MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30c4f5d3a9bc4ea1c8dd362095d5621bb50403b1a592b83ee3d9c3658bd7a8d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


zgRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30c4f5d3a9bc4ea1c8dd362095d5621bb50403b1a592b83ee3d9c3658bd7a8d1
SHA3-384 hash: 24cd7afe68b0eb3627df52ef56f2cfc46e00cb19695b494ce559f34ac510635f61ccf8677910e3fed14813b23c88bcea
SHA1 hash: 26b2f295887722e744b557cc8cf43e86c20f2450
MD5 hash: 3da00651de2aca0449afa220de5979fb
humanhash: cola-edward-potato-river
File name:mixazed_20210730-085800
Download: download sample
Signature zgRAT
Create hunting rule
File size:651'264 bytes
First seen:2021-07-30 08:43:14 UTC
Last seen:2021-07-30 09:56:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:/4mHFQm2BOUamTo4NchWmdi0MgOSP0kIb/WU5Nxk:jWxHamToHW10MbSPuWG
Threatray 481 similar samples on MalwareBazaar
TLSH T1AED40137A6009DB7C6EB57FEC097CA4C0E715D2B2F92581E64DA329D76B7052B30262C
dhash icon f1ccc6e6b0dc7182 (1 x zgRAT)
Reporter benkow_
Tags:exe zgRAT


Avatar
benkow_
C2: pure.banker-info.org:91

Intelligence

File Origin
# of uploads :
2
# of downloads :
582
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
mixazed_20210730-085800
Verdict:
Malicious activity
Analysis date:
2021-07-30 08:45:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9cabdb5d-c7a9-4524-81a0-7103444ffb25

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175247/
Detection(s):
SecuriteInfo.com.Base64_encoded_Executable.269.2801.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bc8d6976-028e-4c14-9a06-cac23f914853
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/824373
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/30c4f5d3a9bc4ea1c8dd362095d5621bb50403b1a592b83ee3d9c3658bd7a8d1/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-07-30 08:44:07 UTC
AV detection:
10 of 46 (21.74%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gdcplu5jxrhkdsg5gyqjlvlcdo2qia5ruwjlqpxd3hbwlc6xvdiq._file
Verdict:
unknown
Similar samples:
163dbf95558cd288990fb6e6d84643d879abf23e8a5910cdd592d74c24f7fbd0
zgRAT
381d4a53dc6d69491c703d2f35888b64a675c2b3de8f6572720828dd428a359b
zgRAT
4065ef6148d82e9b20fb8fb21b7969636fdc0218259f069adffabd3b2882cc81
zgRAT
59a7beab1c7583b7995b157e9e87beb6fa0785c49784bf0b9d13bd143a696541
zgRAT
5b832740ae1f2a5c2c10e37aadd6d0b74d647a9ff853f091a2262ef0ae2c672c
zgRAT
5d8cff06f1b044d037c27e8f3fbdf0b638dbe4049252e3484eadfbd97e96db4e
zgRAT
675cd0caf836da2ead5494d743d55c6f97f68d5347c967d7464296a16c62ddd4
zgRAT
6ffa008d9c18433dfb729075105f7837874da4b96d22c7718f360558f9aeaa0a
zgRAT
82426d67e219a1d9ac41d9bd9e3d4a74beb90472176320a5ace56d295ce3dd9c
zgRAT
+ 471 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210730-wv6mjzdgkn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
ede6675d1acdcc6d1d465079366cd8c4098faca0dc9f9bdcd945db58b1d3b4d2
MD5 hash:
7680811e34f1b8fe5d8f833f89d1e20d
SHA1 hash:
fd16ca31080990973c821b53e2763ac39f5b4921
Link:
https://www.unpac.me/results/ca5aeab9-7c62-4641-8e75-fad5916d36d6/
SH256 hash:
0bb039c386ea3f9ba2c1d59ea8ea0027844a5d895c0103e9e99ec0ea93b6f0c3
MD5 hash:
f05dd4802aa906bc477c728781e58275
SHA1 hash:
8cc56f1c572ec349e2d388f57c63ac0814c7d637
Link:
https://www.unpac.me/results/ca5aeab9-7c62-4641-8e75-fad5916d36d6/
SH256 hash:
ad9e815e119143518e0f06a31fa9cdb5f5643378bd43f270e9b4124af91564cf
MD5 hash:
e00c0cfbb49dc7171922b4831e2a6bad
SHA1 hash:
63e61227e87ce16b457184b70ac9d97db4af5a2d
Link:
https://www.unpac.me/results/ca5aeab9-7c62-4641-8e75-fad5916d36d6/
SH256 hash:
30c4f5d3a9bc4ea1c8dd362095d5621bb50403b1a592b83ee3d9c3658bd7a8d1
MD5 hash:
3da00651de2aca0449afa220de5979fb
SHA1 hash:
26b2f295887722e744b557cc8cf43e86c20f2450
Link:
https://www.unpac.me/results/ca5aeab9-7c62-4641-8e75-fad5916d36d6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.84
Link:
https://yomi.yoroi.company/submissions/30c4f5d3a9bc4ea1c8dd362095d5621bb50403b1a592b83ee3d9c3658bd7a8d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
GCleaner
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/175247/

Comments