE32+ 25->63 dropped 45 VoiceAI.exe 27->45         started        48 VoiceAI.exe 27->48         started        50 VoiceAI.exe 27->50         started        52 4 other processes 27->52 89 172.253.122.94 GOOGLEUS United States 29->89 91 104.16.123.175 CLOUDFLARENETUS United States 29->91 file9 signatures10 process11 dnsIp12 67 C:\Windows\Temp\...\vc2019.exe, PE32 38->67 dropped 54 vc2019.exe 63 38->54         started        69 C:\Users\user\AppData\Local\...\SET34F4.tmp, PE32+ 41->69 dropped 93 142.251.163.94 GOOGLEUS United States 45->93 95 172.253.62.95 GOOGLEUS United States 45->95 97 3 other IPs or domains 45->97 file13 process14 file15 71 C:\Windows\Temp\...\wixstdba.dll, PE32 54->71 dropped
Score:
18%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/23ecba0be777d9b7a5683d0939d9ae17c4427c46e51ff959e91785d83c60efd1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/23ecba0be777d9b7a5683d0939d9ae17c4427c46e51ff959e91785d83c60efd1/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=epwluc7ho7m3pjlihuettwnoc7cee7cg4up7swpjc6c5qpda57iq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231122-j548ksbh2x/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Enumerates physical storage devices
Drops file in Program Files directory
Loads dropped DLL
Unpacked files
SH256 hash:
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89
MD5 hash:
05450face243b3a7472407b999b03a72
SHA1 hash:
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9
Link:
https://www.unpac.me/results/5da5c7ef-0291-4650-94e6-676dd051f675/
SH256 hash:
9bd8af319646fa1d82439c18193b0eee79b3e1da4dc75b181a16cbac1599acf2
MD5 hash:
5c2c51ddd07640654895123753de3509
SHA1 hash:
e4e155ebaf4a30b0e5a1b1b5da49f61857b3445c
Link:
https://www.unpac.me/results/5da5c7ef-0291-4650-94e6-676dd051f675/
SH256 hash:
2e9d28d74934cc7e261b0cdcf7bbef7e3ddd4d02aba827ecc852d536613c674f
MD5 hash:
b855db1271bf088a121ac23292edb4e2
SHA1 hash:
a0dd08aa3d3dfe9d835b132102b24846b65ab84f
Link:
https://www.unpac.me/results/5da5c7ef-0291-4650-94e6-676dd051f675/
SH256 hash:
23ecba0be777d9b7a5683d0939d9ae17c4427c46e51ff959e91785d83c60efd1
MD5 hash:
b8162dccc95c2ed40a3fd946dd127242
SHA1 hash:
27899142d055dcce7ad3288028c8e3187421275c
Link:
https://www.unpac.me/results/5da5c7ef-0291-4650-94e6-676dd051f675/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/23ecba0be777d9b7a5683d0939d9ae17c4427c46e51ff959e91785d83c60efd1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/459674/

Comments