MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e526b3159d26b4b5055af4b556cf0114c7d225c507b890cf9aef83527ed26bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

zgRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 6 File information Comments

SHA256 hash:	2e526b3159d26b4b5055af4b556cf0114c7d225c507b890cf9aef83527ed26bb
SHA3-384 hash:	debe4b68ad7ce4f3547186453bf8b91fa7d70c1f366870b89347013650c3e807e8e957cb792591fcb6225ae6bc02f395
SHA1 hash:	c6631f5e6532739466e68eed2cdbae13dc03be65
MD5 hash:	a9415292576d7d43c38bdbad23b445d7
humanhash:	mississippi-echo-triple-sodium
File name:	Pecxxgetfb.exe
Download:	download sample
Signature	zgRAT Create hunting rule
File size:	1'941'504 bytes
First seen:	2024-02-20 10:36:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	49152:2pS63bhVbThsSAaBDBJBbxiuqdJh/iTJRfq8V2:2LhtT2HQNJBbxNqx/iv9
Threatray	124 similar samples on MalwareBazaar
TLSH	T11195E00A37164BA2D7AE5F36E46B810403E1D95AA3D7D70BB2C913A716773BACF41243
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	lowmal3
Tags:	exe zgRAT

Intelligence

File Origin

# of uploads :

# of downloads :

308

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/477036/

Detection(s):

Win.Trojan.EmbeddedDotNetBinary-9940868-0

Win.Trojan.EmbeddedReversedDLL-9940922-0

Win.Trojan.Generic-10014419-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Connection attempt to an infection source

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

net_reactor packed packed

Link:

https://www.filescan.io/uploads/65d480d422703c3491a75f8f/reports/5a22d384-0397-4dd0-abc5-ceb3ef728a84/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/2e526b3159d26b4b5055af4b556cf0114c7d225c507b890cf9aef83527ed26bb

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

MassLogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/01191478-91b5-46ac-b521-b8fe09b9a98e

Result

Threat name:

PureLog Stealer

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1395193

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2e526b3159d26b4b5055af4b556cf0114c7d225c507b890cf9aef83527ed26bb

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2e526b3159d26b4b5055af4b556cf0114c7d225c507b890cf9aef83527ed26bb/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2024-02-16 10:10:19 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fzjgwmkz2jvuwucvv5fvk3hqcfgh2is4kb5ysdhzv34dkj7ne25q._file

Verdict:

malicious

zgRAT

2e526b3159d26b4b5055af4b556cf0114c7d225c507b890cf9aef83527ed26bb

zgRAT

3298664374264a54bf1478c665c3d1bd92042a7bd41c60c8374ac88a9e5c9123

zgRAT

98d7e80ac0ee8ffbeb51fd3273e5d5cb7236f24123af2f112bc62083d4411a74

zgRAT

ccfb1b97034d2b697c953a4447b4226e83cd421487f10dc7facc56e630833068

zgRAT

+ 114 additional samples on MalwareBazaar

Result

Malware family:

zgrat

Score:

10/10

Tags:

family:zgrat persistence rat

Link:

https://tria.ge/reports/240220-mns1rsfa5x/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Detect ZGRat V1

ZGRat

Unpacked files

SH256 hash:

2e526b3159d26b4b5055af4b556cf0114c7d225c507b890cf9aef83527ed26bb

MD5 hash:

a9415292576d7d43c38bdbad23b445d7

SHA1 hash:

c6631f5e6532739466e68eed2cdbae13dc03be65

Detections:

Typical_Malware_String_Transforms

Link:

https://www.unpac.me/results/d13cb027-8571-42be-843e-7ccf4c9f6637/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

zgRAT

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2e526b3159d26b4b5055af4b556cf0114c7d225c507b890cf9aef83527ed26bb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zgRAT

exe 2e526b3159d26b4b5055af4b556cf0114c7d225c507b890cf9aef83527ed26bb

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/477036/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample