MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ce11a112031c497d893553ca790b26db895492a24d48d8279d7da4defa27624. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ce11a112031c497d893553ca790b26db895492a24d48d8279d7da4defa27624
SHA3-384 hash: 9ef88ec7860bb3ce1b6ce172ef70aa67dd8b6bef2feae7021d48b63203bddc5e1d831d06643fcc327042a8e30f9dbc2f
SHA1 hash: 9e7225ad87a5933a2416c86600b33d177a7a3267
MD5 hash: 1c5d3c807a55a58eefd90e5ee551b33b
humanhash: mars-skylark-pluto-chicken
File name:1c5d3c807a55a58eefd90e5ee551b33b.exe
Download: download sample
Signature zgRAT
Create hunting rule
File size:584'192 bytes
First seen:2023-12-23 07:51:13 UTC
Last seen:2023-12-23 09:18:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:rX2lYZbxECsVYtL4+24pIfCUBFv8PNDTtkQusCSa1Z:rgVk4+JpudBV8FvtkQunSa
TLSH T116C4C01ABAA78D26F3880336D1D65850E3F84957A34BEB4E39C917E10C073A7E5067E7
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe zgRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
306
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
zgRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/469113/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.15288.21468.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed stealer
Link:
https://www.filescan.io/uploads/658691a26b1c246046029100/reports/28eccae0-eff8-416e-804c-79ab79885a7c/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/2ce11a112031c497d893553ca790b26db895492a24d48d8279d7da4defa27624
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MassLogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eba73556-7128-4c1f-8085-2d4de1b1c1b4
Result
Threat name:
RedLine, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1366475
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1366475 Sample: 1xb6lZcx0I.exe Startdate: 23/12/2023 Architecture: WINDOWS Score: 100 27 api.ip.sb 2->27 31 Snort IDS alert for network traffic 2->31 33 Found malware configuration 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 7 other signatures 2->37 8 1xb6lZcx0I.exe 1 2->8         started        11 qemu-ga.exe 2->11         started        signatures3 process4 signatures5 41 Found many strings related to Crypto-Wallets (likely being stolen) 8->41 43 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->43 45 Writes to foreign memory regions 8->45 47 2 other signatures 8->47 13 RegAsm.exe 15 6 8->13         started        18 WerFault.exe 22 16 8->18         started        20 conhost.exe 8->20         started        process6 dnsIp7 29 193.163.170.185, 49704, 80 TDCTDCASDK Denmark 13->29 25 C:\Users\user\AppData\Roaming\...\qemu-ga.exe, PE32 13->25 dropped 49 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->49 51 Found many strings related to Crypto-Wallets (likely being stolen) 13->51 53 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->53 55 3 other signatures 13->55 22 qemu-ga.exe 13->22         started        file8 signatures9 process10 signatures11 39 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 22->39
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2ce11a112031c497d893553ca790b26db895492a24d48d8279d7da4defa27624
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ce11a112031c497d893553ca790b26db895492a24d48d8279d7da4defa27624/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-12-23 07:52:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ftqruejaghcjpwetku6kpefsnw4jksjketki3atz27ne335coysa._file
Verdict:
malicious
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat discovery rat spyware stealer
Link:
https://tria.ge/reports/231223-jqdr3shae4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Detect ZGRat V1
ZGRat
Unpacked files
SH256 hash:
f33114ed21993c5bd95724f8bc621f60aa632bc6a0afcbe3d8fd49ea6acc2636
MD5 hash:
59bcc362fa5045353f3759d4e60c381f
SHA1 hash:
fa2428f40f58076f35b51de5e4a4fae6a5082a23
Detections:
redline
Create hunting rule
MALWARE_Win_zgRAT
Create hunting rule
Link:
https://www.unpac.me/results/fda4e674-751b-4d32-b194-c8a01847a12b/
SH256 hash:
2ce11a112031c497d893553ca790b26db895492a24d48d8279d7da4defa27624
MD5 hash:
1c5d3c807a55a58eefd90e5ee551b33b
SHA1 hash:
9e7225ad87a5933a2416c86600b33d177a7a3267
Link:
https://www.unpac.me/results/fda4e674-751b-4d32-b194-c8a01847a12b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2ce11a112031/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2ce11a112031c497d893553ca790b26db895492a24d48d8279d7da4defa27624

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/469113/

Comments