MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28c32f08c1471496052f517ee43313f86c38f74bdf0194707735574157a2d55c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28c32f08c1471496052f517ee43313f86c38f74bdf0194707735574157a2d55c
SHA3-384 hash: 836e3dbcae248757134c63514ffa53d6e1effdea6f6996b7aa875c3b87c170333d2833eb02aa870b411eb337fb5aa561
SHA1 hash: 4d7390da7f5c4bf6127fbb3d793e8917a47c45bb
MD5 hash: 27e482c64f1b9035e550ac07f1d30f2c
humanhash: six-echo-spring-cola
File name:DOC Maquinas-0215522-23.exe
Download: download sample
Signature zgRAT
Create hunting rule
File size:1'093'632 bytes
First seen:2023-03-22 15:54:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:iOt4pogcgotnPXWZsPxIexTmad12j+iVb4ZdQT/ijLC7aX6zLTisxEZONerixVHk:mojjlgsxZG28K3cesxKkMcyPQTnK
Threatray 1'719 similar samples on MalwareBazaar
TLSH T1BA3523017AABCA73C12D55BB91E6205193F2C35766A3F78B3EC441E91E43FD84A12AD3
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 32c29292b2e88e82 (7 x Formbook, 6 x RemcosRAT, 2 x AgentTesla)
Reporter abuse_ch
Tags:exe RAT zgRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
DOC Maquinas-0215522-23.exe
Verdict:
Malicious activity
Analysis date:
2023-03-22 15:55:28 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/4c6a6f34-d927-4364-bfbd-870c1ce895ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/376511/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/641b249cda1bbe29caf98753/reports/c584f805-1ecd-46af-9490-7ea86a8b6029/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/28c32f08c1471496052f517ee43313f86c38f74bdf0194707735574157a2d55c
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3e796486-260e-4c40-8fa9-9db8aa04aafc
Result
Threat name:
Remcos, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1199569
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 832480 Sample: DOC_Maquinas-0215522-23.exe Startdate: 22/03/2023 Architecture: WINDOWS Score: 100 73 fresh03.ddns.net 2->73 77 Malicious sample detected (through community Yara rule) 2->77 79 Antivirus / Scanner detection for submitted sample 2->79 81 Sigma detected: Scheduled temp file as task from temp location 2->81 83 10 other signatures 2->83 10 DOC_Maquinas-0215522-23.exe 7 2->10         started        14 SEfmfXm.exe 3 2->14         started        16 remcos.exe 4 2->16         started        18 2 other processes 2->18 signatures3 process4 file5 65 C:\Users\user\AppData\Roaming\SEfmfXm.exe, PE32 10->65 dropped 67 C:\Users\user\...\SEfmfXm.exe:Zone.Identifier, ASCII 10->67 dropped 69 C:\Users\user\AppData\Local\...\tmpF2AF.tmp, XML 10->69 dropped 71 C:\Users\...\DOC_Maquinas-0215522-23.exe.log, ASCII 10->71 dropped 93 Contains functionality to bypass UAC (CMSTPLUA) 10->93 95 Contains functionality to steal Chrome passwords or cookies 10->95 97 Uses schtasks.exe or at.exe to add and modify task schedules 10->97 105 3 other signatures 10->105 20 DOC_Maquinas-0215522-23.exe 2 4 10->20         started        23 powershell.exe 17 10->23         started        25 schtasks.exe 1 10->25         started        27 DOC_Maquinas-0215522-23.exe 10->27         started        99 Antivirus detection for dropped file 14->99 101 Multi AV Scanner detection for dropped file 14->101 103 Machine Learning detection for dropped file 14->103 29 schtasks.exe 16->29         started        31 remcos.exe 16->31         started        33 remcos.exe 16->33         started        35 schtasks.exe 18->35         started        37 remcos.exe 18->37         started        signatures6 process7 file8 61 C:\ProgramData\Remcos\remcos.exe, PE32 20->61 dropped 63 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 20->63 dropped 39 remcos.exe 5 20->39         started        42 conhost.exe 23->42         started        44 conhost.exe 25->44         started        46 conhost.exe 29->46         started        48 conhost.exe 35->48         started        process9 signatures10 85 Antivirus detection for dropped file 39->85 87 Multi AV Scanner detection for dropped file 39->87 89 Machine Learning detection for dropped file 39->89 91 Adds a directory exclusion to Windows Defender 39->91 50 remcos.exe 39->50         started        53 powershell.exe 39->53         started        55 schtasks.exe 39->55         started        process11 dnsIp12 75 fresh03.ddns.net 103.169.34.187, 34110, 49696, 49697 AARNET-AS-APAustralianAcademicandResearchNetworkAARNe unknown 50->75 57 conhost.exe 53->57         started        59 conhost.exe 55->59         started        process13
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/28c32f08c1471496052f517ee43313f86c38f74bdf0194707735574157a2d55c/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-03-22 15:54:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fdbs6cgbi4kjmbjpkf7oimyt7bwdr52l34azi4dxgvlucv5c2voa._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
0f27e5f647e28a535aa0ab9dde5c707150431f10c62d12f1e192ea02d698b3e4
zgRAT
0f8c7d288333c8d1c5d450abeaf869de3d58eb5e8d16138c52b0391cf7a645cc
zgRAT
1cdd50cbdf51d44354d596e4a1f8a3fee6268362ffdce61b608322bba56ebdb0
zgRAT
284232020b34f4cf7a8fc750b17821055f93426351f8450654141a5ee1326798
zgRAT
28894ebd9537959f6d45cb8f5cd21fcff66472820f5e8bcc6944276fa32c2623
zgRAT
52062e748f2857bf6bc3161cdfade85ec042d45093673514ca1787f7216a70f3
zgRAT
7e09b162052fa0f01f2d48609446e1cc66fea01afa412d5aee4cca9afa98fe52
zgRAT
df98e5b50efcf7aedf479030e51ca5b9990fad9f0d20d729bb106198ddee923e
zgRAT
e1c89005d0db76c1bc3337a5ff30027e72e2850cfefb54f2768fa1ad02e4dfdf
zgRAT
f3c280a30bfcb13a09179451fc8a2885ea9a95258ee5b52bfd24a1caf7896e54
zgRAT
+ 1'709 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:upgraded001 persistence rat
Link:
https://tria.ge/reports/230322-tb73gsbf6v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Remcos
Malware Config
C2 Extraction:
fresh03.ddns.net:34110
Unpacked files
SH256 hash:
558e0632328001fb7b8be2abf31eafc4ea6f572841c408429fcab72583b06327
MD5 hash:
ecc5dcc2516679997789bbb404a800f3
SHA1 hash:
c939c88bb6edff69e70a8bd21309c5fedeb573ba
Link:
https://www.unpac.me/results/2640f125-b17f-4e10-bc93-a28d04bf8333/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/2640f125-b17f-4e10-bc93-a28d04bf8333/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
f07b5f30dd3d765bce627a4ec2702f6cb6b10e09f90314eb6b64165770e7b2a2
MD5 hash:
dadd3c7b9a777af1793fbe703316c858
SHA1 hash:
1718492843d16a5d0b44fb505ddc4988a77e5100
Link:
https://www.unpac.me/results/2640f125-b17f-4e10-bc93-a28d04bf8333/
SH256 hash:
0b5ffa0d5379ee86e6bdcc5cab439c437e2e1a47eb7bbea23532e2327780e812
MD5 hash:
571d62cd3e427278cc2c2a2bc402bc32
SHA1 hash:
13e54c67783adb3384481c796fe6e53eeb7778af
Link:
https://www.unpac.me/results/2640f125-b17f-4e10-bc93-a28d04bf8333/
SH256 hash:
eb99b9052fb1b154c9731f36fca6c148da71b530f530994427e8886e36f8dffe
MD5 hash:
5d9356dc1909e3385a1b77a1032fecd0
SHA1 hash:
052ee55ae083fe331d00ea3335cd3f68cd08ffdc
Detections:
Remcos
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/2640f125-b17f-4e10-bc93-a28d04bf8333/
Parent samples :
28c32f08c1471496052f517ee43313f86c38f74bdf0194707735574157a2d55c
3d1a75579ef0717708782f63318b36e8dc0356fc477370ad9c69feac793a6a95
50ca98ba2d54858b97cbbfff758edf7f81a29a8a4884a4319ae994cb8a434de3
f3e4dd541766cd7a3af91ef964b91ded632f13ebe69bd4fb5eadd563c0207059
2e4c6cc30705e1398ea19d064bd7cfba58448798a81f3c89b86fa66750904a7b
SH256 hash:
28c32f08c1471496052f517ee43313f86c38f74bdf0194707735574157a2d55c
MD5 hash:
27e482c64f1b9035e550ac07f1d30f2c
SHA1 hash:
4d7390da7f5c4bf6127fbb3d793e8917a47c45bb
Link:
https://www.unpac.me/results/2640f125-b17f-4e10-bc93-a28d04bf8333/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/28c32f08c147/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_zgRAT
Create hunting rule
Author:ditekSHen
Description:Detects zgRAT
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/376511/

Comments